The Commonwealth Bank says there is “no evidence of customer information being compromised or suspicious activity” as a result of copies of financial data relating to some 19.8 million customer accounts being misplaced in 2016.
The bank confirmed a May 2016 incident when it was unable to confirm the scheduled destruction of two magnetic tapes with customer statements. The tapes included customer names, addresses, account numbers and transaction details from 2000 to early 2016, CBA said.
BuzzFeed News’ Paul Farrell broke the story, revealing that the incident took place when Fuji Xerox was decommissioning a CBA data centre.
The bank says it notified the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) after it discovered the breach.
“We take the protection of customer data very seriously and incidents like this are not acceptable,” acting group executive retail banking services, Angus Sullivan, said in a statement.
“I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”
The tapes “did not contain passwords or PINs which could enable fraud,” the bank said in a letter to customers.
“This was not cyber-related,” the bank said. “CommBank's technology platforms, systems, services, apps and websites were not compromised.”
“The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion,” Sullivan said. “We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred.
“We concluded, given the results of the investigation, that we would not alert customers. We discussed this course of action with the OAIC who subsequently advised that it did not intend to take any further action in relation to the matter. We have however been contacted by the OAIC this week for additional information about this matter and the actions CBA undertook in 2016.”
The OAIC confirmed that the bank had notified it of the incident in 2016. The privacy watchdog said it made further inquiries in relation to the incident following a scathing APRA report on CBA released this week.
APRA said its CBA inquiry “found a number of prominent cultural themes such as a widespread sense of complacency, a reactive stance in dealing with risks, being insular and not learning from experiences and mistakes”.
The OAIC said it has “sought information from the CBA to satisfy the OAIC that the CBA has taken on board lessons learned from this incident, to ensure the privacy of customers’ personal information is adequately protected.”
Earlier this year Australia’s Notifiable Data Breach (NDB) scheme came into effect. Under the NDB rules, businesses with an annual turnover greater than $3 million or that handle certain sensitive categories of information will have to notify their customers and the OAIC when a data breach takes place.
Last month the OAIC released its first quarterly report on the NDB scheme, revealing that it received 63 reports of data breaches during the scheme’s first six weeks of operation. Eight of the reports related to organisations in the financial sector.