CBA sent over 650 emails holding data on 10k customers in error

The bank has admitted discovering an issue with emails going to incorrect addresses.
Written by Asha Barbaschow, Contributor

The Commonwealth Bank of Australia (CBA) has once again found itself in the spotlight for the potential mishandling of customer information, admitting it had sent over 650 incorrectly addressed internal emails.

The bank said on Friday it had completed an investigation that was initiated after a concern was raised about internal CBA emails being inadvertently sent to email addresses on the cba.com domain, before the bank took ownership of that domain in April 2017.

Its usual email domain is cba.com.au.

According to the bank, the cba.com domain name was first used by US-based financial services firm Cheslock Bakker & Associates up until the 2016-17 period, after which it was used by a US cybersecurity firm.

CBA found that 651 internal emails sent during 2016-17, which contained data relating to approximately 10,000 customers, were received by the then user of the cba.com domain.

"An extensive and detailed investigation by CBA confirmed the contents of all 651 internal emails were automatically deleted by the cba.com domain owner's system, which only collected information on CBA sender and recipient email addresses and the subject of the email," the bank wrote in a statement on Friday.

The bank claims its investigation found that the emails and any associated data had not been used and were permanently deleted from the domain owner's servers.

"We want our customers to know that we are committed to being more transparent about data security and privacy matters," CBA acting group executive Retail Banking Services Angus Sullivan said.

"Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge however that customers want to be informed about data security and privacy issues and we have begun contacting affected customers."

The bank said that from January last year it has been blocking internal emails addressed to the cba.com domain name.

Since CBA acquired ownership of the cba.com domain name, any emails inadvertently addressed to cba.com have been returned as "undeliverable", it said.
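The control described above, rejecting internal mail addressed to a domain that is a near-miss of the organisation's real domain, can be implemented as an outbound recipient check. The following is an added example and is not CBA's or NAB's own tooling; the domains example.com.au, example.com and exampl.com.au are assumed placeholders standing in for the cba.com.au / cba.com pattern in the article, and the sample recipient list is constructed.

```python
"""Outbound recipient check for look-alike domains (added example).

Two misdirection patterns are covered:
  * a domain on an explicit blocklist of known typos (exampl.com.au), and
  * a domain that is the organisation's domain with its trailing labels
    dropped (example.com for example.com.au), the pattern behind the
    cba.com / cba.com.au and nab.com / nab.com.au incidents.
"""
from __future__ import annotations

from email.utils import parseaddr
from typing import Iterable

INTERNAL_DOMAINS = {"example.com.au"}     # assumed organisation domain
BLOCKED_LOOKALIKES = {"exampl.com.au"}    # assumed known typo domain


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain of an RFC 5322 address ('' if absent).

    Display names ("Alice <alice@...>") are stripped by parseaddr; a
    trailing dot on the domain is normalised away.
    """
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_recipient(address: str) -> tuple[str, str]:
    """Classify one recipient as 'internal', 'external' or 'blocked'.

    Returns (verdict, reason) so the reason can be logged or shown to the
    sender in the bounce message.
    """
    domain = recipient_domain(address)
    if not domain:
        return "blocked", "address has no domain part"
    if domain in INTERNAL_DOMAINS:
        return "internal", "organisation domain"
    if domain in BLOCKED_LOOKALIKES:
        return "blocked", f"{domain} is a listed look-alike of an internal domain"

    labels = domain.split(".")
    for internal in INTERNAL_DOMAINS:
        ilabels = internal.split(".")
        # Truncated form: at least two labels, shorter than the internal
        # domain, and equal to its leading labels (example.com vs example.com.au).
        if 2 <= len(labels) < len(ilabels) and ilabels[: len(labels)] == labels:
            return "blocked", f"{domain} is a truncated form of {internal}"

    return "external", "not an organisation domain"


def filter_recipients(recipients: Iterable[str]) -> dict[str, list[str]]:
    """Bucket a recipient list by verdict; 'blocked' entries must be bounced."""
    buckets: dict[str, list[str]] = {"internal": [], "external": [], "blocked": []}
    for recipient in recipients:
        verdict, _ = check_recipient(recipient)
        buckets[verdict].append(recipient)
    return buckets


# Constructed sample recipients for an outbound internal message.
SAMPLE_RECIPIENTS = [
    "Alice Smith <alice@example.com.au>",  # genuine internal recipient
    "bob@EXAMPLE.COM",                     # dropped the .au suffix
    "carol@example.com.au.",               # trailing dot, still internal
    "dave@partner.example",                # ordinary external recipient
    "not-an-address",                      # malformed, no domain
]

if __name__ == "__main__":
    for recipient in SAMPLE_RECIPIENTS:
        verdict, reason = check_recipient(recipient)
        print(f"{verdict:9} {recipient:40} {reason}")
```

The truncation rule generalises the single cba.com case in the article to any internal domain: it catches a recipient domain that equals the organisation's domain with one or more trailing labels removed, without needing every such variant listed in advance. Domains that are longer than, or merely similar to, the internal domain are not caught by it and belong on the explicit blocklist.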

During the dates highlighted by CBA, fellow big four member the National Australia Bank (NAB) came clean on a similar incident, admitting it had sent the details of approximately 60,000 customers to an email address on nab.com rather than on the nab.com.au domain.

The email contained each customer's name, address, email address, branch and account number, as well as an NAB identification number for some customers.

This is the second data concern the Commonwealth Bank has dealt with this year; it recently said it was unsure where data on millions of customers had gone, after it was revealed that magnetic tapes containing information used to print account statements may not have been properly disposed of.

In May 2016, the bank was unable to confirm that two magnetic tapes containing information used to print account statements were securely disposed of following the scheduled destruction by a supplier.

