A view of a Commonwealth Bank of Australia branch in Sydney, Australia, April 18, 2018.
A view of a Commonwealth Bank of Australia branch in Sydney, Australia, April 18, 2018. Reuters/Edgar Su

Commonwealth Bank has admitted to losing historical financial statements of almost 20 million personal accounts in a 2016 incident and decided not to make it public. The bank statements contained customers’ names, addresses, account numbers and transaction details, but not allegedly passwords and pin numbers.

BuzzFeed News first reports on Wednesday that Australia’s largest bank lost its customers’ banking statements from 2004 to 2014 after its subcontractor lost several tape drives in 2016. Subcontractor Fuji Xerox was decommissioning a data storage centre where some CBA customer data was stored. Backup magnetic tape drives containing the financial statements were believed to have been sent there to be destroyed.

However, when the company failed to produce a “destruction certification,” the CBA launched an investigation. It ordered an independent forensic investigation and informed the Office of the Australian Information Commissioner (OAIC) of what happened. It did not inform the customers about the incident.

A spokeswoman for the OAIC told BuzzFeed News, however, that it was now making further inquiries into the privacy breach.

CBA, in response to the report, said the tapes that were lost contained the customers’ names, addresses, account numbers and transaction details from 2000 to early 2016. They did not contain passwords, PINs or any other data that could be used for account fraud.

The independent forensic investigation ordered by CBA in 2016 was conducted by KPMG, which determined that the tapes had “most likely” had been disposed of. CBA assured customers that the incident was not cyber-related and there has been no compromise of the bank’s platforms, services or websites. Nevertheless, the bank said it has been monitoring the 19.8 million accounts involved in the incident, and it found no evidence that they have been compromised.

“The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred,” Angus Sullivan, acting group executive Retail Banking Services at CBA, said.

The bank explained that it decided not to notify customers given the results of the investigations. It had discussion its step with the OAIC, which advised that it did not intend to take any further action in relation to the matter. However, the OAIC contacted CBA this week to seek more information about the possible breach.

“We take the protection of customer data very seriously and incidents like this are not acceptable. I want to assure our customers that we have taken the steps necessary to protect their information, and we apologise for any concern this incident may cause,” Sullivan said.

Customers are not required to take any action. However, if they had any concern about the incident, they can call 1800 316 433 or visit its website.