Australian information watchdog slammed for keeping tight-lipped over lost banking data

Despite two unsuccessful investigations, Australian Information Watchdog failed to notify customers of lost data

Australia's information commissioner has come under fire after it emerged last week that it failed to recover lost customer account data from the Commonwealth Bank and deemed it 'low risk'.

As reported by BuzzFeed Australia on Wednesday, the Commonwealth Bank of Australia (CBA) lost the personal financial history of 12 million of its customers in 2016. The bank informed the Office of the Australian Information Commissioner (OAIC), which after an unsuccessful investigation, deemed the data breach low risk despite never finding the lost information.

Advertisement - Article continues below

The data was lost when the bank's subcontractor, Fuji Xerox, was decommissioning a data storage centre and the backup magnetic tape drives of financial instalments were believed to have been sent to be destroyed.

However, a destruction certificate for the data has never been found and despite an internal investigation from the bank and then a further search by the OAIC, the magnetic tape drives were not recovered.

While the OAIC knew of the lost drives it failed to notify customers of CBA that their personal account information had been lost.

Kat Lane, the vice chair of the Australian Privacy Foundation, heavily criticised the Office of the Australian Commissioner, reported The Guardian

"They're the commissioner that's supposed to put privacy and control of personal information at the forefront, and everybody's entitled to know their personal information is possibly leaked somewhere," she said.

Advertisement
Advertisement - Article continues below

"They could have easily disclosed and given the details about the risk, and that would have been the mature thing to do, because people could then say 'OK, the risk is low, but we are entitled to know.

Advertisement - Article continues below

"It's unclear to me how the bank and the two regulators came to this view that we aren't entitled to know. They dropped the ball," she added.

The magnetic tape drives held data including customer names, addresses, account numbers and transaction details of almost 19 million customer accounts, covering a period from 2000 to early 2016.

Following the Cambridge Analytica scandal, storing and processing data securely has become a big concern for companies of all sizes and the decision by both the bank and the OAIC to not inform customers of the lost data has left them open for questioning.

"This is the thing that needs to change," Lane added. 'We've only just taken the first steps of getting data breach notification laws in, but we haven't even made the step of acknowledging that people's personal information is extremely valuable, and we should be acknowledging that given the Facebook scandal.

Advertisement - Article continues below

"Our data is incredibly valuable and we should be able to seek compensation. These businesses that hold our personal information should be incentivised heavily by penalties to keep our data confidential.

"Obviously there's a major failure here, and the data breach notification laws haven't gone nearly far enough to resolve those failures."

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Supreme Court rules Morrisons was not liable for 2014 data breach
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
How do I fix the Windows 10 Start Menu if it's frozen?
operating systems

How do I fix the Windows 10 Start Menu if it's frozen?

3 Aug 2020