SYDNEY (Reuters) - Commonwealth Bank of Australia (CBA), the country’s top lender, confirmed on Thursday it lost records of almost 20 million accounts and decided to not inform its clients, a breach the nation’s prime minister called “an extraordinary blunder”.
CBA’s announcement, which was made in a YouTube video by a senior bank executive a day after BuzzFeed Australia reported the data breach, puts further pressure on Australian banks already reeling from revelations of widespread misconduct in a judicial inquiry.
It is also the latest blow to CBA, which has been accused in a federal lawsuit of breaching anti-money laundering protocols more than 50,000 times and has admitted to using outdated medical definitions to refuse sick customers health insurance payouts.
Earlier this week, a regulator ordered CBA to keep an extra A$1 billion ($750 million) in cash reserves as punishment for the alleged money laundering breaches, which it is contesting.
In a YouTube video, CBA’s acting head of retail banking services, Angus Sullivan, said the bank found in May 2016 it had lost two magnetic tapes containing 15 years of data on customer names, addresses and account numbers for 19.8 million accounts.
The tapes were due to be disposed of, but CBA could not confirm they were securely destroyed, Sullivan said. The tapes did not contain PINs, passwords or other data that could enable account fraud, he said.
The bank informed its regulators and launched an internal investigation which found the tapes had “most likely been disposed of”, Sullivan said. It did not tell customers because “we balanced the need to alert customers without unnecessarily alarming them”, he said.
“This is an extraordinary blunder,” Prime Minister Malcolm Turnbull told reporters.
“It’s hard to imagine how so much data could be lost in this way. If that had happened today, the bank would have to advise each of their customers,” Turnbull added.
CBA is seen as a stable part of life in the country of 24 million where most people have had a mortgage, insurance policy or regular savings account with CBA at some point - often starting with its famed “Dollarmites” deposit account for school children.
But the crises have started affecting its financial performance because of concerns it will result in heightened regulations, and CBA shares are down about 7 percent so far this year while the broader market is up. CBA shares ended up 0.6 percent on Thursday, roughly in line with the broader market.
Reputation management experts, however, said CBA’s move to use YouTube to take responsibility for the incident and reassure customers no personal data was stolen was a smart one.
“They’ve so overdrawn their goodwill cheque account that there’s not much they can do to push back on this,” said Steve Harris, CEO of The Brand Agency, a communications and image consultant.
“They need to bypass the media and communicate directly to get their message through, because whatever they (say) via media it will be put into a whirlpool of Royal Commission, money laundering and other filters,” added Harris, referring to the powerful independent inquiry into the broader finance sector.
Consumer psychologist Adam Ferrier said posting a YouTube video and “trying to put a face to the banks and admitting to errors is always a good strategy”.
By mid-afternoon, the video had been viewed 3,798 times, according to data published on YouTube.
($1 = 1.3296 Australian dollars)
Reporting by Byron Kaye and Wayne Cole; Editing by Muralikumar Anantharaman
Our Standards: The Thomson Reuters Trust Principles.