Commonwealth Bank of Australia blunders

The Commonwealth Bank of Australia, the nation’s largest lender has admitted to losing the bank records of nearly 20 million of its customers.

Background

Founded on 1911, the Commonwealth Bank of Australia is the country’s largest bank. The multinational bank has businesses across New Zealand, Fiji, Asia, the United States and the United Kingdom. It is also the largest Australian listed company on the Australian Securities Exchange as of August 2015 with brands including Bankwest, Colonial First State Investments Limited, ASB Bank (New Zealand), Commonwealth Securities Limited and Commonwealth Insurance Limited. Commonwealth Bank is also the largest bank in the Southern Hemisphere. It was founded in 1911 by the Australian government, the Commonwealth Bank is one of the "big four" Australian banks, with National Australia Bank (NAB), ANZ and Westpac. The bank listed on the Australian Stock Exchange in 1991 and the government fully privatized it in 1996.

The bank has been embroiled in multiple scandals over the years. In 2016 it was revealed that some CBA staff were implicated in an alleged $76m Ponzi scheme fraud. There have also been reports of alleged systemic issues about the insurance division of CBA.

In August 2017, the Australian Transaction Reports and Analysis Centre (Austrac), the financial intelligence agency, that it was suing the Commonwealth bank for 53,700 breaches of money laundering and counter-terrorism-financing laws. The breaches related to the bank's use of intelligent deposit machines (IDMs) between November 2012 and September 2015. The bank has claimed that a programming error allowed depositors to instantly credit cash deposits to their accounts, whilst failing to report amounts over $10,000 to AUSTRAC, and not enforcing any limits to the number of transactions.

Analysis

The bank is once again embroiled in controversy. In May 2018, the bank admitted to losing bank records of almost 20 million people. The information includes names, addresses, account numbers and statements. This data had been stored on two magnetic tapes and was meant to be destroyed by a subcontractor in 2016.

At the time, even though the bank had not received any confirmation that the data had been destroyed, it did not reveal this fact to its customers. “This is an extraordinary blunder,” Prime Minister Malcolm Turnbull told reporters. “It’s hard to imagine how so much data could be lost in this way. If that had happened today, the bank would have to advise each of their customers,” Turnbull added.

Kat Lane, the vice chair of the Australian Privacy Foundation, has criticized the Office of the Australian Information Commissioner (OAIC) after it failed to tell customers of CBA that had been misplaced. “They’re the commissioner that’s supposed to put privacy and control of personal information at the forefront, and everybody’s entitled to know if their personal information is possibly leaked somewhere,” Lane said.

The revealed this information to the Australian Stock Exchange. It also noted that it could not confirm or deny whether or not tapes that contained 15 years of data had been destroyed securely. The bank, however, revealed that an independent forensic investigation had been conducted by KPMG (an accounting firm). According to this investigation, “the most likely scenario was the tapes had been disposed of." It added "the tapes did not contain passwords, PINs or other data which could be used to enable account fraud".

Meanwhile, Angus Sullivan, the acting head of retail banking at the Commonwealth Bank, has apologized to customers and said that the incident was “unacceptable.”

The latest revelation comes less than a year after America’s Equifax announced that a large-scale data breach had taken place in the company. It stated that an unauthorized third party was able to gain access to Equifax data on as many as 143 million Americans. A similar breach took place in Uber and the company had failed to disclose the details immediately after the fact.

Assessment

Our assessment is that CBA’s mistakes and its oversight could result in serious consequences. It is likely that failure to report suspicious activity on time could hurt the nation’s security especially if terror elements are involved. There is also an additional fear that millions of the bank’s customers could become vulnerable to a variety of threats if the data had been breached.