Slashdot Mirror
Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers, And Did Not Tell Them About It (buzzfeed.com)
The Commonwealth Bank, the largest bank in Australia, has lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia, BuzzFeed News reports. From the report: BuzzFeed News can reveal that the nation's largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016. While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC told BuzzFeed News it was now making further inquiries into the privacy breach, following a damning report into the bank's culture released on Tuesday. Angus Sullivan, Commonwealth Bank's acting group executive of retail banking services told BuzzFeed News in a statement: "We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologise for any concern the incident may cause." "We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred."
I suggest the C-level execs go 10 rounds each with an angry roo, and then are injected with platypus venom for the coup de grace.
Like you never misplaced your keys.
Don't be so sanctimonious!
Buy new ones on ebay?
Or have buzzfeed learn that tapes are not the tape drives themselves?
"KPMG's forensic investigation "found the most likely scenario was the tapes were disposed of"."
They couldn't find evidence of any outcome, so they just assumed the most beneficial one. How convenient for *almost* everyone involved.
One possibility that was canvassed by KPMG is that the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction. Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along this route, but were unable to find any trace of them.
Literally they say it may have fallen off the back of a truck, and here I thought that was only ever hyperbole for theft. Well, I'm glad that irresponsible phase is behind them and their rigorous adherence to data security and unparalleled altruism when it comes to customers will carry them forward.
Federal government has lost more. Tapes can get mangled and put in the bad/duplicate tape rack with dumb auditors know nothing about. My bet the the tape exploded in a degaussing machine.
You dont have to be dumb and steal tapes - every day teh backups are moved offsite is a new opportunity to make backups of backups on the sly. A contractor on $23 an hour.
That is an interesting choice of words leading into the summary. The bank chose not to disclose a "breach". The only thing here which was "breached" was a chain of custody for a data tape. The regulator was informed, and investigations were undertaken which identified the most likely outcome was that the tapes were destroyed which is what was intended for them anyway. Oh and the regulator didn't require customer notification.
The customer can't do anything about this. Largely they should be unaffected by it as well. Unless you're worried someone may find your receipt from "Illegal and Immoral things R Us" along with your name at the top the only other exposure is that this contributes 25 points towards a 100 point identity check. So not even enough information for identity theft.
So... the customer can do nothing. It's not confirmed that the data was mishandled. The regulator was informed and deemed it all okay. And all that really was identified is that a receipt for the destruction was missing.
How would the customer (I have 4 accounts with this bank) benefit in knowing?
This is what the bank in question emailed me today: Dear CommBank Customer, Following recent media reports detailing an incident in May 2016, we want to reassure you there is no evidence of your information being compromised and you do not need to take any action. Here is what you need to know: There is no evidence that any customer information was compromised. In May 2016 we were unable to confirm the scheduled destruction of two magnetic tapes used by a supplier to print bank statements. These tapes contained information including customer names, addresses, account numbers and transaction details. They did not contain passwords or PINs which could enable fraud. We deployed enhanced reporting and ongoing monitoring of customer accounts to ensure customers were protected. These protections are still in place today. This was not cyber-related. CommBank's technology platforms, systems, services, apps and websites were not compromised. CommBank offers you a 100% security guarantee against fraud for all your accounts, where you are not at fault. We cover any loss should someone make an unauthorised transaction. Here is what you can do: Continue using your accounts as you always have. Please remember that CommBank staff will never ask you to divulge your passwords or PINs. We do not send emails with links requesting you to confirm, update or disclose your confidential banking information. If you have questions or would like to discuss, please call us at 1800 316 433. If you would like to find more information you can visit www.commbank.com.au/customerassurance I want to apologise for any concern this incident may have caused. If there is any change in circumstances I will let you know.
Czech language for absolute beginners
Which Bank?
My ism, it's full of beliefs.
They all had one full backup in 14 years, the rest is incremental, they they are also all lost , that is a lot of tapes. Maybe someone wanted to convert them to deck tapes and listen to the music like back in 80s...
It is not uncommon for financial records from the pre-internet epoch to disappear. We owned two homes before 1985 and all the bank mortgage records were unavailable by 2001. If you have some special need for long term storage, you may need to DIY.
