Commonwealth Bank of Australia has lost track of some 20 million customer statements scheduled for destruction two years ago — records that contain personal details but no passwords or PINs.
The records were stored on two magnetic tapes used to print bank records, the financial institution said this week when announcing the incident. Those tapes were supposed to be destroyed in May 2016. The decision to reveal the loss of the data came after the Office of the Australian Information Commissioner, which focuses on data protection, decided it needed more information about the apparent loss of those records, according to a report in The Sydney Morning Herald.
“There is no evidence any customer records have been compromised,” said Angus Sullivan, Commonwealth’s acting group executive of retail banking services, in a video message on the bank’s website. “Most likely, the tapes have been disposed of. But without the evidence, we immediately launched an investigation.”
Sullivan said Commonwealth contacted its regulators. The investigation revealed that the tapes held no data that could enable account fraud, only information such as customer names, addresses, account numbers and transaction details. The investigation, for which the bank hired KPMG, also found no sign of any cyber breaches or that anyone had broken into the financial institution’s technology platforms, systems, services, apps or website.
The bank began what it called “enhanced reporting and ongoing monitoring of customer accounts to ensure customers were protected. These protections are still in place today.” According to The Sydney Morning Herald, the bank “believes a person handling the sensitive tapes that were scheduled for destruction instead left them unattended,” but the bank has not publicly confirmed that.
Commonwealth this week stood by its decision to keep quiet about the incident. “The decision was made not to alert customers, given the outcome of our investigation, which found that the tapes were most likely (destroyed),” Sullivan said. “In these cases, we balance the need to alert customers without unnecessarily alarming them.”