After a BuzzFeed News exposé revealed that the Commonwealth Bank had lost data on some 12 million customers (in nearly 20 million accounts) in May 2016, the Australian financial giant has published a statement in its defense.
The data took the form of bank statements covering the years 2000-2016 and was stored on two magnetic tapes that were to be destroyed by a third-party contractor, Fuji-Xerox.
There was no official documentation on the destruction of these tapes and, as such, their whereabouts are not yet known.
While the Commonwealth Bank states that these bank statements did not contain any customer passwords or PINs, they do contain names, addresses, account numbers and transaction details.
Okay, however …
CBA has released a statement to its customers by email addressing the situation and assuring them that "there is no evidence that the clients' information is compromised" and that "customers do not need to take any action".
Immediately after the incident in 2016 an independent forensic investigation was initiated, and it concluded that the tapes were "most likely" removed.
The affected accounts were also placed under heightened monitoring, which allegedly showed no signs of malicious activity over the last two years.
CBA notified the appropriate regulators of the possible breach and kept them up to date with the ongoing investigation, but chose not to inform its customers "in light of the results of investigations and the account supervision in place."
… isn't it?
In a conversation with ABC News' AM radio show, the head of CBA's retail banking, Angus Sullivan, said that "when incidents like these are shared more broadly, they create risks in themselves."
While there may be some truth in this, recent legislation means that Australian companies must report a data breach to both regulators and affected individuals if those individuals are deemed at risk.
While CBA notified the regulators (in this case, the Office of the Australian Information Commissioner and the Australian Prudential Regulation Authority), it decided not to disclose the breach to customers, as they were considered "protected".
Although continuous monitoring can protect against fraud or theft directed at CBA accounts, are customers not entitled to know when the names, addresses and detailed finances of 12 million people have gone missing?