The Commonwealth Bank of Australia has admitted to mistakenly sending internal emails containing information on roughly 10,000 customers to the wrong email address, the Sydney Morning Herald reports.
Staff were responsible for the gaffe. In total, across 2016 and 2017, 651 internal emails containing data on about 10,000 customers were sent to the wrong address.
The bank's internal investigation found that staff omitted the “.au” at the end of the domain name: instead of sending the emails to addresses at cba.com.au, they sent them to cba.com. Luckily for the Commonwealth Bank of Australia, cba.com was at the time owned by a United States cybersecurity company; before that, the domain belonged to an American financial services firm, Cheslock Bakker & Associates.
“We want our customers to know that we are committed to being more transparent about data security and privacy matters,” bank officials said in a statement supplied to the Sydney Morning Herald.
No customer data was compromised, the bank says, an assurance that rests on what the domain's then-owner did with the misdirected mail rather than on any control of the bank's own. To contain the problem, the Commonwealth Bank of Australia bought the cba.com domain, and since January 2017 it has blocked internal emails addressed to cba.com.
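The failure mode above is a corporate domain with one label dropped, and the bank's fix was a blanket block on the one variant it had already hit. The following is an added example, not the bank's own tooling: an outbound-recipient check that derives every single-label truncation of the corporate domain (cba.com.au gives cba.com and cba.au) and also flags one-keystroke typos of it, while letting genuine internal addresses, subdomains and unrelated external domains through. The corporate domain cba.com.au is taken from the article; the recipient list in main() is constructed, and the assumption is that addresses arrive as bare user@domain strings.

```python
"""Outbound-mail recipient check for near-miss variants of a corporate domain.

Added example, not the bank's own code. Assumes the corporate domain is
cba.com.au (from the article) and that the mail pipeline calls
check_recipients() on each outbound message's recipient list.
"""
from typing import Iterable

CORPORATE_DOMAIN = "cba.com.au"  # assumption: the bank's primary mail domain


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def truncation_variants(domain: str) -> set[str]:
    """Domains formed by dropping any one label after the first.

    cba.com.au -> {"cba.com", "cba.au"}. The first label is kept because it
    carries the organisation name; a result without a dot is not a domain.
    """
    labels = domain.split(".")
    variants = set()
    for i in range(1, len(labels)):
        candidate = ".".join(labels[:i] + labels[i + 1:])
        if candidate != domain and "." in candidate:
            variants.add(candidate)
    return variants


def classify_domain(domain: str, corporate: str = CORPORATE_DOMAIN) -> str:
    """Return 'internal', 'block' or 'external' for a recipient domain."""
    d = domain.lower().rstrip(".")
    if d == corporate or d.endswith("." + corporate):
        return "internal"                      # the domain itself or a subdomain
    if d in truncation_variants(corporate):
        return "block"                         # the exact failure mode: a label dropped
    if _edit_distance(d, corporate) <= 1:
        return "block"                         # one-keystroke typo of the corporate domain
    return "external"                          # unrelated domain: leave to normal DLP policy


def check_recipients(recipients: Iterable[str]) -> dict[str, str]:
    """Map each bare address to a verdict; malformed addresses get 'invalid'."""
    verdicts = {}
    for addr in recipients:
        local, sep, domain = addr.rpartition("@")
        if not sep or not local or not domain:
            verdicts[addr] = "invalid"
            continue
        verdicts[addr] = classify_domain(domain)
    return verdicts


if __name__ == "__main__":
    # Constructed recipient list covering each verdict.
    sample = [
        "alice@cba.com.au",       # internal
        "frank@mail.cba.com.au",  # internal subdomain
        "bob@cba.com",            # block: ".au" dropped (the article's case)
        "carol@cba.au",           # block: ".com" dropped
        "dave@cba.con.au",        # block: single substitution
        "erin@example.com",       # external
        "not-an-address",         # invalid
    ]
    for address, verdict in check_recipients(sample).items():
        print(f"{verdict:8s} {address}")
```

The check keeps returning "block" for cba.com even after the bank acquired the domain: mail to it still leaves the internal mail system, and a rule keyed on the derived variants costs nothing to keep. Because it generalises the bank's single hard-coded block to all truncations and one-edit typos, it will occasionally flag a legitimately distinct domain at edit distance one, which is why the verdict is meant to hold the message for review rather than silently drop it.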
This is not the first time the Commonwealth Bank of Australia has been involved in a scandal over customer information. A month earlier, Buzzfeed revealed that the bank had lost the personal financial histories of 12 million customers. Considered one of the largest privacy breaches in Australian history, the incident was, according to Buzzfeed, deliberately covered up by the bank.
That breach occurred in 2016, after a subcontractor lost magnetic backup tapes containing customer financial information.
The subcontractor, Fuji Xerox, was supposed to destroy backup magnetic tapes holding financial statements. No “destruction certificate” could be found, however, so the Commonwealth Bank launched an investigation into what had happened to the data. Having started the investigation, the bank notified the Office of the Australian Information Commissioner (OAIC), the independent Australian Government agency that acts as the national data protection authority.
According to Buzzfeed, the bank then set about spinning the breach rather than informing the public of it truthfully. It hired a forensic team to conduct an exhaustive search for the missing tapes and formed a remediation task force called “Project Chesapeake.” Around 150 people in the organization knew the details of the breach.
The forensic team later concluded that the tapes may not have been properly secured and could have fallen from the truck carrying them for destruction.