Commonwealth Bank data breach of 20 million accounts highlights that people regard privacy as important, that the Information Commissioner is a lax regulator and that the threatened Government action shows that privacy laws and regulation in Australia are a complete mess
May 6, 2018
As is the way with big data breaches, there has been a ripple effect from the Commonwealth Bank’s data breach: losing track of records affecting 12 million customers and 20 million accounts. The bank’s initial “not much to see here” explanation on its home page has morphed, via comment to the media, into a sort of acceptance that it should have come clean earlier. Which is in and of itself a misrepresentation. It never actually came clean with the public. The breach was exposed, and only then did it state that it had advised the Information Commissioner. That is not coming clean. The CBA is now notifying affected customers. Two years after the event.
The CBA’s explanation has rightly been the subject of criticism. Typical of that criticism, and of the criticism of the regulators, is the ABC piece, Commonwealth Bank: Here’s what you should know about the data breach if you’re a customer, which takes issue with the “nothing to worry about” flavour of the CBA’s explanation. The piece provides:
The Commonwealth Bank has confirmed it doesn’t know what happened to two magnetic tapes that had been scheduled to be destroyed — and that it’s known about this without telling customers since 2016.
It’s a big deal because those tapes included information from 19.8 million customer accounts from 2000 to 2016.
So, if you were a CBA customer at the time, there’s a good chance you’re affected. Here’s what you need to know.
Why was this data on tapes anyway?
Professor Richard Buckland, an expert in cybercrime at UNSW, said tapes are used in banking because that used to be the best way of storing large amounts of information (back before the cloud) and because they’re still used for keeping physical back-ups of data.
The tapes lost by the Commonwealth Bank were supposed to be destroyed by Fuji-Xerox last year.
But the Commonwealth Bank has been unable to confirm this actually happened.
Does the fact the data was on tapes make it less likely someone could access it?
Professor Buckland says it can be quite hard to access the data on old tapes, though you could probably find the drives required on eBay.
“You’d likely have to go to a fair bit of trouble to work out how to use them … It’s not like leaving a printout in a taxi,” he said.
He says his guess is that the tapes are in a dump somewhere — or, he joked, “a filing cabinet near Canberra”.
“I often see old tapes around, you see them at the second-hand shop or you see them at the dump,” he said.
“I think the chances are that it’s safe. But, that it happened is alarming.”
The Commonwealth Bank says an independent forensic investigation conducted by KPMG determined the most likely scenario was that the tapes had been destroyed.
But Professor Buckland says you really want more assurance than that.
“It’s like getting on a plane and saying, ‘As far as we know, the engine is fine and isn’t going to explode’,” he said.
What sort of data are we talking about?
The Commonwealth Bank says the tapes contained customer names, addresses, account numbers and transaction details.
Should I be worried about this?
Professor Buckland says someone with that data could find out how much you were paid and what you bought, as examples.
Depending on your circumstances, that could be a very bad thing.
“What if it had information about a famous political figure, and it had brothel receipts or something strange like that?” he said.
Dr Jodie Siganto, a partner at data privacy and security consulting firm Ringrose Siganto, says as a CBA customer herself, she’s very concerned.
“I really would not want anyone to have access to my bank statements to find out what I spend money on and how much I spend,” she said.
Dr Siganto says it’s about the embarrassment of someone able to go through your transactions — “all of your habits, basically”.
That leaves the possibility of information being made public or used for blackmail.
Dr Siganto said it’s not so much about the risk of fraudulent activity, because the bank would cover for that.
But could someone use the data to access my account?
Not on its own. But Professor Buckland says the data could be useful for someone trying to impersonate an account holder and steal their money.
“If you knew someone’s account number, that’s a really important piece of information,” he said.
“If you knew my account number, my BSB, my home address and my full name as my bank knew it, that’s a lot of the information you need to impersonate me to the bank.”
But Professor Buckland says banks work really hard on security, and have lots of threat teams and response teams.
“If someone tried to exploit this information at scale, the bank would get onto it,” he said.
“The people would probably get some money, but the bank would spot it and Australian banks have a good track record with refunding.”
What can I do about this data breach?
There’s nothing you can do about the information that’s unaccounted for.
And Professor Buckland says there’s probably nothing you can do yourself to find out if your data was lost, so if you were a Commonwealth Bank customer at the time, you should just act as if you have been affected.
But what you can do is keep a close eye on your bank statements — and Professor Buckland says you should be doing this anyway, because your data is always under threat.
“Your account number is constantly leaking; your address is constantly leaking; you do transactions with people, it leaks things; you give someone a cheque, it has your account number on it,” he said.
