Commonwealth Bank lost data on nearly 20m customers

The bank didn't alert customers, as the tapes containing the data were 'most likely' disposed of, rather than lost.
Written by Asha Barbaschow, Contributor

The Commonwealth Bank of Australia (CBA) is unsure of where data on millions of customers has gone, after it was revealed that magnetic tapes comprising information used to print account statements may not have been properly disposed of.

Following a report from BuzzFeed News, CBA published a video explaining the issue potentially affecting 19.8 million customers.

"Firstly, I want to reassure you that there is no evidence that any customer records have been compromised," CBA acting group executive of Retail Banking Service Angus Sullivan said in the video.

Sullivan explained that in May 2016, the bank was unable to confirm that two magnetic tapes containing information used to print account statements were securely disposed of following the scheduled destruction by a supplier.

He affirmed the tapes did not contain PINs, passwords, or other data that could enable account fraud.

"Most likely the tapes have been disposed of, but without evidence, we immediately launched an investigation and notified the Australian Prudential Regulation Authority and the privacy commissioner," he continued.

"We consulted with the privacy commissioner at the time and the decision was made not to alert customers given the outcome of our investigation which found the tapes were most likely disposed of.

"In these cases, we balance the need to alert customers without unnecessarily alarming them."

The bank said a forensic investigation conducted by KPMG in 2016 determined the "most likely scenario" was that the tapes had been disposed of. The bank, however, immediately put in place monitoring mechanisms to further protect customers, it said.

It also said the incident did not result in the compromise of CBA's technology platforms, systems, services, apps, or websites.

The Australian Prudential Regulation Authority (APRA) on Monday published its report [PDF] into CBA, which kicked off following a "number of incidents" in recent years that damaged the bank's reputation.

"In brief, the panel has identified a number of shortcomings in CBA's governance, culture, and accountability frameworks, particularly in dealing with non-financial risks, and has made a series of recommendations designed to strengthen these frameworks," it wrote.

CBA is also facing the Australian Transaction Reports and Analysis Centre (Austrac), which initiated civil penalty proceedings in August alleging that the bank had "serious and systemic non-compliance" with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.

Austrac detailed 53,700 alleged breaches of the Act, which included failing to hand Austrac 53,506 threshold transaction reports (TTRs) for cash transactions over AU$10,000 made through intelligent deposit machines (IDMs) for almost three years between November 2012 and September 2015.

The bank in December admitted that disparate datasets contributed to a contravention of the Act.

CBA faces a maximum penalty of AU$18 million for each of the contraventions if found guilty; however, the bank in February said it has provided for a civil penalty of AU$375 million.

"The group believes this to be a reliable estimate of the level of penalty that a court may impose," the bank wrote in its half-year results as it posted almost AU$5 billion in after-tax profit. "This takes into account currently available information, including legal advice received by the group in relation to Austrac's claims."

The write-down is included in the bank's H1 profit.

"We recognise, and regret, that these costs arise from our failure to meet some standards that we should have. We will continue to work hard to do better," former CEO Ian Narev said at the time.

Retail banking services group executive Matt Comyn moved into the CEO role in April.

"As incoming CEO, I am focused on building an executive leadership team that will work to exceed the expectations of our customers, the community, and regulators; rebuild the trust and pride in our bank; and enhance the financial wellbeing of every customer we serve," Comyn said previously.

