Commonwealth Bank confirms loss of nearly 20 million customers’ financial statements
The Commonwealth Bank has confirmed it lost the historical financial statements of nearly 20 million accounts but insists its customers’ information has not been compromised.
The statements, containing customers’ names, addresses, account numbers and transaction details from 2000 to 2016, were stored on two magnetic tapes which were lost by sub-contractor Fuji-Xerox last year.
When the bank became aware of the incident, it ordered an independent “forensic” investigation to figure out what had happened and informed the Office of the Australian Information Commissioner (OAIC).
The inquiry, conducted by KPMG, determined the tapes had most likely been disposed of.
Commonwealth Bank’s Angus Sullivan described the incident as “unacceptable” but said the tapes did not contain any passwords or PINs that could compromise customers’ accounts.
“I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause,” he said in a statement.
“The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion.”
As a precaution, the bank said it had been monitoring the 19.8 million accounts involved and had so far found “no evidence of customer harm or suspicious account activity”.
But the bank never alerted its customers to the potentially massive privacy breach and has only gone public after BuzzFeed News broke the story.
Mr Sullivan has defended the bank’s decision, saying it had discussed the matter with the OAIC, which told the bank it did not intend to take any further action.
However, Mr Sullivan said the OAIC contacted the bank this week seeking more information about the possible breach.
The ABC understands the breach happened when Fuji-Xerox was decommissioning a data storage centre where the customer records were being held.
The two magnetic drives were scheduled to be destroyed, but when the company failed to produce the “destruction certificate”, the Commonwealth Bank launched an investigation.
It caps off a bad week for the bank, which was slammed by the regulator, APRA, for a “widespread sense of complacency” and “lack of accountability” that has led to multiple regulatory breaches.