Two magnetic tapes containing transaction details for 12 million accounts that belong to Australia’s Commonwealth Bank are missing. This incident is perhaps the largest data loss in Australia. Curiously, the incident stayed under the radar for two years – until Buzzfeed published a report about it just a few days ago.
How Did the Data Go Missing?
The Commonwealth Bank lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia, Buzzfeed uncovered. The incident happened after a subcontractor lost several tape drives with the financial data in 2016.
While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC told BuzzFeed News it was now making further inquiries into the privacy breach, following a damning report into the bank’s culture released on Tuesday.
Angus Sullivan, Commonwealth Bank’s acting group executive of retail banking services, said in a statement that the bank takes the protection of customer data very seriously and that incidents like this are not acceptable. The bank is also reassuring its customers that no action is required, and apologizing for any concern the incident may have caused.
“We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred,” Sullivan said in the statement.
An investigation was started on May 9, 2016, after the bank didn’t receive any certification about the tapes being destroyed.
Magnetic Tape Data Not Easy to Exploit, Troy Hunt Says
Commonwealth Bank started notifying its customers on Thursday via email. It should be noted that because the potential data breach took place two years ago, Australia’s mandatory breach notification law doesn’t apply. That law came into effect in February this year and requires organizations to notify regulators and consumers within 30 days of breaches that are likely to result in serious harm, privacy experts explained.
According to Troy Hunt of the popular Have I Been Pwned service, the fact that the data was on magnetic tapes probably influenced the bank’s decision not to inform its consumers.
Magnetic tapes are not the same as a USB stick, Hunt explained, adding that “you’re not just going to chuck it [a tape] into a drive and you’re good to go. It would take someone who knew there was value in this thing and then went out and invested effort to do it [read the data].”
Nonetheless, it is still a security and privacy incident of huge proportions.