CBA staff inadvertently sent e-mails containing the personal account data of 10,000 customers to a domain name not owned by the Australian bank.
The bank said 651 internal e-mails were circulated to cba.com - a domain owned by US cyber-security company - rather than the correct cba.com.au Internet address used by the bank.
The oversight emerged earlier this year and the bank moved to acquire the cba.com domain.
“We want our customers to know that we are committed to being more transparent about data security and privacy matters," says CBA retail banking head Angus Sullivan. “Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge however that customers want to be informed about data security and privacy issues and we have begun contacting affected customers.”
CBA is right to be concerned about transparency following the opprobrium heaped on the bank last month when it finally came clean on a potential data breach involving 19.8 million customer accounts in 2016, after initially failing to notify customers.
The latest incident bears resemblance to a 2012 cock-up by rival bank NAB when data on 60,000 customers was sent to a porn site owner squatting on the nab.com address.