Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Australia Businesses Security

Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers, And Did Not Tell Them About It (buzzfeed.com) 52

The Commonwealth Bank, the largest bank in Australia, has lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia, BuzzFeed News reports. From the report: BuzzFeed News can reveal that the nation's largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016. While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC told BuzzFeed News it was now making further inquiries into the privacy breach, following a damning report into the bank's culture released on Tuesday. Angus Sullivan, Commonwealth Bank's acting group executive of retail banking services told BuzzFeed News in a statement: "We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologise for any concern the incident may cause." "We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred."
This discussion has been archived. No new comments can be posted.

Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers, And Did Not Tell Them About It

Comments Filter:
  • by Anonymous Coward
    I suggest the C-level execs go 10 rounds each with an angry roo, and then are injected with platypus venom for the coup de grace.
    • That’s lenient and mercifully quick. I suggest at least a month of daily irukanji stings first.

      • by ixuzus ( 2418046 )
        Australia has better than that to offer. Meet the Gympie-Gympie Tree [odditycentral.com] Brushing against it is described as being like being burned with hot acid and electrocuted at the same time. Animals as large as horses have died within hours after being stung. People have been driven mad by the pain levels which can persist for months or years. A military officer who used a leaf off this bush as toilet paper reportedly immediately shot himself to escape the pain.
  • by Anonymous Coward

    Like you never misplaced your keys.

    Don't be so sanctimonious!

  • by Anonymous Coward

    "KPMG's forensic investigation "found the most likely scenario was the tapes were disposed of"."

    They couldn't find evidence of any outcome, so they just assumed the most beneficial one. How convenient for *almost* everyone involved.

  • by burtosis ( 1124179 ) on Thursday May 03, 2018 @09:11AM (#56546406)
    The entire database of these 12m customers history was stored, unencrypted, on tapes (of all things in 2012), then just lost? I was going to make a snarky comment but rtfa just in case and it didn't disappoint:

    One possibility that was canvassed by KPMG is that the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction. Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along this route, but were unable to find any trace of them.

    Literally they say it may have fallen off the back of a truck, and here I thought that was only ever hyperbole for theft. Well, I'm glad that irresponsible phase is behind them and their rigorous adherence to data security and unparalleled altruism when it comes to customers will carry them forward.

    • by orev ( 71566 ) on Thursday May 03, 2018 @09:21AM (#56546458)
      Tapes are still one of the most economically efficient and reliable mediums available, in 2012 and even in 2018. Obviously the one drawback is they can be easily transported and lost...
      • Or the station wagon can crash.

      • Comment removed based on user account deletion
      • by mjwx ( 966435 )

        Tapes are still one of the most economically efficient and reliable mediums available, in 2012 and even in 2018. Obviously the one drawback is they can be easily transported and lost...

        This, I've worked with several banks in the UK, one of the key requirements is a secure offsite and offline backup location. This is usually provided by a secure storage company like Chubb or Iron Mountain. However backups should have been encrypted first, although with a physical copy, encryption only delays the data being publishable.

        However what many non-Australians may not know is that there is currently a government enquiry called a "royal commission" into banks in Australia and this is far from th

    • by anegg ( 1390659 ) on Thursday May 03, 2018 @09:44AM (#56546570)
      12 million financial histories were not LOST. They were potentially disclosed to unknown person(s). As with other cases involving copies of digital data, language originally developed for a world of unique exemplars fails in the domain of easily replicated elements.
      • Indeed, I was about to post something funny about "Everyone's loan is now considered paid in full!" or something.

      • by Anonymous Coward

        That happened in the Great Depression in the US. Many banks went bankrupt and vanished obscurely, and nobody bought the debts in time to keep them alive, so there was no longer an identifiable debtholder who could legally or practically demand further payments.

    • by quenda ( 644621 )

      Which bank?

    • by fisted ( 2295862 )

      on tapes (of all things in 2012)

      By saying that, all you demonstrate is that the biggest system you're dealing with is your sorry ass home network.

      Tape is old, but far from outdated.

    • Literally they say it may have fallen off the back of a truck

      Or more likely the tapes were destroyed by the contractor as intended and a receipt has gone missing.

      "may" is a powerful word.

  • by thegarbz ( 1787294 ) on Thursday May 03, 2018 @09:19AM (#56546448)

    That is an interesting choice of words leading into the summary. The bank chose not to disclose a "breach". The only thing here which was "breached" was a chain of custody for a data tape. The regulator was informed, and investigations were undertaken which identified the most likely outcome was that the tapes were destroyed which is what was intended for them anyway. Oh and the regulator didn't require customer notification.

