Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers, And Did Not Tell Them About It

The Commonwealth Bank, the largest bank in Australia, has lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia, BuzzFeed News reports. From the report: BuzzFeed News can reveal that the nation's largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016. While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC told BuzzFeed News it was now making further inquiries into the privacy breach, following a damning report into the bank's culture released on Tuesday. Angus Sullivan, Commonwealth Bank's acting group executive of retail banking services told BuzzFeed News in a statement: "We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologise for any concern the incident may cause." "We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred."

Intersting wording "breach"

[thegarbz]

That is an interesting choice of words leading into the summary. The bank chose not to disclose a "breach". The only thing here which was "breached" was a chain of custody for a data tape. The regulator was informed, and investigations were undertaken which identified the most likely outcome was that the tapes were destroyed which is what was intended for them anyway. Oh and the regulator didn't require customer notification.

The customer can't do anything about this. Largely they should be unaffected by it as well. Unless you're worried someone may find your receipt from "Illegal and Immoral things R Us" along with your name at the top the only other exposure is that this contributes 25 points towards a 100 point identity check. So not even enough information for identity theft.

So... the customer can do nothing. It's not confirmed that the data was mishandled. The regulator was informed and deemed it all okay. And all that really was identified is that a receipt for the destruction was missing.

How would the customer (I have 4 accounts with this bank) benefit in knowing?

Copy of email from the bank

[yobjob]

This is what the bank in question emailed me today: Dear CommBank Customer, Following recent media reports detailing an incident in May 2016, we want to reassure you there is no evidence of your information being compromised and you do not need to take any action. Here is what you need to know: There is no evidence that any customer information was compromised. In May 2016 we were unable to confirm the scheduled destruction of two magnetic tapes used by a supplier to print bank statements. These tapes contained information including customer names, addresses, account numbers and transaction details. They did not contain passwords or PINs which could enable fraud. We deployed enhanced reporting and ongoing monitoring of customer accounts to ensure customers were protected. These protections are still in place today. This was not cyber-related. CommBank's technology platforms, systems, services, apps and websites were not compromised. CommBank offers you a 100% security guarantee against fraud for all your accounts, where you are not at fault. We cover any loss should someone make an unauthorised transaction. Here is what you can do: Continue using your accounts as you always have. Please remember that CommBank staff will never ask you to divulge your passwords or PINs. We do not send emails with links requesting you to confirm, update or disclose your confidential banking information. If you have questions or would like to discuss, please call us at 1800 316 433. If you would like to find more information you can visit www.commbank.com.au/customerassurance I want to apologise for any concern this incident may have caused. If there is any change in circumstances I will let you know.