
Australia’s Commonwealth Bank Lost Financial Data of 12 Million Accounts

Two magnetic tapes containing transaction details for 12 million accounts that belong to Australia’s Commonwealth Bank are missing. This incident is perhaps the largest data loss in Australia. Curiously, the incident stayed under the radar for two years – until Buzzfeed published a report about it just a few days ago.


How Did the Data Go Missing?

The Commonwealth Bank lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia, Buzzfeed uncovered. The incident happened after a subcontractor lost several tape drives with the financial data in 2016.

While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC told BuzzFeed News it was now making further inquiries into the privacy breach, following a damning report into the bank’s culture released on Tuesday.

Angus Sullivan, Commonwealth Bank’s acting group executive of retail banking services, said in a statement that the bank takes the protection of customer data very seriously and that incidents like this are not acceptable. The bank is also reassuring its customers that no action is required, and apologizing for any concern the incident may have caused.

“We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred,” Sullivan said in the statement.

An investigation was started on May 9, 2016, after the bank didn’t receive any certification about the tapes being destroyed.

Magnetic Tape Data Not Easy to Exploit, Troy Hunt Says

Commonwealth Bank started notifying its customers on Thursday via email. It should be noted that since the potential data breach took place two years ago, Australia’s mandatory breach notification law doesn’t apply. The breach notification law came into effect in February this year, requiring organizations to notify regulators and consumers within 30 days of breaches that are likely to result in serious harm, privacy experts explained.


According to Troy Hunt of the popular Have I Been Pwned service, the fact that the data was on magnetic tapes probably influenced the bank’s decision not to inform its customers.

Magnetic tapes are not the same as a USB stick, Hunt explained, adding that “you’re not just going to chuck it [a tape] into a drive and you’re good to go. It would take someone who knew there was value in this thing and then went out and invested effort to do it [read the data].”

Nonetheless, it is still a security and privacy incident of huge proportions.

Milena Dimitrova
