(Bloomberg) -- Commonwealth Bank of Australia, castigated by the regulator this week for complacency, didn’t tell customers about a potential data breach affecting almost 20 million accounts that included names, addresses and years of transaction details.
The bank said Thursday it couldn’t confirm in May 2016 that records of customer statements had been destroyed as planned. It decided not to let clients know after an investigation concluded “the most likely scenario was that the tapes had been disposed of.”
According to BuzzFeed News, whose report triggered today’s disclosure, investigators hired by the bank even wondered if the magnetic data tapes that were scheduled for destruction might have fallen off the back of a truck. Teams retraced the route of a bank subcontractor’s vehicle to look for the backup drives but couldn’t find any trace of them, BuzzFeed reported.
It’s another blow to Commonwealth Bank’s image, days after a regulatory probe blasted the lender for a lack of oversight and accountability. While Commonwealth Bank said passwords and personal identification numbers weren’t affected, the information did include account numbers and transaction details from 2000 to 2016.
“Incidents like this are not acceptable,” Angus Sullivan, acting group executive for retail banking services, said in the statement.
There’s been no evidence of suspicious activity or that customer data was compromised, and the bank is still monitoring the accounts as a precaution, it said. The lender said it told the Office of the Australian Information Commissioner and the banking regulator about the incident and the results of the investigation in 2016.
©2018 Bloomberg L.P.