Commonwealth Bank of Australia Suffers Massive Data Breach
The Commonwealth Bank of Australia has reportedly suffered a massive data breach, which has allegedly compromised the personal data of millions of customers.
BuzzFeed News has published a report detailing the breach. The report says: “The Commonwealth Bank lost the personal financial histories of 12 million customers, and chose not to reveal the breach to consumers, in one of the largest financial services privacy breaches ever to occur in Australia.”
The report further says: “BuzzFeed News can reveal that the nation’s largest bank lost the banking statements for customers from 2004 to 2014 after a subcontractor lost several tape drives containing the financial information in 2016.”
The media report reportedly forced CBA’s Acting Group Executive for Retail Banking Services, Angus Sullivan, to issue a video statement explaining that there was no evidence that customer information had been compromised.
A CBA release, published along with the video statement, says: “Commonwealth Bank today confirmed that there was no evidence of customer information being compromised or suspicious activity following an incident in 2016.” The release clarifies that PINs, passwords or any other data that could be used to commit account fraud have not been stolen. The press release states: “CBA’s advice today follows a media report of an incident in May 2016 where the bank was unable to confirm the scheduled destruction by a supplier of two magnetic tapes which contained historical customer statements. The tapes contained customer names, addresses, account numbers and transaction details from 2000 to early 2016. The tapes did not contain passwords, PINs or other data which could be used to enable account fraud.”
CBA reportedly ordered an independent forensic investigation in 2016. The investigation, conducted by KPMG, determined that the magnetic tapes had all been disposed of. The bank also stated that monitoring mechanisms have been put in place to further protect its customers.
BuzzFeed News, however, points out that although the forensic team inferred that the data had most likely been destroyed, there is no conclusive evidence of what happened to the tapes. BuzzFeed News states: “BuzzFeed News understands the magnetic tape drives were also not encrypted. But the information on the drives was difficult to access due to the age of the magnetic drives and the file type the information was stored in… While the bank considered alerting customers, BuzzFeed News understands it ultimately determined that the risk of the data being discovered and misused was low.”
CBA decided not to notify customers in light of the investigations that were carried out. The bank’s press release states: “The Office of the Australian Information Commissioner and the Australian Prudential Regulation Authority (APRA) were both notified of the incident and a briefing was provided on the results of the investigation. The decision not to notify customers was made in light of the investigation’s findings and the account monitoring in place… An independent forensic investigation was conducted, recommendations were made and acted upon to ensure a similar incident would not happen again.”
The Commonwealth Bank of Australia has also clarified that the incident, which is reported to have happened in 2016, was not cyber-related and that none of CBA’s technology platforms, systems, services, apps or websites were compromised.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer covering the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites like hackercombat.com and others.