Australia’s Commonwealth Bank admits losing data of 20m customers

3 May 2018

Branch of Commonwealth Bank in Melbourne. Image: TK Kurikawa/Shutterstock

Customers of Commonwealth Bank in Australia are receiving messages about major data loss at the financial institution.

The Commonwealth Bank (CBA) is the largest bank in Australia and it is now in the midst of a maelstrom of controversy around the loss of millions of people’s personal financial data.

BuzzFeed News was first to report the incident, revealing that, in 2016, a subcontractor lost several tape drives containing financial data spanning more than a decade .

The bank let the Australian information commissioner’s office (OAIC) know of the breach after it became aware in 2016, but the OAIC said it would be examining the incident further following the release on 30 April of an Australian Prudential Regulation Authority (APRA) report into the bank’s culture.

Destruction of the tapes cannot be confirmed

The bank said it could not confirm that the tapes containing the 15 years of data were destroyed. According to Reuters, the decision made by CBA to not inform its customers about the breach was described by the Australian prime minister, Malcolm Turnbull, as an “extraordinary blunder”.

Turnbull added: “It’s hard to imagine how so much data could be lost in this way. If that had happened today, the bank would have to advise each of their customers.”

CBA’s acting head of retail banking services, Angus Sullivan, said the magnetic tapes were due to be destroyed but the bank was not in a position to confirm this had happened. He also said no data that could enable fraudulent activity was on the tapes.

Data on the tapes did include names, addresses, account numbers and transaction details. The breach took place when the bank’s subcontractor, Fuji Xerox, decommissioned a data storage centre where the data was being stored. The data on the tapes was apparently not encrypted.

The bank informed regulators and found that the tapes had “most likely been disposed of” after an internal investigation with the help of KPMG. Sullivan said customers were not told as the bank wanted to balance the need to let them know with causing them needless alarm. New data breach laws in Australia mean that if an incident like this happened again, disclosure would be legally required.

A tough time for CBA

A separate judicial inquiry into CBA is ongoing and the bank has been accused of breaching anti-money laundering rules more than 50,000 times. CBA also admitted to using old medical definitions in order to refuse sick customers health insurance payouts. It was also found to have collected fees from customers whom staff were aware had died.

A regulator ordered the bank to keep an extra AUD$1bn in cash reserves as punishment for the alleged money laundering breaches.

CEO of CBA Matt Comyn said all of the APRA recommendations would be implemented. “We will establish a higher level of accountability and consequence for our actions and the impact we have on customers.”

Branch of Commonwealth Bank in Melbourne. Image: TK Kurikawa/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects