The Commonwealth Bank has admitted a supplier lost two magnetic tapes in 2016 containing backup data on almost 20 million customers.
The loss, which was first reported by BuzzFeed News, is one of Australia’s largest ever privacy lapses.
The bank said in a statement that the tapes “contained customer names, addresses, account numbers and transaction details from 2000 to early 2016”.
“The tapes did not contain passwords, PINs or other data which could be used to enable account fraud,” it said.
BuzzFeed reported that the tapes were lost by subcontractor Fuji Xerox, which was decommissioning a data storage centre containing the tapes.
The tapes were meant to be destroyed; however, the bank admitted it had been “unable to confirm the scheduled destruction” and ordered a forensic investigation by KPMG.
“KPMG determined the most likely scenario was the tapes had been disposed of,” the bank said; however, BuzzFeed noted that to this day they have still not been found.
CBA said it put in place “monitoring mechanisms” on 19.8 million customer accounts following the incident, and said that it had seen “no evidence of customer harm or suspicious account activity” that it could link to the data loss over the past two years.
“Ongoing monitoring of the 19.8 million customer accounts involved remains in place as a precaution,” it said.
CBA said it notified both the Office of the Australian Information Commissioner and the Australian Prudential Regulation Authority (APRA) of the incident.
However, the bank ultimately decided not to inform its customers about the massive data loss.
“The decision not to notify customers was made in light of the investigation’s findings and the account monitoring in place,” it said.
Acting group executive for retail banking services Angus Sullivan defended the decision not to notify customers.
“We concluded, given the results of the investigation, that we would not alert customers,” he said.
“We discussed this course of action with the OAIC who subsequently advised that it did not intend to take any further action in relation to the matter.
“We have however been contacted by the OAIC this week for additional information about this matter and the actions CBA undertook in 2016.”
The OAIC said in a statement that it had decided to make “further inquiries in relation to this matter” after reading APRA’s report into CBA culture, which was released earlier this week.
The report highlighted systemic issues with the treatment of IT-related risk, as well as IT's lack of voice in executive forums at the bank.
“[We have] sought information from the CBA to satisfy the OAIC that the CBA has taken on board lessons learned from this incident, to ensure the privacy of customer’s personal information is adequately protected,” the office said.
Incidents involving the loss of backup tapes have previously affected large companies overseas, particularly while the tapes were in transit.
Malaysian bank CIMB lost several magnetic tapes containing “customer information” at the end of last year.
In 2005, the Bank of America lost several tape drives as they were moved between facilities, affecting about 1.2 million US federal employees.
The same year, Time Warner lost a container of 40 tapes “containing sensitive data, including the names and social security numbers of about 600,000 people”, while a division of Citigroup also lost tapes affecting some 3.9 million customers.