The Commonwealth Bank of Australia (CBA) has admitted losing bank data and records of almost 20 million customers

The data lost includes names, addresses, account numbers and bank statements. The data was stored on two magnetic tapes which were supposed to be destroyed by sub-contractor Fuji-Xerox last year after the decommissioning of a data centre.

However, the bank has stated that it did not receive evidence that the tapes had actually been destroyed.

In a statement, the bank confirmed: “There was no evidence of customer information being compromised or suspicious activity following an incident in 2016.”

Acting head of retail banking at CBA, Angus Sullivan, stated: “We take the protection of customer data very seriously and incidents like this are not acceptable.

“I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”

Sullivan added that the relevant regulators had been notified in 2016. However, the bank failed to alert customers to the potentially disastrous data breach and only went public after BuzzFeed News broke the story.

The data breach comes at a time when Australian banks are under scrutiny from a banking inquiry. The regulator, APRA, fired multiple criticisms at the bank on Tuesday.

The banking regulator and the Treasurer, Scott Morrison, slammed CBA for “widespread complacency.” Morrison warned that financial executives could face heavy fines and potentially jail sentences.

Some of the key points noted in the statement, referring to the 2016 incident, included:

  • Ongoing monitoring of the 19.8 million customer accounts involved remains in place as a precaution.
  • Customers’ passwords and PINs were not affected by this incident. The bank highlighted that customers affected do not need to change their PINs or passwords.
  • An independent forensic investigation was conducted, and recommendations were made and acted upon to ensure a similar incident would not happen again.

Sullivan concluded: “We discussed this course of action with the OAIC who subsequently advised that it did not intend to take any further action in relation to the matter. We have, however, been contacted by the OAIC this week for additional information about this matter and the actions CBA undertook in 2016.”