Australian information watchdog slammed for keeping tight-lipped over lost banking data

Australia's information commissioner has come under fire after it emerged last week that it failed to recover lost customer account data from the Commonwealth Bank and deemed it 'low risk'.

As reported by BuzzFeed Australia on Wednesday, the Commonwealth Bank of Australia (CBA) lost the personal financial history of 12 million of its customers in 2016. The bank informed the Office of the Australian Information Commissioner (OAIC), which after an unsuccessful investigation, deemed the data breach low risk despite never finding the lost information.

The data was lost when the bank's subcontractor, Fuji Xerox, was decommissioning a data storage centre and the backup magnetic tape drives of financial instalments were believed to have been sent to be destroyed.

However, a destruction certificate for the data has never been found and despite an internal investigation from the bank and then a further search by the OAIC, the magnetic tape drives were not recovered.

While the OAIC knew of the lost drives it failed to notify customers of CBA that their personal account information had been lost.

Kat Lane, the vice chair of the Australian Privacy Foundation, heavily criticised the Office of the Australian Commissioner, reported The Guardian.

"They're the commissioner that's supposed to put privacy and control of personal information at the forefront, and everybody's entitled to know their personal information is possibly leaked somewhere," she said.

"They could have easily disclosed and given the details about the risk, and that would have been the mature thing to do, because people could then say 'OK, the risk is low, but we are entitled to know.

"It's unclear to me how the bank and the two regulators came to this view that we aren't entitled to know. They dropped the ball," she added.

The magnetic tape drives held data including customer names, addresses, account numbers and transaction details of almost 19 million customer accounts, covering a period from 2000 to early 2016.

Following the Cambridge Analytica scandal, storing and processing data securely has become a big concern for companies of all sizes and the decision by both the bank and the OAIC to not inform customers of the lost data has left them open for questioning.

"This is the thing that needs to change," Lane added. 'We've only just taken the first steps of getting data breach notification laws in, but we haven't even made the step of acknowledging that people's personal information is extremely valuable, and we should be acknowledging that given the Facebook scandal.

"Our data is incredibly valuable and we should be able to seek compensation. These businesses that hold our personal information should be incentivised heavily by penalties to keep our data confidential.

"Obviously there's a major failure here, and the data breach notification laws haven't gone nearly far enough to resolve those failures."

Bobby Hellard

Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.

Bobby mainly covers hardware reviews, but you will also recognise him as the face of many of our video reviews of laptops and smartphones.