3 May 2018

Australian bank confirms loss of 20m account details

11:06 am on 3 May 2018

The Commonwealth Bank has confirmed it lost the financial statements of almost 20 million accounts, but insists its customers' information has not been compromised.

The Commonwealth Bank of Australia is the country's largest bank. Photo: 123RF

The statements, containing customers' names, addresses, account numbers and transaction details from 2000 to 2016, were stored on two magnetic tapes which were lost by sub-contractor Fuji-Xerox last year.

When the bank became aware of the incident, it said, it ordered an independent "forensic" investigation to figure out what had happened and informed the Office of the Australian Information Commissioner (OAIC).

The inquiry, conducted by KPMG, determined the tapes had most likely been disposed of.

Commonwealth Bank's Angus Sullivan described the incident as "unacceptable" but said the tapes did not contain any passwords or PINs that could compromise customers' accounts.

"I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause," he said in a statement.

"The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion."

As a precaution, the bank said it had been monitoring the 19.8m accounts involved and had so far found "no evidence of customer harm or suspicious account activity".

But the bank never alerted its customers to the potentially massive privacy breach and has only gone public after BuzzFeed News broke the story.

Mr Sullivan has defended the bank's decision, saying it had discussed the matter with the OAIC which told the bank it did not intend to take any further action.

However, Mr Sullivan said the OAIC contacted the bank this week seeking more information about the possible breach.

ABC News understands the breach happened when Fuji-Xerox was decommissioning a data storage centre where the customer records were being held.

The two magnetic drives were scheduled to be destroyed, but when the company failed to produce the "destruction certificate", the Commonwealth Bank launched an investigation.

It caps off a bad week for the bank, which was slammed by the regulator, the Australian Prudential Regulation Authority (APRA), for a "widespread sense of complacency" and "lack of accountability" that has led to multiple regulatory breaches.

The commission heard advisers at a Commonwealth Bank of Australia financial planning business continued to charge fees to customers they knew had died. This included one instance in which fees were charged for more than 10 years.

A 2012 Deloitte report revealed at least $700,000 in ongoing service fees were being charged to more than 1050 clients allocated to more than 50 inactive financial planners who had left the business before 2012.

It also noted that Commonwealth Bank of Australia may have undercharged or overcharged 5000 clients up to $4.3m.

The bank has also accepted the Australian Securities and Investments Commission's enforceable undertaking for fees charged to more than 31,000 financial advice customers who did not receive an annual review.

- ABC
