Breach Notification , Data Loss Prevention (DLP) , Governance & Risk Management
Australian Bank Lost Data for 19.8 Million AccountsCommonwealth Bank Claims Risks From Loss of Two Magnetic Tapes Are Low
Australia's Commonwealth Bank has confirmed that two magnetic tapes containing transaction information for 19.8 million accounts went missing two years ago after being mishandled by a subcontractor.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The incident likely ranks as one of the largest losses of data to become public in Australia, which has a population of about 26 million people.
The data gaff stayed under wraps for two years until Buzzfeed published a report on Thursday. The tapes were supposed to be destroyed by Fuji Xerox, a contractor that offers data destruction services, it reported. Fuji Xerox officials could not be immediately reached for comment.
"In these cases, we balance the need to alert customers without unnecessarily alarming them."
—Angus Sullivan, Commonwealth Bank
The bank says it launched an investigation on May 9, 2016, after it didn't receive certification that the tapes were destroyed. Executives opted to not inform customers after the investigation suggested that the tapes had likely been destroyed, says Angus Sullivan, Commonwealth's acting group executive for retail banking services.
"In these cases, we balance the need to alert customers without unnecessarily alarming them," Sullivan says in a video.
However, Commonwealth began sending emails to customers on Thursday, notifying them of the incident.
Because the potential breach occurred two years ago, Australia's mandatory breach notification law doesn't apply. The law, which came into effect in February, requires organizations to notify regulators and consumers within 30 days of breaches that have a likelihood of resulting in "serious harm" (see Australia Enacts Mandatory Breach Notification Law).
Troy Hunt, an Australian data breach expert who runs the Have I Been Pwned data breach notification website, says the fact that the data was on magnetic tapes likely influenced the bank's decision to not notify consumers.
The incident is "not the same as a USB stick, let's be fair," Hunt says. "You're not just going to chuck it [a tape] into a drive and you're good to go. It would take someone who knew there was value in this thing and then went out and invested effort to do it [read the data]."
Commonwealth Bank says it notified the Office of the Australian Information Commissioner, the country's data protection regulator, on May 20, 2016. At the time, the OAIC indicated it would take not action. The bank also notified the Australian Prudential Regulation Authority.
On Thursday, the OAIC says it has made "further inquiries" in the matter "to satisfy the OAIC that the CBA has taken on board lessons learned from this incident" and "to ensure the privacy of customer's personal information is adequately protected."
So far, Commonwealth says there's no evidence that the information has been misused. It is continuing to monitor the affected accounts for suspicious activity.
The tapes contained customer names, addresses, account numbers and transaction details, but not passwords or PINs "that could be used to enable account fraud," according to a statement from the bank. The transaction data on the tapes range from 2000 through early 2016.
Commonwealth also hired KPMG to conduct an independent investigation. KPMG determined that "the most likely scenario was the tapes had been disposed," the bank says.
Hunt says there's a reasonable expectation for organizations that know data has fallen into the wrong hands to notify consumers.
With Commonwealth, Hunt says he can appreciate the evidence-based decision the bank made with the tapes, particularly since the OAIC left it to the bank to make the call on whether to notify.
"I think we have to appreciate there's business impacts on disclosure," Hunt says. "That's not to say they shouldn't disclose when necessary, it's just saying, if it was not necessary, I could very well them understand not disclosing."
Buzzfeed reports the data on the tapes was not encrypted. Hunt says that's a bit alarming, but not surprising, because some banking systems may be old. Another question is why Commonwealth did not delete the information on the tapes before sending them off for destruction.
"Saying that we're going to put all this stuff unencrypted on a moving vehicle and ship it from one location to another and hoping nothing goes wrong along the way I think, to be honest, is problematic," Hunt says.
Commonwealth's disclosure couldn't come at a worse time for the bank or broadly, the banking industry. In December, Australia launched a Royal Commission into misconduct in financial services.
The commission's findings, which have included overcharging and misleading customers, has resulted in the resignations of high-level executives at another large bank, AMP.
In mid-April, the commission heard that Commonwealth Bank had continued to charge deceased customers for financial services' advice. In one egregious example, one former client had continued to be charged for service 10 years after his death, the BBC reported.