Australia’s largest bank has admitted it lost the financial statements of 20 million accounts. The Commonwealth Bank insists that customer security has not been compromised, as the statements did not contain customer passwords or PINs.
The statements did include customer names, addresses, account numbers and transaction history. The data was held on magnetic tapes which were supposed to be destroyed by subcontractor Fuji-Xerox in 2016. But the Commonwealth Bank said it could not confirm the tapes were destroyed.
The bank launched an independent investigation, through KPMG, and informed the Office of the Australian Information Commissioner (OAIC) and the banking regulator, APRA. However, it decided not to inform customers after the investigation determined that erasure of the tapes was “the most likely outcome”.
Under the new Notifiable Data Breaches scheme, which came into effect in February, it appears the Commonwealth Bank would have had a legal obligation to let its customers know their data had been breached; however, the incident occurred in 2016, before the scheme took effect.
The Commonwealth Bank’s acting head of retail, Angus Sullivan, defended the decision not to tell customers in an interview with the ABC’s AM program.
“When incidents like these are shared more broadly, they create risks in and of themselves,” Sullivan said.
“When we look back now, the decision that was made at the time has probably been borne out to be a good decision in as much that the data hasn’t turned into fraudulent activity.”
A serious incident
While the Commonwealth Bank attempts to downplay the threat of the incident, their admission suggests it is a serious breach, according to Troy Hunt, Microsoft managing director – developer security.
“We need to recognise that the CBA incident is serious enough for them to decide it needed to be disclosed publicly,” Hunt told Which-50, also noting the current industry climate likely impacted the decision to come clean.
“Inevitably, this is also a decision driven by the current climate of increased scrutiny on the banking sector, but an event like this is a major story all the same.”
And while it is highly unlikely customer data was compromised in this incident, the disclosure of banking details does heighten the risk of fraud, according to Hunt.
“In terms of risks to consumers, at the very least disclosure of someone’s banking choices does heighten their risk of fraud [such as identity theft],” Hunt said.
“But we also need to recognise that based on CBA’s statements, it seems highly likely the data never fell into malicious hands and whilst it’s natural for people to feel that their privacy has been violated, it seems highly unlikely any unauthorised party saw the data and that it will result in any tangible loss or impact on them.”