The Commonwealth Bank of Australia (CBA) has lost the records for almost 20 million accounts and failed to inform its customers, the bank confirmed today.
The CBA this morning released a YouTube video explaining that the records went missing after a subcontractor lost two magnetic tape drives containing the data in 2016.
The announcement came after BuzzFeed News broke the story yesterday. BuzzFeed reported that the lost tapes contained the personal financial histories of 12 million customers – roughly half of Australia’s population.
The Australian Prime Minister Malcolm Turnbull told reporters:
This is an extraordinary blunder.
It is hard to imagine how so much data could be lost in this way. If that had happened today, the bank would have to advise each of their customers.
In CBA’s video statement – titled “Customer information incident” – the acting head of retail banking services, Angus Sullivan, explained that the tapes contained information needed to print customer account statements.
This data included 15 years' worth of customer names, addresses and account numbers for 19.8 million accounts. Sullivan said that customers' passwords and PINs were not affected and that customers didn't need to take any action.
Explaining the decision by the bank not to tell customers about the incident, Sullivan said:
We consulted with the privacy commissioner at the time and a decision was made not to alert customers, given the outcome of our investigation, which found the tapes were most likely disposed of.
In these cases we balance the need to alert customers without unnecessarily alarming them.
CBA says that it informed the Office of the Australian Information Commissioner and the Australian Prudential Regulation Authority (APRA) at the time of the incident.
It also launched an independent forensic investigation, which concluded that no customer data was compromised, and made recommendations to avoid a similar incident occurring.
Sullivan said:
We take the protection of customer data very seriously and incidents like this are not acceptable.
I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.
This incident is not likely to improve public perceptions of CBA. In the last two months, the bank has appeared before a major government-backed inquiry into banking misconduct, and has faced accusations of money laundering and of charging fees to dead clients.
APRA also widely criticised CBA in a report released earlier this week.
The regulator said there was a “widespread sense of complacency” and “lack of accountability” at CBA, and that the bank’s “continued financial success dulled the senses of the institution”.
APRA alleges that CBA broke anti-money laundering and counter-terrorism financing laws on almost 54,000 occasions.
Scott Morrison, Australia’s treasurer, said that the APRA report was damning but necessary, and that it should be “required reading” for every bank in Australia.
CBA’s CEO Ian Narev left his post earlier this year, and Morrison suggested that more senior officials would leave the bank.
Morrison told reporters:
[The report] found there was a complacent culture, dismissive of regulators, an ineffective board that lacked zeal and failed to provide oversight, a lack of accountability and ownership of key risks by senior executives, a remuneration framework that had no bite and they were reactive, slow and had under-resourced systems and processes internally.