Slashdot Mirror


Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers, And Did Not Tell Them About It (buzzfeed.com)

The Commonwealth Bank, the largest bank in Australia, has lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia, BuzzFeed News reports. From the report: BuzzFeed News can reveal that the nation's largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016. While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC told BuzzFeed News it was now making further inquiries into the privacy breach, following a damning report into the bank's culture released on Tuesday. Angus Sullivan, Commonwealth Bank's acting group executive of retail banking services, told BuzzFeed News in a statement: "We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologise for any concern the incident may cause." "We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred."

11 of 52 comments

  1. Magic auditor handwaving by Anonymous Coward · · Score: 2, Insightful

    "KPMG's forensic investigation 'found the most likely scenario was the tapes were disposed of'."

    They couldn't find evidence of any outcome, so they just assumed the most beneficial one. How convenient for *almost* everyone involved.

  2. Let me get this straight by burtosis · · Score: 5, Insightful
    The entire database of these 12m customers' history was stored, unencrypted, on tapes (of all things in 2012), then just lost? I was going to make a snarky comment but rtfa just in case and it didn't disappoint:

    One possibility that was canvassed by KPMG is that the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction. Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along this route, but were unable to find any trace of them.

    Literally they say it may have fallen off the back of a truck, and here I thought that was only ever hyperbole for theft. Well, I'm glad that irresponsible phase is behind them and their rigorous adherence to data security and unparalleled altruism when it comes to customers will carry them forward.

    1. Re:Let me get this straight by orev · · Score: 3, Insightful

      Tapes are still one of the most economically efficient and reliable media available, in 2012 and even in 2018. Obviously the one drawback is they can be easily transported and lost...

    2. Re:Let me get this straight by anegg · · Score: 4, Insightful

      12 million financial histories were not LOST. They were potentially disclosed to unknown person(s). As with other cases involving copies of digital data, language originally developed for a world of unique exemplars fails in the domain of easily replicated elements.

    3. Re:Let me get this straight by thegarbz · · Score: 2

      Literally they say it may have fallen off the back of a truck

      Or more likely the tapes were destroyed by the contractor as intended and a receipt has gone missing.

      "may" is a powerful word.

  3. Interesting wording "breach" by thegarbz · · Score: 4, Informative

    That is an interesting choice of words leading into the summary. The bank chose not to disclose a "breach". The only thing here which was "breached" was a chain of custody for a data tape. The regulator was informed, and investigations were undertaken which identified the most likely outcome was that the tapes were destroyed which is what was intended for them anyway. Oh and the regulator didn't require customer notification.

    The customer can't do anything about this. Largely they should be unaffected by it as well. Unless you're worried someone may find your receipt from "Illegal and Immoral things R Us" along with your name at the top, the only other exposure is that this contributes 25 points towards a 100 point identity check. So not even enough information for identity theft.

    So... the customer can do nothing. It's not confirmed that the data was mishandled. The regulator was informed and deemed it all okay. And all that really was identified is that a receipt for the destruction was missing.

    How would the customer (I have 4 accounts with this bank) benefit in knowing?

    1. Re:Interesting wording "breach" by thegarbz · · Score: 2

      They would know that they should switch to a bank with safer procedures

      Sure. And we could all ride unicorns off into the sunset. Banks have the lowest customer satisfaction rates in Australia. Lower than cable companies and telecom companies. Yet they have a really high customer retention rate. People don't even switch banks due to high fees, or service outages; hell, most people don't even competitively check their home loans, literally costing them tens of thousands of dollars.

      What makes you think even a single customer would give a crap that the bank can't prove that a tape full of old bank statements that was sent to be destroyed may not have been destroyed, but likely was anyway?

      Because next time (or perhaps already but also not disclosed) it may be current data.

      And it would be just as irrelevant if it was current as if it was in the past.

  4. Copy of email from the bank by yobjob · · Score: 5, Informative

    This is what the bank in question emailed me today:

    Dear CommBank Customer,

    Following recent media reports detailing an incident in May 2016, we want to reassure you there is no evidence of your information being compromised and you do not need to take any action.

    Here is what you need to know:
    - There is no evidence that any customer information was compromised.
    - In May 2016 we were unable to confirm the scheduled destruction of two magnetic tapes used by a supplier to print bank statements. These tapes contained information including customer names, addresses, account numbers and transaction details. They did not contain passwords or PINs which could enable fraud.
    - We deployed enhanced reporting and ongoing monitoring of customer accounts to ensure customers were protected. These protections are still in place today.
    - This was not cyber-related. CommBank's technology platforms, systems, services, apps and websites were not compromised.
    - CommBank offers you a 100% security guarantee against fraud for all your accounts, where you are not at fault. We cover any loss should someone make an unauthorised transaction.

    Here is what you can do:
    - Continue using your accounts as you always have.
    - Please remember that CommBank staff will never ask you to divulge your passwords or PINs. We do not send emails with links requesting you to confirm, update or disclose your confidential banking information.
    - If you have questions or would like to discuss, please call us at 1800 316 433.
    - If you would like to find more information you can visit www.commbank.com.au/customerassurance

    I want to apologise for any concern this incident may have caused. If there is any change in circumstances I will let you know.

  5. Re:Time to do "AB" or "ABC" backups? by nitehawk214 · · Score: 3, Funny

    As an added benefit, this would almost guarantee that a sysadmin will never be able to restore the tape.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  6. Lost? is a misleading title!!! by ripvlan · · Score: 2

    The data was sent out for Destruction. I originally thought, based on the title, that they had accidentally Deleted a bunch of data from the system.

    But no. They had sent the backup tapes out for Destruction!! And then they lost chain of control, now somebody somewhere has the backup copy of many years worth of financial records.

    So somebody has stolen the backup tapes. Geez. I can't believe they didn't think of this as part of the preparation to ship it. I had to do something similar years ago and we sat down to perform a FMEA-like analysis of things that could go wrong. Our data was on a RAID5 device, so we decided to disassemble the drive-shelf and ship the drives in individual boxes and split carriers over several days. This was more than a few years ago and encrypting 2TB of data was not something that would finish in our lifetime. Simply possessing a 2TB "enterprise" RAID5 was costly. Yeah - the old days. Since then we have encrypted USB drives with push-button PINs small enough to fit in our shirt pockets (all the more likely to walk off).

    But my point is -- we didn't just drop the thing off at FedEx. We knew what our data was and this wasn't a normal "just ship it" situation.

  7. And by "Data Breach" you mean... by kenh · · Score: 2

    Fail to secure a certificate of destruction for decommissioned drives.

    The bank never lost the data; it was migrated to the new data storage facility. What happened was that a bunch of drives sent out for destruction may not have actually been destroyed - or may have been destroyed, but the notice was lost, or the notice was sent to the wrong customer, etc.

    Bottom line, the bank lost control of 1.44 BN bank statements from 2004 to 2010 - if you walk into the branch, they still have access to a complete history of your bank statements - nothing was "lost".

    --
    Ken
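
Comments 6 and 7 above come down to the same control: a tape sent for destruction is accounted for only when every handoff is logged and a certificate of destruction closes the chain, and a tape that cannot be accounted for matters far more if its contents were never encrypted. The following is an added example, not code from the bank, KPMG or the article; the custody events, tape ids and media register are all constructed, and the expected handoff chain is an assumption.

```python
"""Reconcile a tape custody log against certificates of destruction (constructed example).
A tape is proven destroyed only when every handoff is logged in order and a certificate
closes the chain: released -> courier_pickup -> vendor_receipt -> destroyed."""
from collections import defaultdict

# Assumed order of custody events for a tape leaving the data centre.
CHAIN = ["released", "courier_pickup", "vendor_receipt", "destroyed"]

# Constructed custody log in time order: (tape_id, event, actor, reference).
CUSTODY_LOG = [
    ("T-1001", "released",       "dc-ops",     "ticket-4411"),
    ("T-1001", "courier_pickup", "courier",    "manifest-77"),
    ("T-1001", "vendor_receipt", "destructor", "intake-9"),
    ("T-1001", "destroyed",      "destructor", "cert-2016-0312"),
    ("T-1002", "released",       "dc-ops",     "ticket-4411"),
    ("T-1002", "courier_pickup", "courier",    "manifest-77"),    # never receipted by vendor
    ("T-1003", "released",       "dc-ops",     "ticket-4412"),
    ("T-1003", "destroyed",      "destructor", "cert-2016-0313"),  # certificate, but no handoffs
]
# Constructed media register: were the tape contents encrypted at rest?
MEDIA = {"T-1001": {"encrypted": False}, "T-1002": {"encrypted": False}, "T-1003": {"encrypted": True}}

def reconcile(log):
    """Map each tape to 'ok', 'gap:<skipped event>' or 'unaccounted:last=<event>'."""
    events = defaultdict(list)
    for tape, event, _actor, _ref in log:
        events[tape].append(event)
    statuses = {}
    for tape, seq in events.items():
        status = "ok"
        for expected, actual in zip(CHAIN, seq):
            if actual != expected:
                status = f"gap:{expected}"  # a certificate after a skipped handoff proves nothing
                break
        else:
            if len(seq) < len(CHAIN):  # chain stops short of a certificate
                status = f"unaccounted:last={seq[-1]}"
        statuses[tape] = status
    return statuses

def exposure(statuses, media):
    """Tapes not proven destroyed that hold plaintext data: the set a
    breach-notification decision actually has to weigh."""
    return sorted(t for t, s in statuses.items() if s != "ok" and not media[t]["encrypted"])

if __name__ == "__main__":
    for tape, status in sorted(reconcile(CUSTODY_LOG).items()):
        print(tape, status)
    print("plaintext media not proven destroyed:", exposure(reconcile(CUSTODY_LOG), MEDIA))
```

A tape whose chain ends in a certificate but skips a handoff is reported as a gap rather than as destroyed, which is exactly the situation a missing destruction receipt leaves an auditor in.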