So in the end the "breach" was that a 3rd party contractor that handled the printing and mailing of account statements was unable to provide documentation proving that tapes with statement data had been destroyed by another company.
The incident was reported to the government regulator, which did not require public disclosure. Another 3rd party was hired to do a thorough investigation into what happened and see if the tapes could be found. The tapes were most likely destroyed.
I knew BuzzFeed was garbage, but I didn't realise it was such toxic sludge. Anything to beat up on a big corporation. Ironically, the beating is from a big corporation of neo-progressives.
1) Encrypt your backups
2) If your backups are being sent off-site for destruction, do a preliminary bulk-erase before they are sent off-site so if they are stolen en route it will be harder to recover the hopefully-encrypted data. "Harder" means a normal tape drive will have a very high error rate reading the data, but someone with forensic tools might be able to recover it.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Maybe it's time to go to "split" backups:
1. First, the data is encrypted.
2. Every other bit/byte/sector goes to tape A, the other bit/byte/sectors go to tape B.
3. Store tape "A" separate from tape "B".
4. When transporting them, transport them separately.
A more redundant version would split the data into 3 groups, every third bit/byte/sector being in group A, B, or C respectively. For redundancy, the backup tapes would be "AB," "BC," and "CA" so that any two backup tapes could be used to recover the data, but having only 1 tape would be useless. Yes, this takes twice as much space on each tape and at least 50% more tapes, but you get some redundancy out of it. Of course you would still need the decryption key to decrypt it.
Here's an example of the 3-tape version:
Data:
Hello and goodbye.
Encrypted data (this is just gibberish for the sake of example):
EEdFJ3rQ]K;]bE0_y
Padded encrypted data so it is a multiple of 3 characters in length:
EEdFJ3rQ]K;]bE0_y[fill value]
ABC splitting by character:
A: EFrKb_
B: EJQ;Ey
C: d3]]0[fill value]
Tape AB: EEFJrQK;bE_y
Tape BC: EdJ3Q];]E0y[fill value]
Tape CA: C: dE3F]r]k0b[fill value]_
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The data was sent out for Destruction. I originally thought, based on the title, that they had accidentally Deleted a bunch of data from the system.
But no. They had sent the backup tapes out for Destruction!! And then they lost chain of control, now somebody somewhere has the backup copy of many years worth of financial records.
So somebody has stolen the backup tapes. Geez. I can't believe they didn't think of this as part of the preparation to ship it. I had to do something similar years ago and we sat down to perform a FMEA-like analysis of things that could go wrong. Our data was on a RAID5 device so we decided to disassemble the drive-shelf and ship the drives in individual boxes and split carriers over several days. This was more than a few years ago and encrypting 2TB of data was not something that would finish in our lifetime. Simply possessing a 2TB "enterprise" RAID5 was costly. Yeah - the old days. Since then we have encrypted USB drives with push-button PINs small enough to fit in our shirt pockets (all the more likely to walk off)
But my point is -- we didn't just drop the thing off at FedEx. We knew what our data was and this wasn't a normal "just ship it" situation.
So the bank lost 10 years (2004-2014) of bank statements (12/year) for 12 million bank customers, that works out to 1.44 BN lost bank statements. (12/year x 10 years x 12 million accounts = 1.44 BN bank statements)
And...
How long are they expected to retain them? Most record retentions I've heard of limit responsibility to the previous 7 years, which means they likely had a responsibility to retain records back to 2010, meaning they lost about 4 years of records they were supposed to retain. That's bad, but it's not end-of-the-world bad IMHO. Sure, someone will lode their job, sure the bank will be embarrassed, but at the end of the day, when was the last time the average person needed to get a copy of a 13 year-old bank statement?
Ken
Fail to secure a certificate of destruction for decommissioned drives.
The bank never lost the data, it was migrated to the new data storage facility, what happened was a bunch of drives being sent out for destruction may not have actually been destroyed - or may have been destroyed, but the notice was lost, or the notice was sent to the wrong customer, etc.
Bottom line, the bank lost control of 1.44 BN bank statements from 2004 to 2010 - if you walk into the branch, they still have access to a complete history of your bank statements - nothing was "lost".
Ken