Commonwealth Bank of Australia loses 19.8 million customer account records

Commonwealth Bank of Australia loses 19.8 million customer account records

Australia's biggest bank has admitted to losing the financial records of nearly 20 million customer accounts after a subcontractor lost two magnetic tape drives containing the data in 2016.

CBA says it had been unable to confirm the destruction of two magnetic tapes containing historical customer statements.

In a statement - the bank says an independent investigation determined the information was most likely destroyed. Teams retraced the route of a bank subcontractor's vehicle to look for the backup drives but couldn't find any trace of them, BuzzFeed reported.

The latest revelation is another blow to the Commonwealth Bank, which is already reeling from several other scandals. The tapes contained customer names, addresses, account numbers and transaction details from 2000 to early 2016.

Angus Sullivan, CBA's acting group executive for retail banking services, issued a video statement confirming the data breach after Buzz feed exposed details of the incident yesterday.

There's been no evidence of suspicious activity or that customer data was compromised, and the bank is still monitoring the accounts as a precaution, it said.

"Maintaining data security is of vital importance for everybody, whether it's the private sector or governments, and if there's a serious breach or loss, the people affected should be advised so they can take steps to protect themselves", Turnbull said. The tapes did not contain PINs, passwords or other data that could enable account fraud, he said. The bank immediately put in place monitoring mechanisms to further protect customers.

More news: The United States pushing Saudi Arabia to war against Iran

Commonwealth Bank has insisted that the decision to not inform customers was in order to "not unduly alarm" them.

While there may be truth to this, recent legislation means that Australian businesses must report if they've suffered a data breach to both the regulators and the affected individuals if they were deemed at risk.

"The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion".

"[We have] sought information from the CBA to satisfy the OAIC that the CBA has taken on board lessons learned from this incident, to ensure the privacy of customer's personal information is adequately protected", the office said.

After investigating the incident and concluding the missing tapes were probably destroyed, the bank resolved not to tell its customers about the breach.

Examples of "harm" provided in a guide by the Office of the Australian Information Commissioner (OAIC) include: financial fraud including unauthorised credit card transactions or credit fraud; identity theft causing financial loss or emotional and psychological harm; family violence; and physical harm or intimidation. At the time, the OAIC indicated it would take not action.

Related Articles