CBA staff sent emails to cba.com domain by mistake

The Commonwealth Bank has secured and blocked a .com domain that was the inadvertent recipient of 651 internal emails over the course of a year.

The bank said in a disclosure today that internal CBA emails were being sent to email addresses ending in cba.com instead of cba.com.au.

An investigation identified 651 such emails that had been sent in error during 2016-17, “which contained data relating to approximately 10,000 customers”.

The bank said its investigators had “confirmed the contents of all 651 internal emails were automatically deleted by the cba.com domain owner’s system, which only collected information on CBA sender and recipient email addresses and the subject of the email”.

“CBA’s investigation confirmed that the emails and any associated data had not been used and were deleted permanently from the cba.com domain owner’s servers,” it said.

The bank said that no customer data had been compromised but that it had started to contact customers whose data was affected.

It took steps to prevent more emails being sent to the wrong domain, firstly by blocking internal emails addressed to the cba.com domain in January 2017.

In April 2017, it made a more permanent fix by buying the cba.com domain.

“Since that time any emails inadvertently addressed to cba.com have been returned as ‘undeliverable’,” the bank said.

The cba.com domain had been originally owned by a US-based financial services company before being bought by a cybersecurity company and then ultimately by the bank.