CBA slapped with a court-enforceable undertaking after loss of data on 20m customers

Follows inquiries by the OAIC into the bank's handling of personal information in relation to two data incidents.
Written by Asha Barbaschow, Contributor

The Office of the Australian Information Commissioner (OAIC) has asked the Commonwealth Bank of Australia (CBA) to "substantially improve" its privacy practices under a court-enforceable undertaking.

The binding commitment follows the OAIC probing two separate incidents on how the yellow bank handled data.

The first incident was the loss of magnetic storage tapes containing historical customer statements for up to 20 million bank customers.

In May 2016, the bank was unable to confirm that two magnetic tapes containing information used to print account statements were securely disposed of following the scheduled destruction by a supplier.

CBA acting group executive of Retail Banking Service, Angus Sullivan, two years later said the tapes did not contain PINs, passwords, or other data that could enable account fraud.

"Most likely the tapes have been disposed of, but without evidence, we immediately launched an investigation and notified the Australian Prudential Regulation Authority and the privacy commissioner," he said in May last year.

See also: Boards of Australian financial firms face tougher infosec rules from 1 July  

The other incident was the inadequate internal access controls to customer data reported to the OAIC in August 2018, Information Commissioner and Privacy Commissioner Angelene Falk said.

"Our inquiries identified deficiencies in CBA's management of personal information, specifically its internal access controls and approach to retention and destruction," she said.

"As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices."

The enforceable undertaking requires CBA to review its privacy policies, procedures, and retention standards, and provide staff training to ensure compliance.

CBA must also assess its IT services and systems to make sure it takes appropriate steps to control access to customers' personal information.

According to the OAIC, the undertaking will be overseen by an independent external reviewer, who will consult with, and report to, the OAIC on the bank's compliance.

The OAIC may take court action at any stage if CBA does not fully comply with the terms of the undertaking, it explained.

The enforceable undertaking is part of the OAIC's work in regulating data handling practices in the financial services sector, including compliance with the Notifiable Data Breaches scheme.

Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia

For the first half of the 2019 financial year, CBA posted AU$4.6 billion in statutory net profit, down AU$300 million from the bank's H1 2018 AU$4.9 billion profit.

CBA reported AU$12.4 billion operating income, while IT services expenditure increased by AU$89 million to AU$904 million year on year.


Editorial standards