Australia’s Commonwealth Bank (CBA) admitted losing backups holding years’ worth of financial details for some 12 million customers. When the breach occurred in 2016, the bank informed the Office of the Australian Information Commissioner, yet chose not to notify its customers. As a consequence, the CBA is facing further investigations.
BuzzFeed News revealed that the backup contained banking statements collected between 2004 and 2014, while News.com.au claims the loss affects data of almost 20 million customers, collected between 2000 and 2016.
The bank data was kept on magnetic tape drives, some of which subcontractor Fuji Xerox accidentally destroyed. That data was never retrieved, and the bank is now investigating what happened and why a destruction certificate was not found.
The CBA assures its customers that no sensitive information, such as PIN codes and passwords, was leaked, nor was suspicious activity detected. The tapes contained names, addresses, account numbers and transaction details.
“We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologize for any concern the incident may cause,” said Angus Sullivan, acting group executive.
“We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred.”
One possible scenario, as initially concluded by a forensic team hired to investigate the privacy breach, is that “the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction.”