CBA loses 12 million records, doesn’t tell customers

UPDATE / 4.30pm: ASB Bank says none of its customers was affected by parent CBA's data breach.

"It’s solely a CBA issue. No ASB customers or data involved," a spokeswoman says.

 On NBR's second question submitted this morning: "What is ASB's policy around disclosing data breaches to customers?," the spokeswoman says: "The security of customer information is a priority for ASB and we constantly review our processes and systems to ensure our customers' personal data is well-protected. If customer information is compromised by a breach we would act in accordance with the NZ Privacy Commissioner guidelines and the Privacy Act (1993)."

That would appear to translate as "No." The Privacy Act (1993) does not require disclosure of a breach.

An overhaul of the act, making its way through Parliament, will make disclosure mandatory.

EARLIER 8.30am: The Commonwealth Bank of Australia has admitted it lost track of 12 million customer records – and that it did not inform the customer involved.

The bank has only admitted the 2016 incident late yesterday after it was revealed by Australian media overnight.

NBR has asked ASB Bank (owned by CBA) if any New Zealand customer records were involved, and for the bank’s policy on data breaches.

An update of the Privacy Act now going through Parliament will make data breach disclosure mandatory. Presently, it is voluntary.

CBA says a forensic investigation by KPMG found two magnetic tapes, holding 19.8 million account records relating to 12 million customers, were not properly disposed of.

CBA Retail Banking Service acting group executive Angus Sullivan says the tapes stored personal data such as names and addresses but not pins, passwords “or other data that could enable account fraud.”

He adds there is no evidence that data had been compromised or accessed by third parties because of the incident, and that it was likely the tapes had in fact been destroyed even if the usual procedures were not followed.

Although customers were not informed, CBA says it does it did inform a regulator (the Australian Prudential Regulation Authority) and the Australian Privacy Commissioner.

While the pending NZ Privacy Act overhaul includes a mandatory data breach provision, Privacy Commissioner John Edwards has proposed a two-tier system whereby his office would be informed, then make a judgment call on whether on whether an organisation’s customers or the public at large had to be told.

As it stands, the bill has provision for the Privacy Commissioner to impose a fine of up to $10,000 for an organisation that does not disclose a data breach.

Mr Edwards is lobbying for fines of up to $1m.

The commissioner says breaches are on the rise, and notes companies including Facebook, Uber and Yahoo have all concealed data breaches involving New Zealand customers in recent times.