The Commonwealth Bank is facing a fresh scandal after admitting it lost backup data for more than 15 years of customer statements in 2016, affecting almost 20 million accounts.
The CBA’s acting group executive for retail banking services, Angus Sullivan, issued a video statement on YouTube after reports emerged Wednesday that magnetic tapes storing the data was lost.
Mr Sullivan assured customers their information had not been compromised and no action was required after BuzzFeed Australia published details of the breach.
“The tapes did not contain PINs, passwords or other data that could enable account fraud,” Mr Sullivan said.
In a statement the bank said it had confirmed there was no evidence of suspicious activity involving the 19.8 million accounts affected following the incident.
We take your privacy seriously. You may have read a recent media report about an event in May 2016. There’s no evidence of your information being compromised and you don’t need to take any action. Visit https://t.co/x63uw2SVRf to learn more.
— CommBank (@CommBank) May 2, 2018
“An independent forensic investigation ordered by CBA in 2016 and conducted by KPMG determined the most likely scenario was the tapes had been disposed of,” the CBA statement said.
“The 2016 incident was not cyber-related and there has been no compromise of CBA’s technology platforms, systems, services, apps or websites.”
CBA says it had been unable to confirm the destruction of two magnetic tapes containing historical customer statements.
The tapes contained customer names, addresses, account numbers and transaction details from 2000 to early 2016.
CBA believes a person handling the sensitive tapes that were scheduled for destruction instead left them unattended, and did not go through with destroying them, Fairfax media reported.
An investigation in 2016, when the incident occurred, determined it was most likely the tapes had been disposed of and the bank immediately put mechanisms in place to further protect customers.
“We take the protection of customer data very seriously and incidents like this are not acceptable,” Mr Sullivan said.
“I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”
He added that the relevant regulators were informed in 2016 but that the bank had decided it was not necessary to alert customers after discussion with the Office of the Australian Information Commissioner (OAIC).
However, BuzzFeed reports the OAIC is now making further inquiries into the incident, following a report by the banking regulator that slammed the bank for its “widespread sense of complacency”.
The latest embarrassing development came just a day after the Australian Prudential Regulation Authority said on Tuesday that community trust in Australia’s banks had been “badly eroded” and CBA had failed to meet expectations and “fallen from grace”.
APRA released its final report of an inquiry into CBA over events leading to allegations that it broke anti-money laundering and counter terrorism financing laws on almost 54,000 occasions.
APRA said CBA’s framework for managing risks were “cumbersome” and senior leadership was slow to react to emerging threats.
The report concluded the lender’s governance, culture and accountability frameworks and practices were in need of “considerable improvement”.
Treasurer Scott Morrison said he expected more executives at Commonwealth Bank of Australia to lose their jobs after the “damning” report.
Watch Angus Sullivan’s statement below: