[BreachExchange] Commbank admits data breach: 15 years of customer statements missing

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 3 19:33:01 EDT 2018


The Commonwealth Bank is reportedly facing renewed investigations after
admitting that in 2016 it lost backup data on tape covering more than 15
years of customer statements, affecting almost 20 million accounts.

The CBA's acting group executive for retail banking services, Angus
Sullivan, issued a video statement on YouTube after BuzzFeed Australia
published an article about the incident on Wednesday.

Mr Sullivan assured customers their information had not been compromised
and no action was required.

"The tapes did not contain PINs, passwords or other data that could enable
account fraud," he said.

In a statement the bank said it had confirmed there was no evidence of
suspicious activity involving the 19.8 million accounts affected following
the incident.

CBA says it had been unable to confirm the destruction of two magnetic
tapes containing historical customer statements.

The tapes contained customer names, addresses, account numbers and
transaction details from 2000 to early 2016.

An investigation in 2016, when the incident occurred, determined it was
most likely the tapes had been disposed of and the bank immediately put
mechanisms in place to further protect customers.

"We take the protection of customer data very seriously and incidents like
this are not acceptable," Mr Sullivan said.

"I want to assure our customers that we have taken the steps necessary to
protect their information and we apologise for any concern this incident
may cause."

He added that the relevant regulators were informed in 2016 but that the
bank had decided it was not necessary to alert customers after discussion
with the Office of the Australian Information Commissioner (OAIC).

However, BuzzFeed reports the OAIC is now making further inquiries into the
incident, following a report by the banking regulator that slammed the bank
for its "widespread sense of complacency".

The Australian Prudential Regulation Authority said on Tuesday that
community trust in Australia's banks had been "badly eroded" and CBA had
failed to meet expectations and "fallen from grace".