A significant data breach by the Commonwealth Bank. The real question: what will be the consequences?

May 3, 2018 |

The Commonwealth Bank of Australia has suffered a major data breach, dating from 2016, involving the records of 20 million customers.  It has only made this public now, after media reports.  The CBA only made a statement after the media reports.  That is a dreadful approach to data breaches.  Conceal until you can’t.  Then obfuscate.  The CBA is not an outlier in its reaction to this data breach.  Unfortunately it is all too common in Australia.  Perhaps that will change with the mandatory data breach notification scheme, but proper enforcement is required.  Incredibly, the Information Commissioner was notified in 2016 and took no enforcement action.  No enforceable undertakings even.  That was, and remains, a dreadful mistake.  The Australian Prudential Regulation Authority has been more active and transparent than the Information Commissioner’s Office in dealing with privacy breaches.  If that is not an indictment on the Information Commissioner I am not sure what would be.

The CBA argues that while historical records, held on magnetic tapes, were lost, the data was uncompromised.  It seems to be arguing that this is a technical but not an actual data breach: the CBA has lost track of the data, rather than there having been a knowing theft or hack.  That argument cuts no ice in the United Kingdom or America.  There the regulators take firm action because such a loss highlights poor data security protocols and/or poor training and inadequate data security generally.  In the United Kingdom, based on similar breaches, a monetary penalty notice involving a heavy fine would be the likely response.  In the United States the Federal Trade Commission would require the malefactor to enter into a comprehensive agreement lasting 10 – 20 years, with a possible significant fine.  Here the approach of the regulator has been lamentably weak.

The fact that customers’ names and addresses are accessible is a serious breach.  The CBA’s claim that PINs and passwords were not included, thereby precluding fraud against the bank, highlights the CBA’s wrongheaded, self-interested focus and its failure to understand its obligations under the Privacy Act.  Under the Privacy Act, which regulates the CBA, it is personal information, names and addresses, that should be protected, not PINs and passwords.  The story has received wide coverage, being run by The Australian, the Age, the ABC and the Guardian, to name a few outlets.

The Information Commissioner’s response provides:

The Office of the Australian Information Commissioner was notified of an incident by the Commonwealth Bank of Australia (CBA) in 2016. Having regard to the findings in the report by the Australian Prudential Regulation Authority into the CBA released on Tuesday, the OAIC has made further inquiries in relation to this matter and has sought information from the CBA to satisfy the OAIC that the CBA has taken on board lessons learned from this incident, to ensure the privacy of customer’s personal information is adequately protected.

If anyone has concerns about this incident they can, in the first instance, contact CBA directly on 1800 316 433 and if not satisfied with their response they can contact the OAIC at www.oaic.gov.au or on 1300 363 992.

Given the Information Commissioner’s inaction in 2016, it is little wonder that its response is so tepid and vague.

The notice from the CBA is found here.  It provides:

We take your privacy seriously.

Following recent media reports detailing an event in May 2016, we want to reassure you there is no evidence of your information being compromised and you do not need to take any action. 

Here’s what you should know:

  • There is no evidence that any customer information was compromised
  • In May 2016 we were unable to confirm the scheduled destruction of two magnetic tapes used to print bank statements. These tapes contained information including customer names, addresses, account numbers and transaction details
  • They did not contain passwords, PIN numbers, or other data which could enable account fraud
  • We deployed enhanced reporting and ongoing monitoring of customer accounts to ensure customers were protected. These protections are still in place today
  • This was not cyber-related and there has been no compromise of CommBank’s technology platforms, systems, services, apps or websites
  • CommBank offers you a 100% security guarantee against fraud for all your accounts, where you are not at fault. We cover any loss should someone make an unauthorised transaction

Here’s what you can do:

A message from acting Group Executive, Retail Banking Services, Angus Sullivan 

Hi everyone,

I want to share some information with you about an incident that happened in 2016.

I want to reassure you that there’s no evidence that any customer records have been compromised.
The Australian article, fairly typical of the coverage, provides:

Commonwealth Bank admits it lost customer data

In one of the nation’s biggest financial services data security blunders, Commonwealth Bank has lost historical records for 20 million accounts.

In one of the nation’s biggest financial services data security blunders, Commonwealth Bank has lost historical account records for close to 20 million accounts after failing to track the hardware on which they were stored, but insists the customers’ data remains uncompromised.

The incident came to light at the bank in 2016, when it discovered two magnetic tapes used to record over 15 years of customer statements may not have been securely disposed of.

Customers whose data was lost do not have to take any action as their accounts have been monitored since the incident, an ASX announcement released this morning advised.

The tapes stored personal data of 12 million customers such as names and addresses, but not pins, passwords “or other data that could enable account fraud,” Commonwealth Bank Retail Banking Services acting group executive Angus Sullivan said in a video statement yesterday.

In a statement the bank said it had confirmed there was no evidence of suspicious activity involving the 19.8 million accounts affected following the incident.

CBA says it had been unable to confirm the destruction of two magnetic tapes containing historical customer statements.

The tapes contained customer names, addresses, account numbers and transaction details from 2000 to early 2016.

An investigation in 2016, when the incident occurred, determined it was most likely the tapes had been disposed of and the bank immediately put mechanisms in place to further protect customers.

However, CBA decided not to alert the public of the incident until media reports yesterday publicised the problem.

“We take the protection of customer data very seriously and incidents like this are not acceptable,” Mr Sullivan said.

“I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”

The bank said it had commissioned a “forensic” investigation by KPMG on discovering the incident, and notified the Australian Prudential Regulation Authority and the Australian Privacy Commissioner.

The KPMG probe found no evidence that customers’ data had been compromised, or accessed by third parties, CBA said.

“We balanced the need to alert customers without unnecessarily alarming them,” Mr Sullivan said.

It comes as the banking royal commission has spotlighted endemic cultural problems in Australia’s financial services industry, including multiple failures by CBA to prioritise customer interests.

On Tuesday, a damning review of Commonwealth Bank by APRA found bumper profitability “dulled” the bank’s senses to signals that might have otherwise alerted the board and senior executives to problems emerging inside the banks, as well as a deterioration in CBA’s risk profile.

APRA’s report found CBA guilty of “complacency”, a “reactive stance”, as well as being insular and not learning from experiences and mistakes.

CBA on Wednesday advised its customers to “continue using your accounts as you always have”.

In March this year, mandatory data breach notification laws came into force that require companies to disclose data breaches likely to result in serious harm.
