Australia’s largest bank fell victim to a massive financial services privacy breach in 2016 but never bothered to alert affected customers.
According to BuzzFeed, the Commonwealth Bank lost the digital banking statements of 12 million customers in 2016. As the story goes, subcontractor Fuji Xerox was tasked with decommissioning a data storage center where some Commonwealth Bank customer data was stored.
Magnetic tape backups containing customer data from 2004 to 2014 were to be sent off for destruction, but when the bank never received a “destruction certificate,” an investigation was launched and regulators were alerted. Commonwealth Bank even hired a forensic team from accounting firm KPMG to help conduct a search, but the missing tapes were never found.
One possible theory floated by KPMG is that the driver who transported the tapes to be destroyed didn’t properly secure them on the truck and that they simply fell off during transit. After retracing the truck’s route, however, the tapes still weren’t located.
The forensic team apparently determined that the tapes had likely been disposed of but with no evidence to support that view, it’s anyone’s guess as to what really happened.
While the bank reportedly considered alerting customers, BuzzFeed understands that it ultimately decided against doing so as the risk of the data being discovered and utilized was low. The data wasn’t encrypted on the drives but given the age of the tapes and the file type the information was stored in, it would have been difficult to access.
Angus Sullivan, Commonwealth Bank’s acting group executive of retail banking services, told BuzzFeed that there is no evidence of the customer records being compromised or any suspicious activity following the incident. As such, no action is required by the impacted customers.