CBA secretly loses 20 million accounts

Australia's Commonwealth Bank lost the bank records of nearly 20 million people and, after discovering the loss in 2016, decided not to reveal the breach to customers, according to news-media reports.

The Commonwealth Bank says it sent customer information to Fuji Xerox to be destroyed in 2016, but some of the information went missing.

The forensic team formulated the view that the data had most likely been destroyed, without conclusive evidence.

Northam Police began investigating the identity theft with the help of Mr Shannon, who took the case to the bank-funded Financial Ombudsman Service set up to handle customer complaints.

The Commonwealth Bank has taken two years to admit it lost 15 years' worth of customer statements which included names, addresses and account numbers.

In a statement, the bank said it had confirmed there was no evidence of the information being compromised for the 19.8 million accounts involved, nor of suspicious activity following the incident.

Although the incident occurred in 2016, before new laws that require mandatory reporting for serious breaches, the attorney general told Sky News on Thursday that he and other customers of the bank would expect to have been notified.

The statements did not contain passwords, PINs or other data that could be used to enable account fraud, CBA said in a statement on Wednesday night. The bank immediately put in place monitoring mechanisms to further protect customers.

While there may be truth to this, recent legislation means that Australian businesses that suffer a data breach must report it to both the regulator and the affected individuals, where those individuals are deemed to be at risk.

"The 2016 incident was not cyber-related and there has been no compromise of CBA's technology platforms, systems, services, apps or websites".

Mr Sullivan added: "The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion". It did not tell customers because "we balanced the need to alert customers without unnecessarily alarming them", he said.

CBA CEO Matt Comyn said all of the APRA recommendations would be implemented: "We will establish a higher level of accountability and effect for our actions and the impact we have on customers".

"[We have] sought information from the CBA to satisfy the OAIC that the CBA has taken on board lessons learned from this incident, to ensure the privacy of customers' personal information is adequately protected", the office said.

The bank said it had also ordered an independent investigation.

Additionally, "if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the commissioner", the OAIC advises.