Attorney-general Christian Porter has sought "urgent briefings" with the Office of the Australian Information Commissioner after BuzzFeed News revealed that Australia's largest bank, Commonwealth Bank, lost the personal financial histories of 12 million customers.
On Wednesday night, BuzzFeed News first reported that the Commonwealth Bank lost the banking statements for customers from 2004 to 2014 after subcontractor Fuji Xerox lost several tape drives containing the financial information in 2016.
The bank informed the Office of the Australian Information Commissioner (OAIC) about the breach in 2016, but didn't alert customers until BuzzFeed News revealed it this week.
It appears that the Commonwealth Bank also didn't inform higher levels of government outside of OAIC. On Sky News on Thursday finance minister Mathias Cormann said attorney-general Christian Porter – who is responsible for privacy matters – was only informed about it last night.
"I'm advised the attorney-general was advised on this last night," he said, adding that the government was seeking an "urgent briefing" from OAIC on Thursday.
But Porter said he was actually informed about the incident on Tuesday night, after BuzzFeed News had begun making inquiries with Commonwealth Bank about it.
"I was made aware of the 2016 data issue involving the CBA [Commonwealth Bank] on Tuesday night and wrote to the Privacy Commissioner yesterday seeking a detailed briefing on the issue, including actions taken by both the Office of the Australian Information Commissioner (OAIC) and CBA at the time of the data loss and subsequently," Porter said in a statement.
"The acting Privacy Commissioner has indicated she is making further inquiries to ensure CBA has taken action subsequent to the 2016 incident to ensure the privacy of customers’ personal information is protected. That is an appropriate course of action."
Shadow treasurer Chris Bowen said in a statement provided to BuzzFeed News that the report was "extremely concerning" and the government needed to answer questions about what it knew about the breach.
"Why has it taken years – and a media report – for people to find out? CBA needs to provide information to customers today about what has occurred and what actions were taken after the breach was discovered."
Commonwealth Bank issued a statement last night and a video where acting group executive for retail banking Angus Sullivan sought to reassure customers that customer records had not been compromised, and the decision was made not to inform customers so as to not "unduly alarm" them.
The company also began emailing customers about the breach on Thursday.
Greens senator Peter Whish-Wilson said CBA's explanation was "utter bullshit".
"Commbank are saying that the potential loss of 20 million account details is OK because there isn’t enough detail in the data for anyone to access your bank account," he said. "This is utter bullshit.
"For all we know, the details of every transaction of millions of accounts could have potentially have fallen into the hands of organised crime."
Whish-Wilson said CBA was "too big to regulate".
Porter said that the breach occurred before the government implemented mandatory data breach notification laws, which went into effect in February this year. The law requires companies to inform customers "affected by a data breach that is likely to result in serious harm" or risk facing penalties of up to $2.1 million.
In the first two months of the scheme, there were were 55 disclosures from companies, including eight financial services companies. The majority of the breaches were a result of human error.