The Commonwealth Bank, one of several large institutions on the back foot over how they treat customers in the Banking Royal Commission, has revealed that it lost the details of 12 million customers after a contractor lost a stash of tape drives. Those drives contained banking statements for customers from 2004 to 2014.
The bank notified the Office of the Australian Information Commissioner (OAIC) in 2016 after learning of the breach, which is probably the biggest the country has seen, but didn't let customers know, telling Buzzfeed: "We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred."
According to the Commonwealth Bank, the data contained no PIN codes or account log-in details. But the data on the tapes was unencrypted.
However, it is not unreasonable to expect that if the tapes held transactions people would be embarrassed to have revealed, some harm could follow. Saying that the lost data "did not contain passwords, PIN numbers, or other data which could enable account fraud" takes a narrow view of the damage the loss of such data can cause.
In a statement, the bank emphasises that this was not a breach of their security protocols or the result of a cyber-attack.
We take your privacy seriously. You may have read a recent media report about an event in May 2016. There’s no evidence of your information being compromised and you don’t need to take any action. Visit https://t.co/x63uw2SVRf to learn more.
— CommBank (@CommBank) May 2, 2018
The tapes were sent to a subcontractor for destruction. But when documentation confirming the data's scheduled destruction could not be found, an investigation was launched and the OAIC was informed in May 2016. Under the new National Data Breach (NDB) laws that came into effect in February this year, all the affected customers would need to be notified, but there was no such obligation back in 2016.
The Australian Prudential Regulation Authority (APRA) was also notified, as incidents that can affect the value of a company must be reported. ASX Listing Rule 3.1 requires companies to disclose any information that a reasonable person would expect to have a material impact on the value of the company. That extends beyond personally identifiable information, which is the focus of the NDB laws.
Commonwealth Bank hired forensic investigators to search for the tapes, but they were never found. So it's possible they were destroyed as planned and the paperwork simply wasn't completed correctly. Or they're sitting in someone's backroom being scanned for interesting data.
There are some significant lessons in this.
- Data should always be encrypted at rest, especially when stored on removable media
- Notifying customers, even when you're not obligated, is better than letting them read about it in the news
- Your data security strategy must include physical access
- "Trust, but verify" needs to be applied to all third parties you deal with