In one of the largest financial services data breaches ever to happen in Australia, the Commonwealth Bank (CBA) has lost the personal financial histories of over 19.80 million customers. Notably, the bank chose not to disclose the data breach to its customers. Under the new banking laws, which became effective in February, it is the duty of the financial institution to notify all Australians affected by a major data breach within 30 days. This incident once again underlines the need for distributed ledger technology to ensure secure, private and tamper-free records.
The country’s largest bank has admitted it lost the banking statements of customers from 2000 to early 2016, after several tape drives containing customers’ financial history were lost by a subcontractor in 2016. The tapes contained customer names, account numbers, addresses, and transaction details.
Angus Sullivan, CBA’s acting group executive for retail banking services, issued a video statement confirming the data breach after BuzzFeed exposed details of the incident yesterday. The bank has also announced that it is unable to confirm the destruction of the two magnetic tapes containing customers’ financial data.
As a damage control exercise, the bank has sent status notifications to customers. Those not affected by the breach received a statement saying “there is no evidence of your information being compromised and you do not need to take any action”.
When the tapes were lost in 2016, CBA informed the Office of the Australian Information Commissioner (OAIC) of the breach. CBA had contracted Fuji Xerox to dismantle one of its data storage centres. This supposedly involved the destruction of backup magnetic tape drives containing the financial data. The bank later realized that it did not have the certification to prove the destruction of the tapes. A subsequent search for the tapes (‘Project Chesapeake’) also failed to locate them. So, the bank simply concluded that the tapes could have been destroyed.
The OAIC is now seeking more assurances from the bank that it has learnt from the massive data breach, and has released a statement in this regard.
In a statement issued to the Australian Stock Exchange (ASX), the bank stated that there was no evidence of suspicious activity involving the 19.80 million accounts. Sullivan assured the bank’s customers that no personal data had been compromised and that no action was required on their part, including changing passwords or PINs.
Commenting on the incident, the Australian Prudential Regulation Authority said that community trust in CBA had been “badly eroded” and the bank had “fallen from grace”.
In February 2018, CBA had blocked cryptocurrency purchases using credit cards.