The Commonwealth Bank of Australia (CBA) has been forced to apologize for failing to disclose the loss of 12 million user records in 2016, following an investigation by BuzzFeed that revealed the tapes on which the information was stored were mishandled by the subcontractor paid to destroy them.

The publication discovered that in 2016, Fuji Xerox, a joint venture between Japanese photographic film provider and the US document management company, was tasked with decommissioning a data center which stored CBA customer data on unencrypted magnetic tapes. In the process, the tapes went missing.

Two tapes, bad times

Commonwealth Bank of Australia ATM
Commonwealth Bank of Australia ATM – Flickr

Having not received the confirmation that the data had indeed been destroyed, the bank hired consultancy firm KPMG to perform an independent investigation into the matter.

The investigators concluded that the “most likely scenario” was that “the tapes had been disposed of,” but they were unable to prove this. Another possibility considered by KPMG was that the tapes were lost while they were being transported to be destroyed. In any case, the data has never been recovered.

In an announcement to the Australian Stock Exchange, CBA claimed that there was “no evidence” that customer information was compromised.

While it admitted that the bank had been “unable to confirm the scheduled destruction by a supplier of two magnetic tapes which contained historical customer statements,” including “names, addresses, account numbers and transaction details” of customers dating from 2000 to 2016, it stated that the tapes didn’t contain “passwords, PINs, or other data which could be used to enable account fraud.”

In an email sent to customers, the company’s group executive for retail banking services, Angus Sullivan, recommended that they continue using their accounts as normal, apologizing for “any concern this incident may have caused.”

The episode has unfolded in an atmosphere of public distrust towards the country’s major banks, following allegations of widespread misconduct, leading the financial services royal commission to conduct an inquiry into their practices.

In 2016, the country’s four biggest banks, including CBA, ANZ, National Australia Bank (NAB), and Westpac, as well as Macquarie, were all implicated in a US class action lawsuit, in which they were accused of rigging Australian interest rate benchmark, the bank bill swap rate (BBSR), and generating hundreds of billions of Australian dollars in illegal profits.

Other accusations against the Commonwealth Bank include inappropriate advice from financial planners, and alleged breaches of anti-money laundering laws.

The commission’s inquiry also uncovered that the bank knowingly collected fees from deceased customers for more than a decade.