CBA has announced that more than fifteen years of back-up data collected between 2000 and 2016 has been lost, affecting almost 20 million accounts. Angus Sullivan, CBA’s acting group executive for retail banking services, said that the information lost contained customer names, addresses and account numbers but did not include passwords, PINs or other data which could be used to access accounts, and therefore CBA claim they did not need to notify affected account holders. Sullivan has also tried to assure customers that CBA are taking this breach seriously after being made aware of it in 2016, by putting in place mechanisms to enhance the protection of customer information and informing the relevant authorities, including the OAIC.

The Daily Telegraph has reported that the OAIC is now seeking assurances from CBA that it has learnt from its mistakes and will protect personal data appropriately going forward. The OAIC has also advised customers to contact it if they do not receive a satisfactory response from CBA about the data breach.

Continuing the theme, Cambridge Analytica (who used social media platform Facebook to obtain information from around 87 million Facebook users without their knowledge) has issued a blunt statement confirming that it has entered into voluntary administration. The consulting firm suggests that its closure has been forced upon it as a result of media attention, stripping it of its customers and suppliers for (it claims) activities that were both legal and widely accepted.

Both Facebook and Cambridge Analytica became the subject of heavy media scrutiny when the story broke in February this year, which saw members of the US House of Representatives’ Energy and Commerce Committee question Mark Zuckerberg, CEO of Facebook, over concerns about privacy breaches.

What lessons should be learnt from this?

Both CBA and Facebook are yet to learn their fate for failing to protect their customers’ personal information. The privacy laws in Australia and overseas, plus increased media focus in this area, mean the likely outcome from all of this could be significant. As Cambridge Analytica claim, however, it is often the reputational damage that causes the biggest impact, both financially and non-financially.

Misconduct is the word for the year and it’s becoming ever more important that organisations know how to protect data they obtain, and what to do in the event of a breach.

For further information, see our previous Briefing Paper and blog.