The Commonwealth Bank says “ongoing monitoring of accounts by CBA confirms customers do not need to take any action”.
If this happened in 2016, should the Commonwealth Bank have told me before now?
Professor Buckland says it looks like the Commonwealth Bank was given permission by the bank regulator, APRA, not to alert customers to the breach.
But that doesn’t mean that was the right decision.
“I would expect that it would be a decent thing to do to tell people,” Professor Buckland said.
He says he’d also like to think the Commonwealth Bank will eventually tell individuals whether or not they were affected if it is able to work that out.
Dr Siganto says the fact the bank hasn’t tried to narrow down which customers are affected suggests it affects everybody.
“If it was just their business customers, or their home loan customers, or something, I’m sure they would have come out and said that,” she said.
Dr Cassandra Cross from QUT’s School of Justice, whose research focuses on online fraud, says victims of identity theft suffer more if they’re unable to identify how and when their identity was compromised.
She says the Commonwealth Bank shouldn’t have tried to protect its reputation by keeping information from customers.
“By not telling customers of this breach, the CBA has denied the customers the ability to put measures into place to monitor their own credit and financial matters,” she said.
Dr Siganto says the decision not to tell customers sooner was clearly out of line with public expectation.
“It seems to me that people think they should at least have been told, even if it was, ‘Don’t worry’,” she said.
The ripple effect is, for a change, impacting on the Information Commissioner, who did nothing of any consequence when the CBA advised him of the data breach. No official action was taken. Not even an enforceable undertaking. There has been an unhealthy practice of organisations and agencies approaching the Commissioner when there has been a data breach or other interference with privacy; after some liaison, and possibly something (nobody knows what, because it is not made public) being done by the agency or organisation, that seems to be the end of the matter. Those affected by the data breach are not notified, and the wider public is certainly not informed. In effect, as far as the market can tell, no action is taken by the regulator. This is an informal policy under which those who confess face no enforcement action. Their privacy sins are forgiven and no penance is required. However, it is worse than that. For those who don’t come forward but are found out, and don’t care to repent, not much happens either. Of the few enforceable undertakings the Commissioner has entered into, the terms have been so weak compared to the swingeing terms imposed by the US Federal Trade Commission and the penalty notices of the UK Information Commissioner that there is very little incentive to comply with the law.
For the first time in a long time the mainstream media has picked up criticism of the Information Commissioner, with the Guardian quoting a spokesman from the Australian Privacy Foundation stating that the Commissioner has dropped the ball. It is a rare venture by the Foundation to criticise the Commissioner, possibly because it tends to be an enthusiastic participant in the Commissioner’s various, and generally ineffective, committees, consultations and talking shops. In that way it is somewhat captive to, and part of, the Commissioner’s kabuki: a performance in which nothing substantive is done. So the story is something of a rarity in focusing on the regulator rather than the supposedly more dramatic story of a breach. The Information Commissioner has clearly made a big mistake and should be held to account. More reporting on the Commissioner would be for the good.
Based on a Sky News interview last Friday, it appears that the Attorney General is at least talking about asking the hard questions of the Commissioner and contemplating some action against the CBA. The former is fine, but the latter, deciding to bring an action against the CBA, is properly the responsibility of the Commissioner. While it is a problem that the Commissioner does not exercise those powers, it is not an answer for the Commonwealth to step in and bring an action, or to get another agency to do so. That emasculates the Commissioner and makes a bad regulatory situation worse. The problem with the interview is that the Attorney General confused the mandatory data breach notification laws, which may have required notification in a similar situation, with the other powers to deal with the data breach, such as own motion investigations, enforceable undertakings and civil penalty actions, all of which could have been exercised in 2016. What must be borne in mind is that the mandatory notification legislation has nothing to do with the regulator taking action against the CBA in relation to poor data security practices. Since March 2014 the Commissioner has had, for example, the power to bring civil penalty proceedings in the Federal Court. He has, to date, issued no such proceedings. And that is not because there have not been opportunities to do so quite validly. It is because the regulator is timid and has had a poor understanding of what is required to improve the privacy culture in Australia. Education is important, something the Commissioner focuses on, but it is the fear of being prosecuted, with the attendant expense, reputational harm and penalty, which drives organisations and agencies to proper compliance.
The interview provides:
DAVID SPEERS: As you heard there in Leo’s piece, the Attorney-General Christian Porter has been receiving briefings on this matter today and I spoke to him a little earlier.
