The Commonwealth Bank of Australia has confirmed that it lost the personal financial histories of millions of its clients years ago but never informed them about it. It admitted to the incident only after media broke the story.
Australia’s largest bank lost the banking statements of as many as 12 million of its customers during a period between 2004 and 2014, according to one source. Further reports in the Australian media have suggested that almost 20 million bank account records were lost in the incident.
The potential privacy breach occurred back in 2016, when the bank’s subcontractor apparently lost several magnetic tapes containing clients’ personal information from 2000 to early 2016. Personal banking statements contain sensitive, private information that can provide a detailed picture of the financial and personal affairs of a person.
After media broke the story, the Commonwealth Bank of Australia (CBA) issued a statement, confirming that the incident indeed had occurred. The bank gave no details concerning the exact number of affected customers but rushed to assure them that “there is no evidence that any customer information was compromised.”
“In May 2016 we were unable to confirm the scheduled destruction of two magnetic tapes used to print bank statements. These tapes contained information including customer names, addresses, account numbers and transaction details,” the statement says, adding that the lost data storage tapes did not contain “passwords, PIN numbers, or other data which could enable account fraud.”
“I want to assure our customers that we have taken the steps necessary to protect their information and we apologize for any concern this incident may cause,” CBA’s acting group executive for retail banking services, Angus Sullivan, told the Australian media, adding that the bank had “heightened the ongoing monitoring of accounts” and these measures still remain in place.
The CBA notified Australian regulators, the Office of the Australian Information Commissioner (OAIC) and the Australian Prudential Regulation Authority (APRA) about the incident but decided a public announcement would do more harm than good.
During its own “investigation” into the issue the bank came to the conclusion that the tapes had been “most likely” disposed of. “We concluded, given the results of the investigation, that we would not alert customers,” Sullivan said in a statement, adding that the bank consulted with the OAIC on that matter.
The fate of the lost records, meanwhile, remains a mystery. The bank investigation team failed to find any traces of the tapes. An independent probe conducted by a forensic team from accounting firm KPMG also did not provide any conclusive evidence on what happened to the tapes.
The investigators assumed that the tapes might not have been secured properly and might have fallen from a truck that was carrying the data for destruction, some reports allege. Others suggest that a person tasked with destroying the tapes might have left them unattended.