Recovering data from tapes isn't trivial, but if it's not encrypted then I assure you any junior hacker could have posted the data up on the dark web and asked for help, where the resources would be available. As for notifiable data breach, I think it certainly should be now under the new legislation, as unless it was encrypted there is a risk that harm could be caused to someone, given the amount and type of data makes it worth spending effort on recovering off the lost tapes. Of course the legislation is very open ended and open to wide interpretation here, so without actual prosecuted breaches and fines we will never know how the courts take these breaches of the Privacy Act.
Commbank data loss: Non-disclosure was pretty reasonable
“Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers” screams the headline at Buzzfeed. It’s a great story: the Commonwealth Bank (CBA) can’t say with 100 per cent certainty that two tapes containing data used to prepare bank statements were securely destroyed. And those tapes were not …
COMMENTS
-
Thursday 3rd May 2018 11:37 GMT Andrew Commons
The Reg piece suggests that the appropriate authorities were notified and that they made the determination that there was not a real risk of serious harm to the CBA customers involved.
Note that there is a distinction between 'harm' and 'serious harm' that was made deliberately to minimise the number of breaches that needed to be reported.
The explanatory memorandum that accompanies the legislation makes quite interesting reading in this context.
-
Thursday 3rd May 2018 02:12 GMT Phil Kingston
Another factor is that Joe Bloggs finding a tape of an unfamiliar-to-most media format lying on the street, or the back of a dusty office cupboard etc, is unlikely to know what the hell to do with it. Unless it was labelled with something like "Super-important backup tape containing banking details of 12 million customers".
Still, no encryption is an epic fail for CommBank's IT bods. The idea that they'd accept the risk of shunting unencrypted tapes to/from a third party speaks volumes about the culture in their IT depts.
-
Thursday 3rd May 2018 07:50 GMT Donald Telfer
Where are the Keystone Kops?
Try looking for the lost hardware / data in secondhand discount office equipment dealer stores, especially in and around Canberra.
Aside from that, this incident has holes in it. "we want to assure our customers that no action is required" ... because we do not know what actually happened, and we have paid good money to the KPMG forensic squad to tell the regulators (sic, the Keystone Kops) everything is OK.
-
Thursday 3rd May 2018 12:51 GMT chuckm
Leave it out Arfur
Possibly if you had the right kind of hardware you could do a scan of the raw tape and piece some or all of the contents together, regardless of all the true things said in the article. I know this is possible because I've had to do it, as have many others faced with disasters of various types and falling back to the last line of defence, which is that pile of tapes over there in the corner...
That said, isn't this really Fuji Xerox's fail and not the bank's? Presumably the bank engaged FX in good faith to provide a service, which in this respect they botched. Add it to the list: outsourcing, bah humbug.
-
Thursday 3rd May 2018 23:08 GMT Anonymous Coward
a wealth of mistakes
Apparently they are sending out email to customers saying there is nothing to worry about and you do not have to do anything. Isn't that nice, in 2018, of a problem in 2016.
They could have just said that since it happened in 2016 and you still have your $$$$, it's probably OK.
Or perhaps:
Since the media has drawn attention to the importance of the tapes, the people who have them are now sourcing means of accessing them and will impersonate you using your details soon......