The Commonwealth Bank of Australia has released details of an investigation into hundreds of emails containing customer information being erroneously sent to external addresses.
From April 2016, some 651 emails with information relating to around 10,000 customers were sent to @cba.com addresses instead of the intended @cba.com.au addresses.
Although since April 2017 the bank has owned cba.com, prior to that it was owned by a US financial services firm, Cheslock Bakker & Associates, and later a US cyber security company, CBA said. Beginning in January 2017, the bank blocked internal emails sent to cba.com addresses.
“We want our customers to know that we are committed to being more transparent about data security and privacy matters,” the bank’s acting group executive, Retail Banking Services, Angus Sullivan said.
“Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge however that customers want to be informed about data security and privacy issues and we have begun contacting affected customers.”
CBA said its “extensive and detailed investigation” of the issue confirmed that the erroneously addressed emails were not retained by the successive cba.com operators.
Although the bank says that customer data wasn’t compromised it is contacting customers whose information was included in the emails.
The bank has set up a website with more information on the issue.
Last month CBA revealed that it could not confirm the destruction of magnetic tapes that contained financial data relating to some 19.8 million customer accounts. The tapes were misplaced in 2016.
There is no evidence that the customer information on the tapes has been accessed by any third parties, the bank said.