Which Bank Lost The Personal Financial Histories Of 12 Million Customers?


The Commonwealth Bank, one of several large institutions on the back foot over how they treat customers in the Banking Royal Commission, has revealed that they lost the details of 12 million customers as the result of a contractor losing a stash of tape drives. Those drives contained banking statements for customers from 2004 to 2014.

The bank notified the Office of the Australian Information Commissioner (OAIC) in 2016 after learning of the breach - which is probably the biggest the country has seen - but didn't let customers know, telling Buzzfeed: "We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred".

No PIN codes or account log-in details are contained in the data according to the Commonwealth Bank. But the data on the tapes was unencrypted.

However, it would not be unreasonable to expect that if those tapes contained transactions people would be embarrassed to have revealed, some harm is possible. Saying that the lost data "did not contain passwords, PIN numbers, or other data which could enable account fraud" is a limited view of the damage the loss of such data can cause.

In a statement, the bank emphasises that this was not a breach of their security protocols or the result of a cyber-attack.

The tapes were sent to a subcontractor for destruction. But when documentation pertaining to the data's scheduled destruction wasn't found, an investigation was launched and the OAIC was informed in May 2016. Under the new National Data Breach (NDB) laws that came into effect in February this year, all the affected customers would need to be notified, but there was no such obligation back in 2016.

The Australian Prudential Regulation Authority (APRA) was also notified, as incidents that can affect the value of a company need to be reported. ASX Listing Rule 3.1 requires companies to disclose any information that a reasonable person would expect to have a material impact on the value of a company. That extends beyond personally identifiable information, which is the focus of the NDB laws.

Commonwealth Bank hired forensic investigators to search for the tapes but they were never found. So, it's possible they were destroyed as planned but the paperwork wasn't completed correctly. Or they're sitting in someone's backroom and being scanned for interesting data.

There are some significant lessons in this.

  1. Data should always be encrypted when at rest - especially when stored on removable media
  2. Notifying customers, even when you're not obligated, is better than letting them read about it in the news
  3. Your data security strategy must include physical access
  4. "Trust, but verify" needs to be applied to all third parties you deal with

Comments

    It most likely would have been awarded to the lowest cost provider (all in the name of maximising shareholder value). Then the provider cuts corners to turn a dollar because they've dropped their pants to win the business and the bank ends up with a mess on their hands, therefore destroying the shareholder value they thought they were supporting.
    Pure speculation but I wouldn't be surprised if that's what happened.

      I didn't add the name of the contractor involved as it was unclear who it was from what I can glean. Fujitsu operated a data centre CommBank stopped using which was part of the process that required the destruction of the data. But it was unclear whether Fujitsu was responsible or if they subcontracted the task to someone else.

      I suspect it's someone else as data destruction is a highly specialised service.

      That said - the responsibility for protecting customer data, as per the Privacy Act and associated Australian Privacy Principles is with Comm Bank. You can outsource the activity but not the responsibility.

        It's why, when I'm working on big projects I make it a personal goal to know the friends of my friends. Very easy to lose control if you don't know who your contractors are sub-contracting to. In this day and age, that hand off can be many layers deep.

      It's never pretty when someone drops their pants and you end up with a mess on your hands. :(

        Ha! Especially when it's several layers deep...

    "Australian Prudential Regulation Authority (APRA) was also notified as incidents that can affect the value of a company need to be reported. ASX Listing Rule 3.1 requires companies to disclose any information that a reasonable person would expect to have a material impact on the value of a company. "

    So how many times can CommBank breach these rules without being delisted?

      Unlimited as long as they issue a statement of apology; banks are "too big to fail".

    I am not sure what is more cliché here, the same old "Contractor's Fault" or the literal "Fell off the Back of a Truck".
