Australian information watchdog slammed for keeping tight-lipped over lost banking data

Despite two unsuccessful investigations, Australian Information Watchdog failed to notify customers of lost data

Australia's information commissioner has come under fire after it emerged last week that it failed to recover lost customer account data from the Commonwealth Bank and deemed it 'low risk'.

As reported by BuzzFeed Australia on Wednesday, the Commonwealth Bank of Australia (CBA) lost the personal financial history of 12 million of its customers in 2016. The bank informed the Office of the Australian Information Commissioner (OAIC), which, after an unsuccessful investigation, deemed the data breach low risk despite never finding the lost information.

The data was lost when the bank's subcontractor, Fuji Xerox, was decommissioning a data storage centre and the backup magnetic tape drives of financial instalments were believed to have been sent to be destroyed.

However, a destruction certificate for the data has never been found, and despite an internal investigation by the bank and a further search by the OAIC, the magnetic tape drives were not recovered.

While the OAIC knew of the lost drives, it failed to notify CBA customers that their personal account information had been lost.


Kat Lane, the vice chair of the Australian Privacy Foundation, heavily criticised the Office of the Australian Commissioner, reported The Guardian.

"They're the commissioner that's supposed to put privacy and control of personal information at the forefront, and everybody's entitled to know their personal information is possibly leaked somewhere," she said.

"They could have easily disclosed and given the details about the risk, and that would have been the mature thing to do, because people could then say 'OK, the risk is low, but we are entitled to know.'

"It's unclear to me how the bank and the two regulators came to this view that we aren't entitled to know. They dropped the ball," she added.

The magnetic tape drives held data including customer names, addresses, account numbers and transaction details of almost 19 million customer accounts, covering a period from 2000 to early 2016.


Following the Cambridge Analytica scandal, storing and processing data securely has become a big concern for companies of all sizes, and the decision by both the bank and the OAIC not to inform customers of the lost data has left them open to questioning.

"This is the thing that needs to change," Lane added. "We've only just taken the first steps of getting data breach notification laws in, but we haven't even made the step of acknowledging that people's personal information is extremely valuable, and we should be acknowledging that given the Facebook scandal.

"Our data is incredibly valuable and we should be able to seek compensation. These businesses that hold our personal information should be incentivised heavily by penalties to keep our data confidential.

"Obviously there's a major failure here, and the data breach notification laws haven't gone nearly far enough to resolve those failures."
