Australia's biggest bank has admitted to losing the financial records of almost 20 million customer accounts after a subcontractor lost two magnetic tape drives containing the data in 2016.
The Commonwealth Bank (CBA) confirmed the news on Thursday after Buzzfeed News exposed the breach, reporting that 12 million Australians -- or half the Australian population -- were affected.
In a statement, CBA said the data included customer names, addresses, account numbers and 16 years of transaction information used to print customer account statements (dating from 2000 to early 2016). CBA said it informed Australia's Privacy Commissioner when it became aware of the breach in May 2016, but "a decision was made not to alert customers."
The magnetic tapes were lost by subcontractor Fuji Xerox during the process of decommissioning one of CBA's data centres. When CBA could not confirm the tapes had been destroyed, the bank hired accounting firm KPMG to conduct a forensic investigation. According to CBA, KPMG found the "most likely scenario was the tapes had been disposed of."
However, Buzzfeed News reports that one of the possible scenarios investigated by KPMG was that the tapes fell off the back of a truck when they were being transported to be destroyed.
The bank says the data did not include passwords, PINs or other information that could "enable account fraud" and it was monitoring the 19.8 million customer accounts involved for suspicious activity.
The incident represents one of the largest data and privacy breaches in Australian history and comes at a bad time for the bank.
Over the past two months, CBA has appeared before a major government-backed inquiry into misconduct in the banking industry, facing allegations of money laundering and charging fees to dead clients. Australia's top financial regulator APRA released an excoriating report on CBA this week slamming a "widespread sense of complacency" at the bank, with Australia's Treasurer Scott Morrison saying he expected top executives at CBA would step down.
In relation to this fresh privacy scandal, CBA said on Thursday "no evidence was found of any customer information being compromised, and over the past two years there has been no evidence of customer harm or suspicious account activity."
But in recent months and years, customers are no longer just concerned about having traditionally sensitive details like passwords compromised.
In an era when identity theft is a growing threat and personal information is a valuable commodity, a data breach of this size is deeply concerning for customers. Criminals can build a detailed profile of a person with information like a name and address (not to mention 16 years of financial records) and a PIN isn't needed to do serious damage.
While CBA continues to monitor accounts and reassures customers that the tapes were "most likely disposed of," the concerning fact remains -- we may never know.