Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers, And Did Not Tell Them About It (buzzfeed.com)
The Commonwealth Bank, the largest bank in Australia, has lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia, BuzzFeed News reports. From the report: BuzzFeed News can reveal that the nation's largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016. While the bank initially notified the Office of the Australian Information Commissioner (OAIC) of the breach shortly after it became aware of it in 2016, a spokesperson for the OAIC told BuzzFeed News it was now making further inquiries into the privacy breach, following a damning report into the bank's culture released on Tuesday. Angus Sullivan, Commonwealth Bank's acting group executive of retail banking services, told BuzzFeed News in a statement: "We take the protection of customer data very seriously and incidents like this are not acceptable. We want to assure our customers that no action is required and we apologise for any concern the incident may cause." "We undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred."
One possibility that was canvassed by KPMG is that the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction. Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along this route, but were unable to find any trace of them.
Literally they say it may have fallen off the back of a truck, and here I thought that was only ever hyperbole for theft. Well, I'm glad that irresponsible phase is behind them and their rigorous adherence to data security and unparalleled altruism when it comes to customers will carry them forward.
Indeed, I was about to post something funny about "Everyone's loan is now considered paid in full!" or something.
That is an interesting choice of words leading into the summary. The bank chose not to disclose a "breach". The only thing here which was "breached" was a chain of custody for a data tape. The regulator was informed, and investigations were undertaken which identified the most likely outcome was that the tapes were destroyed which is what was intended for them anyway. Oh and the regulator didn't require customer notification.
The customer can't do anything about this. Largely they should be unaffected by it as well. Unless you're worried someone may find your receipt from "Illegal and Immoral things R Us" along with your name at the top, the only other exposure is that this contributes 25 points towards a 100 point identity check. So not even enough information for identity theft.
So... the customer can do nothing. It's not confirmed that the data was mishandled. The regulator was informed and deemed it all okay. And all that really was identified is that a receipt for the destruction was missing.
How would the customer (I have 4 accounts with this bank) benefit in knowing?
And how did you draw that conclusion? Bank statements for a decade were lost. That's a lot of information on any particular person. Were other account numbers in those statements? For example if you paid your credit card bill then the CC number might be exposed or at a minimum the bank that issued the credit card. You've asserted a lot based on a lack of information.
Which is troubling. The data should have been destroyed. In the bank's best case scenario, they were destroyed but someone was lax in confirmin
1) Encrypt your backups
2) If your backups are being sent off-site for destruction, do a preliminary bulk-erase before they are sent off-site so if they are stolen en route it will be harder to recover the hopefully-encrypted data. "Harder" means a normal tape drive will have a very high error rate reading the data, but someone with forensic tools might be able to recover it.
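Putting the first point into code, as an added example that is not from this thread or the bank: the tape image is sealed with AES-256-GCM before it is handed to the courier, so a cartridge lost in transit is unreadable without the key that never leaves the site, and the custody manifest records the tape label plus the hash of the sealed image so a destruction receipt can be matched to one specific tape rather than "some tapes". The key, label and statement data are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// newGCM returns AES-256-GCM for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealBackup encrypts a tape image before it leaves the site (nonce || ciphertext || tag); the label is bound as associated data, so a relabelled image will not open.
func SealBackup(key []byte, tapeLabel string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tapeLabel)), nil
}
// OpenBackup reverses SealBackup; a wrong key, wrong label, altered byte or truncated image is rejected.
func OpenBackup(key []byte, tapeLabel string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated image: %v", err)
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(tapeLabel))
}
// ManifestEntry is the custody record shipped with the tape and quoted back on the destruction receipt: label plus SHA-256 of the sealed image, never the key.
func ManifestEntry(tapeLabel string, sealed []byte) string {
	sum := sha256.Sum256(sealed)
	return tapeLabel + " sha256=" + hex.EncodeToString(sum[:])
}

func main() {
	key := []byte("constructed-32-byte-demo-key!!!!") // constructed; a real key stays in an on-site KMS/HSM
	sealed, _ := SealBackup(key, "TAPE-0001", []byte("constructed statement data"))
	fmt.Println(ManifestEntry("TAPE-0001", sealed))
}
```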