Customers Of A Well-Known Bank Had Their Personal Information Posted Online For 2 Months

    The salaries, dates of birth, addresses and employment details of some Suncorp customers were public from September 7 to November 8.

    The personal information of a number of customers of an Australian bank was inadvertently published on a public government website for two months, despite being subject to a non-publication order.

    The addresses, phone numbers, email addresses, employment details, salaries, gender, date of birth, insurance status, beneficiary nominations and superannuation balance of a number of Suncorp superannuation members were mistakenly published on the public website of the Royal Commission into the Banking, Superannuation and Financial Services Industry on September 7. They were only removed when Suncorp discovered the publication on November 8.

    Suncorp, a mid-sized Australian bank based in Brisbane, declined to say how many customers were affected.

    The information was in a spreadsheet in a confidential exhibit which Suncorp handed over in a response to a request from the commission, in relation to the fifth round of public hearings on superannuation. The commission routinely publishes exhibits on its website.

    "We contacted the royal commission immediately to have the document removed once becoming aware of the matter" on November 8, a Suncorp spokesperson told BuzzFeed News.

    A commission spokesperson said in a statement that it had "established practice guidelines and procedures in place to enable parties to request that personal information, including personal information of customers, is not published unless appropriate to do so". That includes allowing parties to make redactions before documents are published.

    BuzzFeed News understands that a non-publication order was issued over the entire document, and so it did not require redaction. Suncorp has told its affected customers that it only provided the information after the commission confirmed that it would not be published.

    Suncorp CEO of Banking & Wealth, David Carter, wrote to affected customers last week, informing them of the privacy breach. In the letter, Carter said that the spreadsheet "contained more information about some superannuation members than others." He advised customers who wanted to know specifically which of their information was published to call the company.

    The royal commission spokesperson said it was working with Suncorp to "rectify the situation", including removing the document as soon as Suncorp brought the publication to its attention.

    Suncorp says its affected customers will get 12 months of free access to a credit monitoring and identity theft protection service. It has informed the Office of the Australian Information Commissioner, and is also reviewing access to the accounts of affected members.

    "Suncorp takes the security of data very seriously and we are disappointed these details have been made publicly available," the spokesperson said in a statement. The company says it is working to contact the "small number" of affected customers whose contact details on file with it were not current.

    "The commission does not propose to comment further on the details," the commission's spokesperson said.

    The Office of the Australian Information Commissioner declined to comment on the specifics of this case.