Commonwealth Bank lost bank statements linked to 20 million accounts in 2016, but chose not to tell customers.
Commonwealth Bank lost bank statements linked to 20 million accounts in 2016, but chose not to tell customers.

Almost 20 million bank account records lost by CBA

AFTER it emerged that Commonwealth Bank lost customer statements linked to 20 million accounts, the institution has spent the night assuring people they are not at risk.

But is that really true? The bank has admitted it lost financial statements spanning 15 years in 2016, after the story was uncovered by Buzzfeed News.

When the data stored on tape drives was lost by a subcontractor, CBA launched an investigation to find out what happened, but the documents were never found.

One theory suggested by a forensic team from accounting firm KPMG was that the tapes might have fallen off the back of a truck taking the data to be destroyed.

But the data was never located - either on the road or on the dark web - and it was decided that had most probably been disposed of as planned.

However, one Western Australian farmer living with bone cancer claims he was the victim of identity theft after his CBA documents were found in a gutter in Victoria.

Barry Lakeman said he ended up in debt after criminals used his identity to borrow money and buy goods and services.

He approached Geoff Shannon from Unhappy Banking, who told news.com.au he had been dealing with the Lakemans' "many loans and credit issues" resulting from the fraud ever since.

Mr Lakeman said CBA told him in 2014 that his statements had been found in a gutter in Victoria, a state he and his wife hadn't visited for three years. He said the bank suggested his wife must have taken the statements there and left them behind.

Police then called Mr Lakeman in August last year to say they had found his gun licence - only the membership number was wrong, the 59-year-old told The Conversation.

"It was a forgery," he told Sydney University Adjunct Associate Professor Michael West, who wrote about the issue last year. "The number at the top of the card was different from the number on my card."

And there have been "other incidents" too, Mr Lakeman claimed. "In 2015, a company in Victoria rang me and said, 'We have finished the canvas for your caravan' ... I don't even own a caravan."

Northam Police began investigating the identity theft with the help of Mr Shannon, who took the case to the bank-funded Financial Ombudsman Service set up to handle customer complaints.

But Mr Lakeman still doesn't know what really happened, telling Prof West: "It really hurt us because when we tried to move and buy a house there was a black mark against us. It affected our credit rating."

While the bank does not comment on individual cases, it has said it immediately put mechanisms in place to protect customers after the 2016 data loss.

But Mr Lakeman is not alone in claiming identity theft. There have been numerous reports of counterfeit credit cards and identities from CBA-owned BankWest available for sale on the dark web, and staff members were sacked from the WA bank in 2014 for selling documents.

CBA is not the only bank vulnerable to data losses and thefts, but it has suffered major damage to its reputation following an embarrassing recent money-laundering scandal.

Customers took to social media overnight to express their fury that they had not been told about the loss our their data.

"Why weren't customers notified?" asked David Rae, who said he would need to inform his customers. "Why wasn't the market informed?"

He called it a "clear breach of trust" as well as "incompetence", while Nelly jane added, "This needs explaining!"

The incident has been called one of the largest financial services privacy breaches in Australia.

CBA is still unable to confirm the destruction of the two magnetic tapes containing customer statements featuring names, addresses, account numbers and transaction details from 2000 to early 2016.

Acting group executive for retail banking services Angus Sullivan issued a statement on YouTube after BuzzFeed exposedthe massive data breach. "The tapes did not contain PINs, passwords or other data that could enable account fraud," he said.

CBA said it had informed the Office of the Australian Information Commissioner and the Australian Prudential Regulation Authority of the incident and provided a briefing.

"The decision not to notify customers was made in light of the investigations findings and the account monitoring in place," said the bank.

But OAIC is now making further inquiries after a report by APRA slammed the bank for its "widespread sense of complacency".

The banking regulator said on Tuesday that community trust in Australia's banks had been "badly eroded" after CBA had failed to meet expectations and "fallen from grace".

On Tuesday, the bank's chief executive Matt Comyn went into damage control, hours after treasurer Scott Morrison called for more executives from the financial company to step down.

Mr Comyn admitted he had made errors after the inquiry found the bank broke anti-money laundering and counter-terrorism financing laws more than 50,000 times. He told the bank board he would be refusing his short-term bonus this year - a move that will cost him $2.2 million.

The CEO also said the bank's top 500 executives would be given printed copies of the 100+ page APRA report. The executives will have a week to read and respond to the report and make suggestions as to how the bank can change its culture.

Mr Morrison called the report "very damning" and said it should be "required reading" not only for every financial intitution in Australia but for every single board member of any company.

In a statement, the bank said it had and had now confirmed there was no evidence of information being compromised for the 19.8 million accounts involved or suspicious activity following the incident.

It said in a statement published on its website: "Commonwealth Bank today confirmed that there was no evidence of customer information being compromised or suspicious activity following an incident in 2016. Ongoing monitoring of accounts by CBA confirms customers do not need to take any action.

"CBA's advice today follows a media report of an incident in May 2016 where the bank was unable to confirm the scheduled destruction by a supplier of two magnetic tapes which contained historical customer statements. The tapes contained customer names, addresses, account numbers and transaction details from 2000 to early 2016. The tapes did not contain passwords, PINs or other data which could be used to enable account fraud.

"An independent forensic investigation ordered by CBA in 2016 and conducted by KPMG determined the most likely scenario was the tapes had been disposed of. The bank immediately put in place monitoring mechanisms to further protect customers.

"The 2016 incident was not cyber-related and there has been no compromise of CBA's technology platforms, systems, services, apps or websites."


Operator encourages tourists to visit after shark attacks

Operator encourages tourists to visit after shark attacks

Tourist operator hoping shark attacks will not deter visitors.

Doctor reveals what happened following shark attack

Doctor reveals what happened following shark attack

Doctor reveals what happened following shark attack.

'I had no idea it was a shark attack'

'I had no idea it was a shark attack'

Hear from the man who was one of the first on the scene.

Local Partners