Commonwealth Bank Data Security Breach – Because the Banking Royal Commission Was Not Embarrassing Enough

It is not a good time to be a banker! With the Royal Commission into Misconduct in Banking shining a spotlight on misconduct, incompetence, and the necromantic practice of charging dead customers, you would think the banks would be keeping their heads down.

The Commonwealth Bank, it seems, did not get the memo, this week admitting to a potential data breach affecting an estimated 19.8 million customers’ accounts (presumably every single Commonwealth Bank customer).


In 2016 the Commonwealth Bank contracted Fuji Xerox to decommission one of its data centres.

This process involved the destruction of magnetic tapes used for backing up data. The tapes included 16 years’ worth of bank statements with customer names, addresses, account numbers, and transaction details.

The Commonwealth Bank later realised it had not been provided with a certificate confirming the tapes had been destroyed. KPMG was hired to conduct an independent forensic investigation (think Sherlock Holmes, without the inevitable success).

Unsurprisingly, no trace of the tapes was found. It was concluded that the tapes had most likely been destroyed as originally intended.

The Commonwealth Bank notified the Office of the Australian Information Commissioner (OAIC) about the incident, as well as informing the Australian Prudential Regulation Authority (APRA).

Customers were not notified.

Fast forward three years, and BuzzFeed broke the story.

And the media storm erupted…


One of the concerns raised by this incident was the Commonwealth Bank’s failure to notify customers of the potential data breach before the media picked up the story. Whilst the Commonwealth Bank was under no legal obligation to do so at the time, it has been heavily criticised for this decision.

A question arises as to whether, if this happened today, the recent mandatory data breach reporting law would have made a difference.

You can read Kott Gunning’s summary of the mandatory data breach reporting changes in the Update titled 404 Cyber Security for Business.

In short, under the Privacy Act organisations are now required to notify affected individuals of eligible data breaches. An eligible data breach includes the circumstance where information is lost, unauthorised access to or disclosure of that information is likely, and this would be likely to result in serious harm to affected individuals. This is to be assessed having regard to the nature of the information lost and any security measures in place.

In the Commonwealth Bank case, the currently known facts suggest the tapes were probably destroyed as was intended. The only thing missing (apart from the tapes!) is a certificate confirming their destruction. Given the lack of certification, there is always the possibility they were not destroyed, and therein lies the risk.

The Privacy Act also provides that, where remedial action has been taken, making it unlikely that access or disclosure will result in serious harm, the data breach will not be notifiable.

The Commonwealth Bank has confirmed that account monitoring has been in place since the incident, to mitigate any possible consequences from the unauthorised use of the information. Given the nature of the information lost, we do question whether this would be sufficient to avoid the requirement to notify.

In our view, despite the sensitivity of the information lost, the likelihood of unauthorised access or disclosure, and subsequent serious harm, would appear to be slight given the probability the tapes were destroyed.


Aside from the PR headaches, the Commonwealth Bank will doubtless face further regulatory scrutiny from this bungle. The OAIC has now requested further information about the action taken by the Commonwealth Bank since the incident.

On the current evidence, had this occurred after the new mandatory reporting laws came into effect, arguably the Commonwealth Bank would still not have been legally required to notify customers.

However, this is a prime example of the risks associated with failing to be open and transparent when it comes to the loss of personal information. Had the Commonwealth Bank taken a proactive approach, with appropriate PR management, and made a mea culpa admitting the loss, the fallout would arguably have been far less damaging.

Will this now lead to a review of the only-just-enacted data breach provisions, to ensure they are tightened up to prevent a repeat performance? We must await the outcome of the OAIC’s further enquiries.

Please also stay tuned for Kott Gunning’s forthcoming update on the EU General Data Protection Regulation, in force from 25 May 2018.

The information published in this paper is of a general nature and should not be construed as legal advice. Whilst we aim to provide timely, relevant and accurate information, the law may change and circumstances may differ. You should not therefore act in reliance on it without first obtaining specific legal advice.