Commbank data loss: Non-disclosure was pretty reasonable

“Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers” screams the headline at Buzzfeed. It’s a great story: the Commonwealth Bank (CBA) can’t say with 100 per cent certainty that two tapes containing data used to prepare bank statements were securely destroyed. And those tapes were not …

  1. Jonbays

    Recovering data from tapes isn't trivial, but if it's not encrypted then I assure you any junior hacker could have posted the data up on the dark web and asked for help, where the resources would be available. As for notifiable data breach, I think it certainly should be now under the new legislation, as unless it was encrypted there is a risk that harm could be caused to someone, given that the amount and type of data make it worth spending effort on recovering it off the lost tapes. Of course the legislation is very open-ended and open to wide interpretation here, so without actual prosecuted breaches and fines we will never know how the courts take these breaches of the Privacy Act.

    1. Anonymous Coward

      Some young gun just ran up an old IBM mainframe in his basement, retrieving data from a tape wouldn't be much of a task.

    2. Andrew Commons

      The Reg piece suggests that the appropriate authorities were notified and that they made the determination that there was not a real risk of serious harm to the CBA customers involved.

      Note that there is a distinction between 'harm' and 'serious harm' that was made deliberately to minimise the number of breaches that needed to be reported.

      The explanatory memorandum that accompanies the legislation makes quite interesting reading in this context.

  2. Phil Kingston

    Another factor is that Joe Bloggs finding a tape of an unfamiliar-to-most media format lying on the street, or the back of a dusty office cupboard etc, is unlikely to know what the hell to do with it. Unless it was labelled with something like "Super-important backup tape containing banking details of 12 million customers".

    Still, no encryption is an epic fail for CommBank's IT bods. The idea that they'd accept the risk of shunting unencrypted tapes to/from a third party speaks volumes about the culture in their IT depts.

  3. TReko

    George Orwell would be proud of CBA

    You gotta love modern corporate double-speak; this is a "customer data incident", not a breach.

    1. Anonymous Coward

      Re: George Orwell would be proud of CBA

      Because if it was, then some exec's bonus would be at risk. Instead it's just swept under the carpet, like CBA always do.

  4. Shadow Systems

    It was secure & encrypted, sorta...

    The password was "password" & the encryption ROT13.

  5. Donald Telfer

    Where are the Keystone Kops?

    Try looking for the lost hardware / data in secondhand discount office equipment dealer stores, especially in and around Canberra.

    Aside from that, this incident has holes in it. "we want to assure our customers that no action is required" ... because we do not know what actually happened, and we have paid good money to the KPMG forensic squad to tell the regulators (sic, the Keystone Kops) everything is OK.

  6. chuckm

    Leave it out Arfur

    Possibly, if you had the right kind of hardware, you could do a scan of the raw tape and piece some or all of the contents together, regardless of all the true things said in the article. I know this is possible because I've had to do it, as have many others faced with disasters of various types and falling back to the last line of defence, which is that pile of tapes over there in the corner...

    That said, isn't this really Fuji Xerox's fail and not the bank's? Presumably the bank engaged FX in good faith to provide a service, which in this respect they botched. Add it to the list; outsourcing, bah humbug.

  7. Anonymous Coward

    a wealth of mistakes

    Apparently they are sending out email to customers saying there is nothing to worry about and you do not have to do anything. Isn't that nice, in 2018, of a problem from 2016.

    They could have just said: since it happened in 2016 and you still have your $$$$, then it's probably OK.

    Or perhaps

    Since the media has drawn attention to the importance of the tapes, the people who have them are now sourcing means of accessing them and will impersonate you using your details soon...


Biting the hand that feeds IT © 1998–2020