Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers, And Did Not Tell Them About It (buzzfeed.com) 52
The Commonwealth Bank, the largest bank in Australia, has lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia, BuzzFeed News reports. From the report: BuzzFeed News can reveal that the nation's largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016. While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC told BuzzFeed News it was now making further inquiries into the privacy breach, following a damning report into the bank's culture released on Tuesday. Angus Sullivan, Commonwealth Bank's acting group executive of retail banking services told BuzzFeed News in a statement: "We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologise for any concern the incident may cause." "We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred."
Death by platypus venom (Score:1)
Re: (Score:2)
That’s lenient and mercifully quick. I suggest at least a month of daily Irukandji stings first.
So What? (Score:1)
Like you never misplaced your keys.
Don't be so sanctimonious!
Magic auditor handwaving (Score:2, Insightful)
"KPMG's forensic investigation "found the most likely scenario was the tapes were disposed of"."
They couldn't find evidence of any outcome, so they just assumed the most beneficial one. How convenient for *almost* everyone involved.
Let me get this straight (Score:5, Insightful)
One possibility that was canvassed by KPMG is that the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction. Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along this route, but were unable to find any trace of them.
Literally they say it may have fallen off the back of a truck, and here I thought that was only ever hyperbole for theft. Well, I'm glad that irresponsible phase is behind them and their rigorous adherence to data security and unparalleled altruism when it comes to customers will carry them forward.
Re:Let me get this straight (Score:4, Insightful)
Re: (Score:2)
Or the station wagon can crash.
Re: (Score:2)
Tapes are still one of the most economically efficient and reliable mediums available, in 2012 and even in 2018. Obviously the one drawback is they can be easily transported and lost...
This. I've worked with several banks in the UK, and one of the key requirements is a secure offsite and offline backup location. This is usually provided by a secure storage company like Chubb or Iron Mountain. However, backups should have been encrypted first, although with a physical copy, encryption only delays the data being publishable.
However what many non-Australians may not know is that there is currently a government enquiry called a "royal commission" into banks in Australia and this is far from th
Re:Let me get this straight (Score:5, Insightful)
Re: (Score:2)
Indeed, I was about to post something funny about "Everyone's loan is now considered paid in full!" or something.
Re: (Score:1)
That happened in the Great Depression in the US. Many banks went bankrupt and vanished obscurely, and nobody bought the debts in time to keep them alive, so there was no longer an identifiable debtholder who could legally or practically demand further payments.
Re: (Score:2)
Which bank?
Re: (Score:2)
I even tried explaining it [slashdot.org] and no one got the joke!!!
Re: (Score:2)
on tapes (of all things in 2012)
By saying that, all you demonstrate is that the biggest system you're dealing with is your sorry ass home network.
Tape is old, but far from outdated.
Re: (Score:3)
Literally they say it may have fallen off the back of a truck
Or more likely the tapes were destroyed by the contractor as intended and a receipt has gone missing.
"may" is a powerful word.
Interesting wording "breach" (Score:5, Informative)
That is an interesting choice of words leading into the summary. The bank chose not to disclose a "breach". The only thing here which was "breached" was a chain of custody for a data tape. The regulator was informed, and investigations were undertaken which identified the most likely outcome was that the tapes were destroyed which is what was intended for them anyway. Oh and the regulator didn't require customer notification.
The customer can't do anything about this. Largely they should be unaffected by it as well. Unless you're worried someone may find your receipt from "Illegal and Immoral things R Us" along with your name at the top the only other exposure is that this contributes 25 points towards a 100 point identity check. So not even enough information for identity theft.
So... the customer can do nothing. It's not confirmed that the data was mishandled. The regulator was informed and deemed it all okay. And all that really was identified is that a receipt for the destruction was missing.
How would the customer (I have 4 accounts with this bank) benefit in knowing?
Re: (Score:2)
see where I'm going with this?
Re: (Score:2)
For a bit of perspective, the entire Australian banking industry is currently being annihilated in front of a royal commission for shady practices that has among other things caused a CEO of one of the largest banks to resign.
There's no evidence that any information was mishandled. The only evidence they have is a missing destruction receipt. It wasn't just them who decided we didn't need to know, but a regulator and consumer advocating ombudsman also decided that.
We are talking about the equivalent of a he
Re: (Score:2)
As an aside, has the Australian banking cartel stopped airing those weird "Australian banks are owned by Australians?" propaganda pieces on TV over there yet?
I saw one recently and it made me sick to
Re: (Score:2)
At least the NZ Govt has now given the banks an ultimatum of 'Prove it.'
No one trusts those dirty diggers.
Re: (Score:2)
As an aside, has the Australian banking cartel stopped airing those weird "Australian banks are owned by Australians?" propaganda pieces on TV over there yet?
Dunno, don't live there.
Imagine being the sort of whore that would take money to appear in one of those?
I know an actor who does minor things like adverts and being extras in movies. When you get paid fuck all you don't exactly get the luxury of being picky. The Whores of Amsterdam don't do it for shits and giggles. A girl's gotta eat.
Re: (Score:3)
They would know that they should switch to a bank with safer procedures
Sure. And we could all ride unicorns off into the sunset. Banks have the lowest customer satisfaction rates in Australia. Lower than cable companies and telecom companies. Yet they have a really high customer retention rate. People don't even switch banks due to high fees, or service outages; hell, most people don't even competitively check their home loans, literally costing them 10s of thousands of dollars.
What makes you think even a single customer would give a crap that the bank can't prove that a tape ful
Re: (Score:2)
The customer can't do anything about this. Largely they should be unaffected by it as well. Unless you're worried someone may find your receipt from "Illegal and Immoral things R Us" along with your name at the top the only other exposure is that this contributes 25 points towards a 100 point identity check. So not even enough information for identity theft.
And how did you draw that conclusion? Bank statements for a decade were lost. That's a lot of information on any particular person. Were other account numbers in those statements? For example if you paid your credit card bill then the CC number might be exposed or at a minimum the bank that issued the credit card. You've asserted a lot based on a lack of information.
So... the customer can do nothing. It's not confirmed that the data was mishandled. The regulator was informed and deemed it all okay. And all that really was identified is that a receipt for the destruction was missing.
Which is troubling. The data should have been destroyed. In the bank's best case scenario, they were destroyed but someone was lax in confirmin
Re: (Score:2)
And how did you draw that conclusion? Bank statements for a decade were lost. That's a lot of information on any particular person. Were other account numbers in those statements? For example if you paid your credit card bill then the CC number might be exposed or at a minimum the bank that issued the credit card. You've asserted a lot based on a lack of information.
Nope. Bank statements weren't lost. Bank statements sent to be destroyed don't have a receipt for being destroyed despite being on general nondescript tapes in a large collection of other tapes that were destroyed. Credit card numbers? What are you talking about? There's not enough credit card information on a bank statement to financially affect a customer. Maybe in some other countries stuff that is normally sent by unsecured mail has such stupid security practices, but not here. The biggest concerns even
Re: (Score:2)
Nope. Bank statements weren't lost. Bank statements sent to be destroyed don't have a receipt for being destroyed despite being on general nondescript tapes in a large collection of other tapes that were destroyed.
Again your assertion. The bank cannot confirm the tapes were destroyed.
Credit card numbers? What are you talking about? There's not enough credit card information on a bank statement to financially affect a customer. Maybe in some other countries stuff that is normally sent by unsecured mail has such stupid security practices, but not here. The biggest concerns even by the Australian media have pointed out to the fact that you could in theory match a transaction to a person. Nothing more.
Again your assertion. Do you have statements from the bank? Remember these statements go back 10 years and while it is not prudent to list the credit card numbers on a statement these days you cannot say that the bank didn't do that in the past especially with their own cards. On my statement it currently lists the last 4 digits of my CC number. I can assure you at one point, the bank listed the entire CC number as the account number.
You don't understand quite how benign the data on statements are, do you? Here's a hint: They contain: Name, address, your account number, and a list of purchases. In Australia the only thing on that list that isn't routinely shared with anyone who asks is your list of purchases.
So
Copy of email from the bank (Score:5, Informative)
Which Bank exposed 12 million customer records? (Score:2)
Financial Archeology (Score:1)
It is not uncommon for financial records from the pre-internet epoch to disappear. We owned two homes before 1985 and all the bank mortgage records were unavailable by 2001. If you have some special need for long term storage, you may need to DIY.
Wow, this was easy to prevent (Score:1)
1) Encrypt your backups
2) If your backups are being sent off-site for destruction, do a preliminary bulk-erase before they are sent off-site so if they are stolen en route it will be harder to recover the hopefully-encrypted data. "Harder" means a normal tape drive will have a very high error rate reading the data, but someone with forensic tools might be able to recover it.
Time to do "AB" or "ABC" backups? (Score:1)
Maybe it's time to go to "split" backups:
1. First, the data is encrypted.
2. Every other bit/byte/sector goes to tape A, the other bit/byte/sectors go to tape B.
3. Store tape "A" separate from tape "B".
4. When transporting them, transport them separately.
A more redundant version would split the data into 3 groups, every third bit/byte/sector being in group A, B, or C respectively. For redundancy, the backup tapes would be "AB," "BC," and "CA" so that any two backup tapes could be used to recover the dat
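The "ABC" split described in the comment above, as an added example that is not part of the original post. It assumes a byte-level split and that the input is already the ciphertext from step 1; `SAMPLE`, `make_tapes`, `restore` and `bytes_on_tape` are hypothetical names.

```python
# Added illustration of the "ABC" split; not code from the original comment.
# SAMPLE stands in for the already-encrypted backup (step 1) and is constructed.
SAMPLE = bytes((i * 37 + 11) % 256 for i in range(1025))  # length not divisible by 3

GROUPS = "ABC"
TAPE_NAMES = ("AB", "BC", "CA")  # each tape carries two of the three groups


def make_tapes(ciphertext: bytes) -> dict:
    """Byte i goes to group i % 3; each tape stores the two groups in its name."""
    groups = {g: ciphertext[i::3] for i, g in enumerate(GROUPS)}
    return {name: {g: groups[g] for g in name} for name in TAPE_NAMES}


def restore(available: dict) -> bytes:
    """Re-interleave the ciphertext from whichever tapes survived."""
    groups = {}
    for tape in available.values():
        groups.update(tape)
    missing = sorted(set(GROUPS) - set(groups))
    if missing:
        raise ValueError(f"cannot restore, missing group(s): {missing}")
    out = bytearray(sum(len(groups[g]) for g in GROUPS))
    for i, g in enumerate(GROUPS):
        out[i::3] = groups[g]  # put every third byte back in place
    return bytes(out)


def bytes_on_tape(tape: dict) -> int:
    """How much ciphertext a single lost tape hands to whoever finds it."""
    return sum(len(part) for part in tape.values())


if __name__ == "__main__":
    tapes = make_tapes(SAMPLE)
    for keep in (("AB", "BC"), ("BC", "CA"), ("AB", "CA")):
        ok = restore({n: tapes[n] for n in keep}) == SAMPLE
        print(f"restore from {keep}: {'ok' if ok else 'FAILED'}")
    for name in TAPE_NAMES:
        print(f"tape {name} alone holds {bytes_on_tape(tapes[name])} of {len(SAMPLE)} bytes")
```

Any two tapes restore the backup, but each redundant tape on its own still carries about two thirds of the ciphertext, so confidentiality of a single lost tape rests on the encryption in step 1 rather than on the split.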
Re:Time to do "AB" or "ABC" backups? (Score:4, Funny)
As an added benefit, this would almost guarantee that a sysadmin will never be able to restore the tape.
Lost? is a misleading title !!! (Score:3)
The data was sent out for Destruction. I originally thought, based on the title, that they had accidentally Deleted a bunch of data from the system.
But no. They had sent the backup tapes out for Destruction!! And then they lost chain of control, now somebody somewhere has the backup copy of many years' worth of financial records.
So somebody has stolen the backup tapes. Geez. I can't believe they didn't think of this as part of the preparation to ship it. I had to do something similar years ago and we sat down to perform a FMEA-like analysis of things that could go wrong. Our data was on a RAID5 device so we decided to disassemble the drive-shelf and ship the drives in individual boxes and split carriers over several days. This was more than a few years ago and encrypting 2TB of data was not something that would finish in our lifetime. Simply possessing a 2TB "enterprise" RAID5 was costly. Yeah - the old days. Since then we have encrypted USB drives with push-button PINs small enough to fit in our shirt pockets (all the more likely to walk off)
But my point is -- we didn't just drop the thing off at FedEx. We knew what our data was and this wasn't a normal "just ship it" situation.
Bank Statements (Score:2)
So the bank lost 10 years (2004-2014) of bank statements (12/year) for 12 million bank customers, that works out to 1.44 BN lost bank statements. (12/year x 10 years x 12 million accounts = 1.44 BN bank statements)
And...
How long are they expected to retain them? Most record retentions I've heard of limit responsibility to the previous 7 years, which means they likely had a responsibility to retain records back to 2010, meaning they lost about 4 years of records they were supposed to retain. That's bad, but
Re: (Score:2)
meaning they lost about 4 years of records they were supposed to retain.
No they didn't lose a single thing. These were backup copies of tapes sent for destruction. The only thing that was "lost" was the chain of custody as they can't confirm in writing that the tapes were actually destroyed. They likely were, but don't have a receipt for it.
And by "Data Breach" you mean... (Score:3)
Fail to secure a certificate of destruction for decommissioned drives.
The bank never lost the data, it was migrated to the new data storage facility, what happened was a bunch of drives being sent out for destruction may not have actually been destroyed - or may have been destroyed, but the notice was lost, or the notice was sent to the wrong customer, etc.
Bottom line, the bank lost control of 1.44 BN bank statements from 2004 to 2010 - if you walk into the branch, they still have access to a complete history of your bank statements - nothing was "lost".
Re: And by "Data Breach" you mean... (Score:2)
Seriously? Have you ever worked in a data center? Not a room with several servers, but a data center for a large, multi-national organization with 5-10,000 sq feet of raised flooring? Sending tapes out for destruction to a third-party.