    The customer can't do anything about this. Largely they should be unaffected by it as well. Unless you're worried someone may find your receipt from "Illegal and Immoral things R Us" along with your name at the top the only other exposure is that this contributes 25 points towards a 100 point identity check. So not even enough information for identity theft.

    So... the customer can do nothing. It's not confirmed that the data was mishandled. The regulator was informed and deemed it all okay. And all that really was identified is that a receipt for the destruction was missing.

    How would the customer (I have 4 accounts with this bank) benefit in knowing?

    • by jm007 ( 746228 )
      the point is not that you did or did not get damaged *this time*, it's that there was personal/confidential information about you that was mishandled and for some reason, it was decided that you didn't need to know.... by the same folks who did the fuck up to begin with

      see where I'm going with this?
      • For a bit of perspective, the entire Australian banking industry is currently being annihilated in front of a royal commission for shady practices that has among other things caused a CEO of one of the largest banks to resign.

        There's no evidence that any information was mishandled. The only evidence they have is a missing destruction receipt. It wasn't just them who decided we didn't need to know, but a regulator and consumer advocating ombudsman also decided that.

        We are talking about the equivalent of a he

        • The Australian banking cartel owns the New Zealand market also. They are under the gun a bit over here, but are saying things like "we don't need a royal commission in New Zealand because there is no evidence we have done anything wrong", as if any royal commission would not be the one looking for evidence.

          As an aside, has the Australian banking cartel stopped airing those weird "Australian banks are owned by Australians?" propaganda pieces on TV over there yet?

          I saw one recently and it made me sick to

          • At least the NZ Govt has now given the banks an ultimatum of 'Prove it.'
            No one trusts those dirty diggers.

          • As an aside, has the Australian banking cartel stopped airing those weird "Australian banks are owned by Australians?" propaganda pieces on TV over there yet?

            Dunno, don't live there.

            Imagine being the sort of whore that would take money to appear in one of those?

            I know an actor who does minor things like adverts and being extras in movies. When you get paid fuck all you don't exactly get the luxury of being picky. The Whores of Amsterdam don't do it for shits and giggles. A girls gotta eat.

    • The customer can't do anything about this. Largely they should be unaffected by it as well. Unless you're worried someone may find your receipt from "Illegal and Immoral things R Us" along with your name at the top the only other exposure is that this contributes 25 points towards a 100 point identity check. So not even enough information for identity theft.

      And how did you draw that conclusion? Bank statements for a decade were lost. That's a lot of information on any particular person. Were other account numbers in those statements? For example if you paid your credit card bill then the CC number might be exposed or at a minimum the bank that issued the credit card. You've asserted a lot based on a lack of information.

      So... the customer can do nothing. It's not confirmed that the data was mishandled. The regulator was informed and deemed it all okay. And all that really was identified is that a receipt for the destruction was missing.

      Which is troubling. The data should have been destroyed. In the bank's best case scenario, they were destroyed but someone was lax in confirmin

      • And how did you draw that conclusion? Bank statements for a decade were lost. That's a lot of information on any particular person. Were other account numbers in those statements? For example if you paid your credit card bill then the CC number might be exposed or at a minimum the bank that issued the credit card. You've asserted a lot based on a lack of information.

        Nope. Bank statements weren't lost. Bank statements sent to be destroyed don't have a receipt for being destroyed despite being on general nondescript tapes in a large collection of other tapes that were destroyed. Credit card numbers? What are you talking about? There's not enough credit card information on a bank statement to financially affect a customer. Maybe in some other countries stuff that is normally sent by unsecured mail has such stupid security practices, but not here. The biggest concerns even

        • Nope. Bank statements weren't lost. Bank statements sent to be destroyed don't have a receipt for being destroyed despite being on general nondescript tapes in a large collection of other tapes that were destroyed.

          Again your assertion. The bank cannot confirm the tapes were destroyed.

          Credit card numbers? What are you talking about? There's not enough credit card information on a bank statement to financially affect a customer. Maybe in some other countries stuff that is normally sent by unsecured mail has such stupid security practices, but not here. The biggest concerns even by the Australian media have pointed out to the fact that you could in theory match a transaction to a person. Nothing more.

          Again your assertion. Do you have statements from the bank? Remember these statements go back 10 years and while it is not prudent to list the credit card numbers on a statement these days you cannot say that the bank didn't do that in the past especially with their own cards. On my statement it currently lists the last 4 digits of my CC number. I can assure you at one point, the bank listed the entire CC number as the account number.

          You don't understand quite how benign the data on statements are do you. Here's a hint: They contain: Name, address, your account number, and a list of purchases. In Australia the only thing on that list that isn't routinely shared with anyone who asks is your list of purchases.

