Australia’s Commonwealth Bank lost the bank records of almost 20 million people and decided not to reveal the breach to customers upon discovery since 2016, according to news media reports.
The bank admitted its mistake on Wednesday night after Buzzfeed News broke the story. It reported that 12 million – half the Australian population – was affected.
Commonwealth Bank, Australia‘s biggest bank, said it lost two magnetic data tapes that stored names, addresses, account numbers and transaction details from 2000 to 2016.
They were meant to be destroyed by a subcontractor in May 2016, according to national broadcaster ABC, but the bank never received documentation for confirmation.
The bank assured customers that their passwords and PINs that could be used for fraud remain intact.
It also emphasised that “no evidence was found of any customer information being compromised”.
Angus Sullivan, the bank’s acting group executive for retail banking services, released an official statement on Wednesday.
“We take the protection of customer data very seriously and incidents like this are not acceptable,” he said.
“I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”
Commonwealth Bank initially notified the Office of the Australian Information Commissioner of the breach shortly after it occurred.
Sullivan said the bank undertook a thorough forensic investigation and provided updates to its regulators.
It also hired accounting firm KPMG to conduct a search to find the missing tape drives, but found no trace.
The forensic team formulated the view that the data had most likely been destroyed, without conclusive evidence.
Only 150 people in the organisations, including risk specialists and senior executive team, were aware of the breach when it occurred.
The bank considered notifying the customers, but ultimately decided that the risk of misuse or discovery of data was low, according to Buzzfeed News.
Ian Narev, the bank’s former CEO, who was in charge at the time of the breach, resigned in August 2017.
Over the past two months, the Commonwealth Bank faced has allegations from the government of money laundering and collecting fees from customers that it knew had died.
The breach is the latest scandal in Australia’s financial industry.
The revelation comes at a time when Australian banks are under unprecedented scrutiny by a royal commission searching for misconduct.