Commonwealth Bank has admitted it lost historical bank statements belonging to almost 20 million personal accounts in a 2016 incident it chose not to make public.
First reported by Buzzfeed, it’s understood two magnetic tapes that contained customer statements were scheduled for destruction by the bank when they disappeared in May 2016.
The tapes contained customer names, addresses, account numbers and transaction details from 19.8 million accounts spanning 2000 to early 2016. They did not contain passwords, PINs or other data which could be used to enable account fraud, CBA said in a statement on Wednesday night.
“An independent forensic investigation ordered by CBA in 2016 and conducted by KPMG determined the most likely scenario was the tapes had been disposed of. The bank immediately put in place monitoring mechanisms to further protect customers.”
As Fairfax Media understands, CBA believes a person handling the sensitive tapes that were scheduled for destruction instead left them unattended, and did not go through with destroying them.
The alarm was raised when the certificate of destruction was not produced, and a search for the tapes came up empty.
It’s thought the tapes were “most likely” destroyed by someone else who came across them, but that has never been confirmed.
After investigating the incident and concluding the missing tapes were probably destroyed, the bank resolved not to tell its customers about the breach.
CBA says it discussed the decision not to inform customers with the Office of the Australian Information Commissioner, and that OAIC advised it would not pursue the issue further.
But this week, the OAIC contacted CBA again, requesting additional information on the matter and the course of action undertaken by the bank.
Fairfax Media understands that CBA’s monitoring of the data in question over the past two years has not identified any cases in which it has been used.
Acting Group Executive of Retail Banking Services Angus Sullivan said incidents like this are “not acceptable” and that the bank takes protection of customer data seriously.
“I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”
You can read the original Buzzfeed story here.
Customers seeking information from CBA about the data breach should call 1800 316 433.
Business Insider Emails & Alerts
Site highlights each day to your inbox.