After an exposé from BuzzFeed News (opens in new tab) revealed that the Commonwealth Bank had lost the data of some 12 million customers (across almost 20 million accounts) in May 2016, the Australian financial giant has released a statement in its defence.
The data took the form of bank statements spanning the years 2000-2016 and was stored on two magnetic tapes that were due to be destroyed by a third-party contractor, Fuji-Xerox.
No official documentation on the destruction of these tapes was ever produced and, as such, their whereabouts are still unaccounted for.
While the Commonwealth Bank claims these bank statements didn’t contain any information on customers’ passwords and PIN numbers, they did contain their names, addresses, account numbers and transaction details.
It's fine, though...
CBA has now released a statement (opens in new tab) to its customers via email addressing the situation and assuring them that there’s “no evidence of customer information being compromised” and that “customers do not need to take any action”.
An independent forensic investigation was immediately launched after the incident in 2016 and found that the tapes had “most likely” been disposed of.
The affected accounts were also subject to elevated monitoring, which allegedly returned no signs of malicious activity over the last two years.
CBA notified the appropriate regulators of the potential breach and kept them up to speed with the ongoing investigation but chose not to inform customers “in light of the investigations findings and the account monitoring in place”.
In a conversation with ABC News’ (opens in new tab) AM radio program, CBA’s head of retail banking, Angus Sullivan, said that “when incidents like these are shared more broadly, they create risks in and of themselves”.
While there may be truth to this, recent legislation means that Australian businesses must report if they’ve suffered a data breach to both the regulators and the affected individuals if they were deemed at risk.
While CBA did notify the regulators (in this case, the Office of the Australian Information Commission and the Australian Prudential Regulation Authority), they chose not to disclose the breach to customers as they were deemed ‘protected’.
Although ongoing monitoring may protect from any fraud or theft targeted at CBA accounts, do customers have a right to know when the names, addresses, and detailed finances of 12 million customers are misplaced?