Australian information watchdog slammed for keeping tight-lipped over lost banking data

Despite two unsuccessful investigations, Australian Information Watchdog failed to notify customers of lost data

Australia's information commissioner has come under fire after it emerged last week that it failed to recover lost customer account data from the Commonwealth Bank and deemed it 'low risk'.

As reported by BuzzFeed Australia on Wednesday, the Commonwealth Bank of Australia (CBA) lost the personal financial history of 12 million of its customers in 2016. The bank informed the Office of the Australian Information Commissioner (OAIC), which after an unsuccessful investigation, deemed the data breach low risk despite never finding the lost information.

The data was lost when the bank's subcontractor, Fuji Xerox, was decommissioning a data storage centre and the backup magnetic tape drives of financial instalments were believed to have been sent to be destroyed.

However, a destruction certificate for the data has never been found and despite an internal investigation from the bank and then a further search by the OAIC, the magnetic tape drives were not recovered.

While the OAIC knew of the lost drives it failed to notify customers of CBA that their personal account information had been lost.

Kat Lane, the vice chair of the Australian Privacy Foundation, heavily criticised the Office of the Australian Commissioner, reported The Guardian

"They're the commissioner that's supposed to put privacy and control of personal information at the forefront, and everybody's entitled to know their personal information is possibly leaked somewhere," she said.

"They could have easily disclosed and given the details about the risk, and that would have been the mature thing to do, because people could then say 'OK, the risk is low, but we are entitled to know.

"It's unclear to me how the bank and the two regulators came to this view that we aren't entitled to know. They dropped the ball," she added.

The magnetic tape drives held data including customer names, addresses, account numbers and transaction details of almost 19 million customer accounts, covering a period from 2000 to early 2016.

Following the Cambridge Analytica scandal, storing and processing data securely has become a big concern for companies of all sizes and the decision by both the bank and the OAIC to not inform customers of the lost data has left them open for questioning.

"This is the thing that needs to change," Lane added. 'We've only just taken the first steps of getting data breach notification laws in, but we haven't even made the step of acknowledging that people's personal information is extremely valuable, and we should be acknowledging that given the Facebook scandal.

"Our data is incredibly valuable and we should be able to seek compensation. These businesses that hold our personal information should be incentivised heavily by penalties to keep our data confidential.

"Obviously there's a major failure here, and the data breach notification laws haven't gone nearly far enough to resolve those failures."

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020
ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020