Australia's Largest Bank Lost The Personal Financial Histories Of 12m Customers

The Commonwealth Bank lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia.

It has been revealed that the nation’s largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016.

While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC said it was now making further inquiries into the privacy breach, following a damning report into the bank's culture released recently.

Angus Sullivan, Commonwealth Bank’s acting group executive of retail banking services said in a statement: “We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologise for any concern the incident may cause."

“We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred."

Personal banking statements contain potentially sensitive personal information, and can paint a detailed portrait of the financial and personal affairs of a person. They could be misused by organised crime groups if they fell into the wrong hands, or exploited by commercial companies for illegitimate or unethical purposes.

Sullivan said in his statement the information disclosed in the breach did not contain anything that could directly compromise accounts, such as passwords or PIN numbers.

The revelation of the breach has come at a time when Australia’s financial industry is under unprecedented scrutiny during the financial services royal commission, and a global debate about privacy triggered by Facebook’s handling of user information.

BuzzFeed News has learned the breach occurred in 2016 when the bank’s subcontractor Fuji Xerox was decommissioning a data storage centre where some Commonwealth Bank customer data was stored.

Backup magnetic tape drives of financial statements were believed to have been sent to be destroyed. But when a "destruction certificate" for the data wasn't found on 9 May 2016, the Commonwealth Bank initiated an investigation to find out what happened to the data.

The bank notified the OAIC, which regulates privacy in Australia, on 20 May 2016 and told the regulator what had occurred.

The bank then undertook significant steps to attempt to retrieve the information. BuzzFeed News understands that after the breach was discovered, the company spent a number of weeks formulating a range of potential responses. It formed a remediation task force from within the bank’s ranks and called the team “Project Chesapeake".

The details of the breach were known to around 150 people in the organisation, including members of the senior executive team, data managers, risk specialists, and in-house and external legal services. The bank hired a forensic team from accounting firm KPMG to conduct an exhaustive search to locate the missing tape drives, but they were never recovered.

One possibility that was canvassed by KPMG is that the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction. Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along this route, but were unable to find any trace of them.

Sullivan also said that KPMG's forensic investigation "found the most likely scenario was the tapes were disposed of". The customer data has never been recovered.

BuzzFeed News says the magnetic tape drives were also not encrypted. But the information on the drives was difficult to access due to the age of the magnetic drives and the file type the information was stored in. While the bank considered alerting customers, BuzzFeed News understands it ultimately determined that the risk of the data being discovered and misused was low.

The Commonwealth Bank initially notified the OAIC and the Australian Prudential Regulation Authority (APRA) on 20 May 2016. It later met with the OAIC on 7 June 2016, and provided the OAIC with a further follow-up report into the breach on 20 October 2016 once KPMG's report was complete. The OAIC replied several days later informing the bank that no further action would be taken. The bank also briefed APRA about the incident on 7 December 2016.

The bank ultimately made the decision not to notify customers, in a move that may come under scrutiny in a climate where Australians are increasingly demanding more transparency and oversight over the way large corporations handle customers' personal information.

Sullivan said in his statement: “We concluded, given the results of the investigation, that we would not alert customers. We advised the OAIC who subsequently advised us that it did not intend to take any further action in relation to the matter."

He added: “We can confirm there was no evidence of customer records being compromised or suspicious activity following an incident in 2016. Ongoing monitoring of accounts by CBA confirms customers do not need to take any action."

The Commonwealth Bank’s former CEO Ian Narev, who was in charge when the breach occurred, resigned in August 2017.

The current CEO Matt Comyn assumed the role in April 2018. In a statement released by Comyn in January 2018 he said that “the last six months in particular have been very challenging and I am committed to working with the board, the executive team and our wonderful people to rebuild trust in the Commonwealth Bank together”.

Under Australia’s privacy laws organisations have an obligation to take reasonable steps to protect personal information they hold from “misuse, interference and loss”.

Had the breach occurred after March this year, it is possible the bank would have been required under law to disclose the breach to customers. New mandatory data breach notification laws came into force in Australia this year that require companies to reveal data breaches to affected individuals and to the OAIC where the breach is “likely to result in serious harm".

A spokesperson for the OAIC said in a statement: "The Office of the Australian Information Commissioner was notified of this incident by the CBA in 2016 and based on the information provided by the CBA at the time, decided that no further regulatory action would be taken, in accordance with the OAIC’s Regulatory Action Policy.

"Having regard to the findings in the report by APRA into the CBA released yesterday, the OAIC today made further inquiries in relation to this matter and has sought information from the CBA to satisfy the OAIC that the CBA has taken on board lessons learned from this incident, to ensure the privacy of customers' personal information is adequately protected."

Fuji Xerox declined to comment on its role in the breach. APRA also declined to comment, citing the strict secrecy provisions that set out how it handles matters that are brought to its attention.

The bank is already facing intense scrutiny in public hearings convened by the royal commission. Earlier in April at a hearing an internal document from the bank revealed that Commonwealth Bank financial advisers had been charging dead clients for financial services for up to a decade.

This week APRA released its report into the culture inside the Commonwealth Bank. It found the bank had "fallen from grace" and had been reactive in dealing with risks.

The report found the bank had "inadequate oversight and challenge by the Board and its gatekeeper committees of emerging non-financial risk" and "weaknesses in how issues, incidents and risks were identified and escalated through the institution and a lack of urgency in their subsequent management and resolution".

APRA accepted a series of enforceable undertakings from the Commonwealth Bank to improve its internal culture. On Tuesday 2nd May, the bank's CEO Matt Comyn agreed to implement all APRA's recommendations. He said in a statement:

"We will establish a higher level of accountability and consequence for our actions and the impact we have on customers."

Buzzfeed


