Commonwealth Bank of Australia has finally come clean on a potential data breach involving 19.8 million customer accounts in 2016, after initially failing to notify customers of the incident.
The bank's burying of the breach has come into sharp relief in the wake of a damning report by financial regulator APRA into CBA's governance, accountability and culture, and may lead to further questioning by data privacy watchdogs.
CBA's decision to open up on the incident follows an investigation by BuzzFeed, which reported on the loss of unencrypted magnetic tapes during the decommissioning of a data storage centre by Fuji Xerox in 2016. The missing tapes contained customer names, addresses, account numbers and transaction details covering a 16-year period between 2000 and 2016.
The bank kicked the incident into the long grass after notifying regulators and commissioning an independent report by KPMG, which concluded that the tapes had most likely been destroyed in transit. "Most likely" is not confirmation: because the tapes were unencrypted, anyone who did recover them would have been able to read the data without any further effort, and a lack of observed fraud is not the same as proof the tapes were destroyed.
Angus Sullivan, CBA's group executive for retail banking services says that the bank has been monitoring all of the 19.8 million accounts involved in the cock-up over the past two years and has yet to see any evidence of suspicious account activity or customer harm arising from the bungle.
“The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion," he says. “We concluded, given the results of the investigation, that we would not alert customers."
He says the bank discussed its plans with the Office of the Australian Information Commissioner (OAIC), and that the watchdog decided at the time not to take any further action.
However, the re-emergence of the story in the midst of a highly pressurised political environment has reawakened the regulator.
Says Sullivan: "We have...been contacted by the OAIC this week for additional information about this matter and the actions CBA undertook in 2016.”