Commonwealth Bank loses almost 20 million customers’ financial statements

The Bank has been forced to apologise to customers. Source: YouTube/CommBank.

Commonwealth Bank has been forced to apologise to millions of customers, after losing 15 years’ worth of customer statements – and seemingly covering the breach up for two years.

Speaking in a video, the bank admitted it lost backup data containing the historical customer statements, which are believed to affect almost 20 million accounts. However, it immediately rushed to reassure people that no customer information had been compromised, in what has now been described as one of Australia’s biggest financial services privacy breaches.

CBA’s acting group executive for retail banking services, Angus Sullivan, appeared on camera to apologise to millions of viewers for the breach, which happened in May 2016. 

The statement was issued in response to an article by BuzzFeed Australia about the incident, which was published on Wednesday. Essentially, Sullivan acknowledged that the bank is unable to confirm the destruction of two magnetic tapes containing historical customer statements.

“The tapes did not contain PINs, passwords or other data that could enable account fraud,” he insisted. The bank hopes the tapes were destroyed, but as they’re unable to confirm this, they have had to admit they’re missing – with no confirmation of what happened to them.

Having watched closely since, the bank said there is no evidence of information being compromised for the 19.8 million accounts involved. The data on the tapes is said to have included names, addresses, account numbers and transaction details from 2000 to early 2016.

The bank commissioned a “forensic” investigation by KPMG after discovering the incident, and notified the Australian Prudential Regulation Authority and the Australian Privacy Commissioner. The probe found no evidence that customers’ data had been compromised, or accessed by third parties, CBA added.

“We take the protection of customer data very seriously and incidents like this are not acceptable,” Sullivan said. “I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”

Sullivan said that, while this all unfolded two years ago, the bank had decided it was not necessary to alert customers after discussion with the Office of the Australian Information Commissioner (OAIC).

BuzzFeed has since claimed the OAIC is now making further inquiries, following a report by the banking regulator that slammed the bank for its “widespread sense of complacency”.

Are you a CommBank customer? Do you think they should have come clean when it first happened in 2016?
