Australian information watchdog slammed for keeping tight-lipped over lost banking data

Despite two unsuccessful investigations, Australian Information Watchdog failed to notify customers of lost data

Australia's information commissioner has come under fire after it emerged last week that it failed to recover lost customer account data from the Commonwealth Bank and deemed it 'low risk'.

As reported by BuzzFeed Australia on Wednesday, the Commonwealth Bank of Australia (CBA) lost the personal financial history of 12 million of its customers in 2016. The bank informed the Office of the Australian Information Commissioner (OAIC), which after an unsuccessful investigation, deemed the data breach low risk despite never finding the lost information.

Advertisement - Article continues below

The data was lost when the bank's subcontractor, Fuji Xerox, was decommissioning a data storage centre and the backup magnetic tape drives of financial instalments were believed to have been sent to be destroyed.

However, a destruction certificate for the data has never been found and despite an internal investigation from the bank and then a further search by the OAIC, the magnetic tape drives were not recovered.

While the OAIC knew of the lost drives it failed to notify customers of CBA that their personal account information had been lost.

Kat Lane, the vice chair of the Australian Privacy Foundation, heavily criticised the Office of the Australian Commissioner, reported The Guardian

"They're the commissioner that's supposed to put privacy and control of personal information at the forefront, and everybody's entitled to know their personal information is possibly leaked somewhere," she said.

Advertisement
Advertisement - Article continues below

"They could have easily disclosed and given the details about the risk, and that would have been the mature thing to do, because people could then say 'OK, the risk is low, but we are entitled to know.

Advertisement - Article continues below

"It's unclear to me how the bank and the two regulators came to this view that we aren't entitled to know. They dropped the ball," she added.

The magnetic tape drives held data including customer names, addresses, account numbers and transaction details of almost 19 million customer accounts, covering a period from 2000 to early 2016.

Following the Cambridge Analytica scandal, storing and processing data securely has become a big concern for companies of all sizes and the decision by both the bank and the OAIC to not inform customers of the lost data has left them open for questioning.

"This is the thing that needs to change," Lane added. 'We've only just taken the first steps of getting data breach notification laws in, but we haven't even made the step of acknowledging that people's personal information is extremely valuable, and we should be acknowledging that given the Facebook scandal.

Advertisement - Article continues below

"Our data is incredibly valuable and we should be able to seek compensation. These businesses that hold our personal information should be incentivised heavily by penalties to keep our data confidential.

"Obviously there's a major failure here, and the data breach notification laws haven't gone nearly far enough to resolve those failures."

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/privacy/355048/government-may-trace-covid-19-patients-using-mobile-phone-data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354842/irish-data-regulator-racks-up
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020
Visit/data-insights/data-management/354423/eu-us-data-transfer-tools-used-by-facebook-ruled-legal
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019
Visit/backup/33385/arcserve-udp-9240dr-review-beef-up-your-backups
backup

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/mobile/mobile-phones/355088/apple-lifts-iphone-purchase-restrictions
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020