Christian Porter, thanks very much for your time this afternoon. So, when were you told about this data breach at the Commonwealth Bank?
CHRISTIAN PORTER: Tuesday evening, my office was informed and I requested a briefing the next morning from the Information Commissioner about the matter. And obviously it’s a matter which is very serious, of great concern to me, the Government, and my office. And we had yesterday, or a couple of days ago, APRA producing a report noting that the Commonwealth Bank didn’t seem to fully comprehend or understand its many non-financial requirements with respect to compliance and related matters, and this is just an obvious case in point. It is very, very disappointing.
DAVID SPEERS: It is an obvious case. It’s one of the most serious breaches as far as the- data breaches as far as the banking sector is concerned. Should you have been told earlier, either by the bank or by the Information Commissioner?
CHRISTIAN PORTER: Well, there’s no evidence that I can see – and obviously I’m inquiring into this and it’s early days – that there was any reporting up from the Information Commissioner, but I’ll confirm that as soon as I am able to.
DAVID SPEERS: That good enough?
CHRISTIAN PORTER: But I think it would have- well, the regime at the time, I must say, was quite different from what is now. And as you’d be aware, our Government has introduced legislation that makes the reporting of this type of breach mandatory and there are very serious civil penalties that now apply to the overarching system.
But, look, notification should flow up to government and down to customers as quickly as possible, so the Commonwealth Bank has come out today and notified all its customers and its position seems to be that the magnetic tapes in question were most likely destroyed, but that they can’t fully or finally confirm that destruction, but that there were no PINs or security issues in the data, and so that their customers shouldn’t be worried.
Now, you know, whether or not that is an accurate depiction of the situation is one question, but if the Commonwealth Bank maintain that position and that’s what they’ve notified customers of today, then the obvious question arises; why couldn’t they have notified their customers of that back in 2016? The idea that…
DAVID SPEERS: ….yeah well, exactly. And why did the Privacy Commissioner not tell them to do that back in 2016? I know you’re saying the regime was different – you’re right, the laws were different. Nonetheless, do you think the Privacy Commissioner should have given them different advice?
CHRISTIAN PORTER: Well, I think that that is a question that needs to be asked and I think that that is something that I will be, obviously, going through the documentation of, but I don’t want to jump to that conclusion. Now, at the time, there wouldn’t have existed a mandatory power of the Information Commissioner to compel the information be given by the Commonwealth Bank to its customers. So, the regime was quite different. But look, it is a serious data breach, a loss of data in this occasion. The Commonwealth Bank should have informed its customers at the time. I am obviously going to look very carefully at all of the notifications that flowed up to Government at the time to see whether they were adequate.
But at the end of the day, this is a problem with the bank and a problem with its ability to notify its customers and it should not be keeping its customers in the dark.
DAVID SPEERS: Well, to that end: has it actually notified the specific customers involved here? I know it’s put out a general statement, but what of those 12 million customers holding nearly 20 million accounts, have they specifically been told? Because as far as I’m aware, this data is still lost.
CHRISTIAN PORTER: The data is still lost and I think you will find, David, that even in the updated regime that we have brought in in 2018, that there are options for large corporations to notify people who might have been affected by a data breach and that can be done in a variety of ways. One of the ways is to notify individual customers. If that is impossible or prohibitive because there are so many customers and contact details might have changed, there are other ways that the legislation stipulates that you can notify your customers. So, even….
DAVID SPEERS: …so, they have to have satisfied their obligation now to actually notify through that general statement, do you think?
CHRISTIAN PORTER: Well, I’ve- look, I’m a Commonwealth Bank customer. I would’ve liked to have known. I received my notification today, so it certainly reached me, this general notification. But there are different ways in which you can notify clients. I don’t think the issue here is the methodology in which they’ve chosen to notify their clients, the issue is why now? Why not back in 2016 when the problem became apparent? It is due and proper that you notify your clients and this is the regime, in fact, that our Government has brought in, so now there are mandatory requirements to report this type of breach to the Information Commissioner; there are serious penalties for breaches of the regime and that is a very positive act from this Government to prevent these types of events from occurring in the future. But ultimately, it comes back down to the culture of the organisation in question.
DAVID SPEERS: Alright. But just to be clear, there’s no prospect of them facing any penalty under the current laws over this particular breach?
CHRISTIAN PORTER: Well, I just can’t say that definitively, but under the Privacy Act that is now drafted, after the reforms that we brought in in 2018, you could argue, without knowing all of the details, that this is a circumstance which could have caused serious harm to clients, which therefore should have been mandatorily informed to the Information Commissioner and there could have been a requirement that they inform their customers at the time. But that is the new regime that our Government’s put in place…
DAVID SPEERS: …but right now, just to be clear on this, right now, could they actually face any sort of penalty right now over this?
