Commonwealth Bank: Here’s what you should know about the data breach if you’re a customer
The Commonwealth Bank has confirmed it doesn’t know what happened to two magnetic tapes that had been scheduled to be destroyed — and that it’s known about this without telling customers since 2016.
It’s a big deal because those tapes included information from 19.8 million customer accounts from 2000 to 2016.
So, if you were a CBA customer at the time, there’s a good chance you’re affected. Here’s what you need to know.
Why was this data on tapes anyway?
Professor Richard Buckland, an expert in cybercrime at UNSW, said tapes are used in banking because that used to be the best way of storing large amounts of information (back before the cloud) and because they’re still used for keeping physical back-ups of data.
The tapes lost by the Commonwealth Bank were supposed to be destroyed by Fuji-Xerox last year.
But the Commonwealth Bank has been unable to confirm this actually happened.
Does the fact the data was on tapes make it less likely someone could access it?
Professor Buckland says it can be quite hard to access the data on old tapes, though you could probably find the drives required on eBay.
“You’d likely have to go to a fair bit of trouble to work out how to use them … It’s not like leaving a printout in a taxi,” he said.
He says his guess is that the tapes are in a dump somewhere — or, he joked, “a filing cabinet near Canberra”.
“I often see old tapes around, you see them at the second-hand shop or you see them at the dump,” he said.
“I think the chances are that it’s safe. But, that it happened is alarming.”
The Commonwealth Bank says an independent forensic investigation conducted by KPMG determined the most likely scenario was that the tapes had been destroyed.
But Professor Buckland says you really want more assurance than that.
“It’s like getting on a plane and saying, ‘As far as we know, the engine is fine and isn’t going to explode’,” he said.
What sort of data are we talking about?
The Commonwealth Bank says the tapes contained customer names, addresses, account numbers and transaction details.
Should I be worried about this?
Professor Buckland says someone with that data could find out how much you were paid and what you bought, as examples.
Depending on your circumstances, that could be a very bad thing.
“What if it had information about a famous political figure, and it had brothel receipts or something strange like that?” he said.
Dr Jodie Siganto, a partner at data privacy and security consulting firm Ringrose Siganto, says as a CBA customer herself, she’s very concerned.
“I really would not want anyone to have access to my bank statements to find out what I spend money on and how much I spend,” she said.
Dr Siganto says it’s about the embarrassment of someone able to go through your transactions — “all of your habits, basically”.
That leaves the possibility of information being made public or used for blackmail.
Dr Siganto said it’s not so much about the risk of fraudulent activity, because the bank would cover for that.
But could someone use the data to access my account?
Not on its own. But Professor Buckland says the data could be useful for someone trying to impersonate an account holder and steal their money.
“If you knew someone’s account number, that’s a really important piece of information,” he said.
“If you knew my account number, my BSB, my home address and my full name as my bank knew it, that’s a lot of the information you need to impersonate me to the bank.”
But Professor Buckland says banks work really hard on security, and have lots of threat teams and response teams.
“If someone tried to exploit this information at scale, the bank would get onto it,” he said.
“The people would probably get some money, but the bank would spot it and Australian banks have a good track record with refunding.”
What can I do about this data breach?
There’s nothing you can do about the information that’s unaccounted for.
And Professor Buckland says there’s probably nothing you can do yourself to find out if your data was lost, so if you were a Commonwealth Bank customer at the time, you should just act as if you have been affected.
But what you can do is keep a close eye on your bank statements — and Professor Buckland says you should be doing this anyway, because your data is always under threat.
“Your account number is constantly leaking; your address is constantly leaking; you do transactions with people, it leaks things; you give someone a cheque, it has your account number on it,” he said.
The Commonwealth Bank says “ongoing monitoring of accounts by CBA confirms customers do not need to take any action”.
If this happened in 2016, should the Commonwealth Bank have told me before now?
Professor Buckland says it looks like the Commonwealth Bank was given permission by the bank regulator, APRA, not to alert customers to the breach.
But that doesn’t mean that was the right decision.
“I would expect that it would be a decent thing to do to tell people,” Professor Buckland said.
He says he’d also like to think the Commonwealth Bank will eventually tell individuals whether or not they were affected if it is able to work that out.
Dr Siganto says the fact the bank hasn’t tried to narrow down which customers are affected suggests it affects everybody.
“If it was just their business customers, or their home loan customers, or something, I’m sure they would have come out and said that,” she said.
Dr Cassandra Cross from QUT’s School of Justice, whose research focuses on online fraud, says victims of identity theft suffer more if they’re unable to identify how and when their identity was compromised.
She says the Commonwealth Bank shouldn’t have tried to protect its reputation by keeping information from customers.
“By not telling customers of this breach, the CBA has denied the customers the ability to put measures into place to monitor their own credit and financial matters,” she said.
Dr Siganto says the decision not to tell customers sooner was clearly out of line with public expectation.
“It seems to me that people think they should at least have been told, even if it was, ‘Don’t worry’,” she said.
Disclosure: The Commonwealth Bank gives money to Professor Richard Buckland’s university for cybersecurity education.