          So

  • by yobjob ( 942868 ) on Thursday May 03, 2018 @09:20AM (#56546452) Homepage
    This is what the bank in question emailed me today: Dear CommBank Customer, Following recent media reports detailing an incident in May 2016, we want to reassure you there is no evidence of your information being compromised and you do not need to take any action. Here is what you need to know: There is no evidence that any customer information was compromised. In May 2016 we were unable to confirm the scheduled destruction of two magnetic tapes used by a supplier to print bank statements. These tapes contained information including customer names, addresses, account numbers and transaction details. They did not contain passwords or PINs which could enable fraud. We deployed enhanced reporting and ongoing monitoring of customer accounts to ensure customers were protected. These protections are still in place today. This was not cyber-related. CommBank's technology platforms, systems, services, apps and websites were not compromised. CommBank offers you a 100% security guarantee against fraud for all your accounts, where you are not at fault. We cover any loss should someone make an unauthorised transaction. Here is what you can do: Continue using your accounts as you always have. Please remember that CommBank staff will never ask you to divulge your passwords or PINs. We do not send emails with links requesting you to confirm, update or disclose your confidential banking information. If you have questions or would like to discuss, please call us at 1800 316 433. If you would like to find more information you can visit www.commbank.com.au/customerassurance I want to apologise for any concern this incident may have caused. If there is any change in circumstances I will let you know.
  • by Anonymous Coward

    It is not uncommon for financial records from the pre-internet epoch to disappear. We owned two homes before 1985 and all the bank mortgage records were unavailable by 2001. If you have some special need for long term storage, you may need to DIY.

  • 1) Encrypt your backups

    2) If your backups are being sent off-site for destruction, do a preliminary bulk-erase before they are sent off-site so if they are stolen en route it will be harder to recover the hopefully-encrypted data. "Harder" means a normal tape drive will have a very high error rate reading the data, but someone with forensic tools might be able to recover it.

  • Maybe it's time to go to "split" backups:

    1. First, the data is encrypted.
    2. Every other bit/byte/sector goes to tape A, the other bit/byte/sectors go to tape B.
    3. Store tape "A" separate from tape "B".
    4. When transporting them, transport them separately.

    A more redundant version would split the data into 3 groups, every third bit/byte/sector being in group A, B, or C respectively. For redundancy, the backup tapes would be "AB," "BC," and "CA" so that any two backup tapes could be used to recover the dat

  • by ripvlan ( 2609033 ) on Thursday May 03, 2018 @12:22PM (#56547754)

    The data was sent out for Destruction. I originally thought, based on the title, that they had accidentally Deleted a bunch of data from the system.

    But no. They had sent the backup tapes out for Destruction!! And then they lost chain of control, now somebody somewhere has the backup copy of many years worth of financial records.

    So somebody has stolen the backup tapes. Geez. I can't believe they didn't think of this as part of the preparation to ship it. I had to do something similar years ago and we sat down to perform a FMEA-like analysis of things that could go wrong. Our data was on a RAID5 device so we decided to disassemble the drive-shelf and ship the drives in individual boxes and split carriers over several days. This was more than a few years ago and encrypting 2TB of data was not something that would finish in our lifetime. Simply possessing a 2TB "enterprise" RAID5 was costly. Yeah - the old days. Since then we have encrypted USB drives with push-button PINs small enough to fit in our shirt pockets (all the more likely to walk off)

    But my point is -- we didn't just drop the thing off at FedEx. We knew what our data was and this wasn't a normal "just ship it" situation.

  • So the bank lost 10 years (2004-2014) of bank statements (12/year) for 12 million bank customers, that works out to 1.44 BN lost bank statements. (12/year x 10 years x 12 million accounts = 1.44 BN bank statements)

    And...

    How long are they expected to retain them? Most record retentions I've heard of limit responsibility to the previous 7 years, which means they likely had a responsibility to retain records back to 2010, meaning they lost about 4 years of records they were supposed to retain. That's bad, but

    • meaning they lost about 4 years of records they were supposed to retain.

      No they didn't lose a single thing. These were backup copies of tapes sent for destruction. The only thing that was "lost" was the chain of custody as they can't confirm in writing that the tapes were actually destroyed. They likely were, but don't have a receipt for it.

  • by kenh ( 9056 ) on Thursday May 03, 2018 @12:48PM (#56548104) Homepage Journal

    Fail to secure a certificate of destruction for decommissioned drives.

    The bank never lost the data, it was migrated to the new data storage facility, what happened was a bunch of drives being sent out for destruction may not have actually been destroyed - or may have been destroyed, but the notice was lost, or the notice was sent to the wrong customer, etc.

    Bottom line, the bank lost control of 1.44 BN bank statements from 2004 to 2010 - if you walk into the branch, they still have access to a complete history of your bank statements - nothing was "lost".

You know you've landed gear-up when it takes full power to taxi.

Working...