CHRISTIAN PORTER: Well, that is a complicated legal question that I just simply won’t be able to give you the answer to here on air. But it is more likely that if this event happened from 2018 on, that it would be the consequence of a penalty, a very severe civil penalty that in the past; that is a reform that our Government has introduced…..
DAVID SPEERS: …sure. But is someone looking into this now? Is your department looking into whether there is a potential penalty now?
CHRISTIAN PORTER: Of course. As we become aware of all of the details around the breach, we will be looking at any avenues in which we might be able to pursue it.
DAVID SPEERS: Now, look, no one wants to see trust in the banks undermined, but we have had, you know, a pretty torrid couple of weeks. We had the big banks, or suggestions that they’ve misled and ripped off customers by charging them fees for services not provided, that damning report from the regulator APRA about a culture of complacency, and now this revelation about the data breach of 20 million accounts. Do you think trust in the banks has been shaken?
CHRISTIAN PORTER: I mean, it’s unquestionable that it has been, and for some good reason. I mean, it seemed, at least to me personally, that when the Royal Commission was established, the major issue with which most people were concerned was with respect to lending practices. But as the Royal Commission has gathered pace it seems that sharp practices and, frankly, unethical practices and in some cases quite despicable practices in the banks seem to have permeated a variety of different business models inside the banks, including the provision of financial advice.
So, of course confidence in the banks has been shaken. That is not a good thing for our overall economy. But ultimately, government can play a very strong part in trying to institute systems to repair that confidence, but ultimately that confidence can only be regained by the institutions themselves.
DAVID SPEERS: And yet, as you know, your Government wants to give the banks a tax cut. Can you understand a lot of people saying: well, hang on, that’s not right.
CHRISTIAN PORTER: Well, we’re proposing tax cuts to the second half of businesses in Australia, which are the larger half of businesses. We’ve already provided tax cuts to businesses with turnovers between $0 and $50 million and that has been a major contributor to the economic growth that has seen fantastic job growth in our economy in excess of 400,000 jobs last year – a record.
So, we’re not giving a break to any single part of the economy. We are trying to make the business environment more competitive, ensure that businesses reinvest and grow and generate employment. So, having one sector of the business community subject to quite proper scrutiny shouldn’t prevent a government from doing what is needed to be done in the overall tax regime to grow the economy, grow jobs, and produce a better outcome for all Australian families.
DAVID SPEERS: A couple of quick ones, if I can. Tim Hammond has announced he’s resigning, as you know. There will be a by-election in his seat of Perth. This is the Labor frontbencher, he’s going for family reasons. I just want to ask you on the by-election; will the Liberals definitely run a candidate in the seat?
CHRISTIAN PORTER: I would think undoubtedly, and I’m sure that we’ll run a strong candidate and a strong campaign. And it wouldn’t have escaped your notice, David, that last week the Turnbull Government announced a $5.4 billion package, in excess of $3 billion worth of Commonwealth funding, to utterly critical congestion busting infrastructure in WA. So, we have a great story to tell here versus our Labor opponents…
DAVID SPEERS: …so, you might actually be a chance of picking up this seat?
CHRISTIAN PORTER: Well, I think that on the back of recent announcements and the enormous investment that the Turnbull Government’s making into congestion busting infrastructure in WA, that we would fancy ourselves and we’ll be running a very, very tough campaign.
DAVID SPEERS: And a final one. We’ve been talking your colleague Matt Canavan about Queensland’s new tree clearing laws. I know he’s spoken to you about this as well. As Attorney-General, will the Commonwealth take Queensland to the High Court over this?
CHRISTIAN PORTER: I have spoken to Matt Canavan about it and listened to the concerns that have been expressed to him, particularly by Indigenous groups, whose view is that this legislation prevents them from being able to deal in an appropriate and fair way with land that, in effect, they own.
So, I’ve listened to those. I will consider the matter and it is a very complicated question, but you’ll find that, generally speaking, when these types of legislations that exist at a state level and pertain to the ways in which people can deal with their land are challenged, they’re challenged by plaintiff groups which aren’t the Commonwealth Government and that’s been the history of these matters. So, I think at this stage it’s certainly a watching brief.
DAVID SPEERS: Attorney-General Christian Porter, thanks so much for joining us this afternoon. Appreciate it.
CHRISTIAN PORTER: Thank you, David. Cheers.