Prime minister Malcolm Turnbull has slammed Australia's largest bank over its loss of the financial records of 12 million of its customers.
At a press conference in Nowra in NSW, Turnbull was asked about BuzzFeed News revelations that Commonwealth Bank lost the banking statements for customers from 2004 to 2014 after subcontractor Fuji Xerox lost several tape drives containing the financial information in 2016. He said it was an "extraordinary blunder".
"It's hard to imagine how so much data could be lost in this way," the prime minister said. "I have to say that ... if that had happened today, the bank would have to publicly, would have to advise each of their customers about the loss of data under new laws we have brought in and have been operating since the beginning of this year.
"But this maintaining data security is of vital importance for everybody, whether it's the private sector or governments, and if there is a serious data breach or loss, the people affected should be advised so they can take steps to protect themselves."
The mandatory data breach notification laws came into effect in February this year and can result in businesses being fined up to $2.1 million for failing to disclose serious data breaches to affected customers and the Office of the Australian Information Commissioner (OAIC).
Labor said the government's stalling on mandatory data breach laws, which the government had initially agreed to introduce by the end of 2015, had meant Commonwealth Bank did not have to report it to customers in 2016.
In this instance, Commonwealth Bank informed the OAIC in 2016, but didn't disclose to the public until the BuzzFeed News report on Wednesday. Attorney-general Christian Porter was seeking briefings from the OAIC about the incident today, and was informed about it by Commonwealth Bank on Tuesday.
Commonwealth Bank has insisted that the decision to not inform customers was in order to "not unduly alarm" them. The bank began emailing customers on Thursday. Acting group executive for retail banking Angus Sullivan told radio station 3AW that while the bank is aware that 19.8 million customer accounts were affected by the lost tapes, it is not clear exactly which customers were affected.
"Obviously without the tapes at hand, it's difficult to identify what is and isn't on them," he said.
Sullivan said that no fraudulent activity had been detected by the bank using the data that was on the tapes in the two years since the tapes went missing.
"A data disaster is coming"
The Consumer Action Law Centre said it was concerned that OAIC and Commonwealth Bank had decided against informing the public.
"No matter how small the risk might have been, we should have been told," CEO Gerard Brody said in a statement. "Even if the breach was inadvertent and the risks are small, people need to know. Banks and corporates profess transparency and honesty, but we still find out about these incidents through the media."
Brody said a situation like this could be worse next time because new laws on credit reporting that come into effect on July 1, 2018, will allow banks to access more of the credit history of Australians than they currently have access to.
"A data disaster is coming," Brody said. "Credit reporting is already a mess of bad data, confusing processes and poor oversight. We’re about to see a major expansion in the collection and sharing of data that will have serious impacts on people’s lives."