May 3, 2018

How the government helped the Commonwealth keep its breach secret

The Commonwealth Bank would have been forced to disclose its mammoth data breach if the government had fulfilled its promise of requiring companies to report breaches. But instead the government took three years to do it.

Bernard Keane — Politics editor


On March 3, 2015, then-Attorney-General George Brandis and the then-Communications Minister, Malcolm Turnbull, gave a solemn undertaking in response to the parliamentary committee that had examined, and approved, Tony Abbott's data retention legislation. In the view of the Joint Committee on Intelligence and Security, if the government was going to force companies to retain the private information of citizens, citizens needed to know they would be told if their stored information was stolen. "The Committee recommends introduction of a mandatory data breach notification scheme by the end of 2015," its final report said.

Brandis and Turnbull supported that. "The Government agrees to introduce a mandatory data breach notification scheme by the end of 2015, and will consult on draft legislation," they said. It was clear cut, and the government had more than nine months to get it up and running.


27 thoughts on “How the government helped the Commonwealth keep its breach secret”

  1. klewso

    What a coven of liars – but that’s all right, “it’s only politics”?

    1. Wallywonga

      The contemptible behaviour of the banks was encouraged by a thumbs up from the LNP and certain journalists, who continually kept saying “we’ve got your back”, most notably the Australian and AFR crews.
      Aaron Patrick’s (AFR) performance on the Drum yesterday was truly bizarre, when he suggested that the struggle for people with low wages was an “emotional irrelevance” to any economic discussion; that continually referring to trickle down policy was ignorant snobbery (!?!). What’s next for Aaron, joining the Outsiders?

      1. klewso

        Urging us to “Listen to the experts”????
        Like the wishful Patrick and his beloved BCA : ‘Just ignore the abundance of evidence contradicting the BCA BS line being peddled and those experts that don’t support that alt-right ideology’?

        1. Wallywonga

          Yes, apparently any position can be supported by “experts for hire” these days. The opposing experts’ view however (Keane’s position on the Drum) just happens to be supported overwhelmingly by worldwide social data on wealth disparity – something Patrick would not address, and just continually kept sliming away from.

          1. klewso

            Imagine the implications if the editorial staff (seemingly existing in a world of theory and ideology) of a “newspaper” that ostensibly exists to “review financial news” seemed to understand SFA about how the financial system works in reality?

  2. graybul

    Weep, or gnash your teeth! Truth, honesty, accountability; no more lodestone(s) of governance. How quick, democracy erodes. Transparency, merely a carriageway for deceit.

  3. [email protected]

    Quick, contact Michaelia, she’s good at chasing up mobs who allegedly may possibly perhaps have broken a regulation or law. And, just to make sure it’s handled properly, she’ll get the AFP, dozens of them, and the media, dozens of them, on the job.

  4. Nudiefish

    Buzzfeed again?

    How are they getting all these juicy drops? There is yet another story lurking in that direction.

  5. Administrator

    I will endorse this criticism of Brandis and of Turnbull.
    But the CBA cannot escape responsibility by claiming they were not compelled by the legislation to disclose their loss of customer personal information. The bank had a duty of care to customers and breached it and fully merits a class action. Where do I sign?
    Quite apart from the legal consequences are these. A bank runs on trust. Its directors are selected upon that criterion above all. If trust fails, a run on a bank will break it in days (ask any Greek). The challenge for Australian customers is: where to take their business?
    The entire industry in Australia, including its regulators, is undeserving of customer trust.
    For Truffles to ask that he now be trusted to fix the problem is the kind of brazen, stupefying arrogance to which this government has sunk. He (and his learned friend Brandis) has eagerly participated in one Parliamentary wild goose chase after another while letting core business rot.

    1. MJM

      “For Truffles to ask that he now be trusted to fix the problem is the kind of brazen, stupefying arrogance to which this government has sunk.”

      For mine the problem was evident in the msm the day after Trumble replaced Abbott. When questioned about his wealth Trumble batted further questions away by inferring it was vulgar to talk about money and the msm obligingly shut up.

      He is PM of Australia, he has $200 million salted away in the Caymans and we should all just shut up and accept it? We get the government we deserve so long as we keep accepting such deferential treatment of the obscenely wealthy.

      1. [email protected]

        Yes, the very best thing he could do for this country is piss off and live with his millions in the Caymans, and if they won't take him, go anywhere else but back here.

    2. Nudiefish

      Explain to me again how banks are better than bitcoin?

      1. Rais

        I’ll explain it after the Royal Commission into Bitcoin submits its report. 🙂 Seriously, most national currencies still represent something concrete, Bitcoin only exists as data and only has the value its purchasers ascribe to it. They aren’t comparable, Bitcoin isn’t a currency – yet.

  6. gjb

    I received an email “Response to recent media reports on customer data” from CBA just today.
    Dear CommBank Customer,
    Following recent media reports detailing an incident in May 2016, we want to reassure you there is no evidence of your information being compromised and you do not need to take any action.

    Here is what you need to know:

    There is no evidence that any customer information was compromised.
    In May 2016 we were unable to confirm the scheduled destruction of two magnetic tapes used by a supplier to print bank statements. These tapes contained information including customer names, addresses, account numbers and transaction details.
    They did not contain passwords or PINs which could enable fraud.
    We deployed enhanced reporting and ongoing monitoring of customer accounts to ensure customers were protected. These protections are still in place today.
    This was not cyber-related. CommBank’s technology platforms, systems, services, apps and websites were not compromised.
    CommBank offers you a 100% security guarantee against fraud for all your accounts, where you are not at fault. We cover any loss should someone make an unauthorised transaction.
    Here is what you can do:

    Continue using your accounts as you always have.
    Please remember that CommBank staff will never ask you to divulge your passwords or PINs. We do not send emails with links requesting you to confirm, update or disclose your confidential banking information.
    If you have questions or would like to discuss, please call us at 1800 316 433.
    If you would like to find more information you can visit http://www.commbank.com.au/customerassurance

    I want to apologise for any concern this incident may have caused. If there is any change in circumstances I will let you know.

    Yours sincerely,

    Angus Sullivan
    Acting Group Executive Retail Banking Services

    1. Rais

      Oh, well, that’s all right then. I haven’t received that email but my account is with Bankwest which, although a division of CBA, may have separate records. ¯\_(ツ)_/¯

    2. Administrator

      “This is what you need to know”.
      Hell, no! We already knew the data lost was more about lost privacy than it was about fraud exposure. I for one am way beyond accepting CBA’s view about what I need to know.
      “I want to apologise for any concern this incident may have caused.” Sic. Then apologise, Angus, and fall on your sword. “May have caused…” The man has talent for politics.
      I am also way beyond accepting CBA’s view that an Enforceable Undertaking over future misdemeanours is an acceptable penalty for its past breaches! Hell, no! If the Government will not hold the CBA to account, I will lead the charge of departing customers.

      1. Rais

        I wonder if the smaller banks are any better? Until the RC examines them how would we know?

    3. Administrator

      “There is no evidence that any customer information was compromised.”
      It fell off the back of a truck and we have no idea who has it now. Of course it is “compromised”!
      “We deployed enhanced reporting and ongoing monitoring of customer accounts…”
      This was NOT CBA’s call! Customer data was lost into unknown hands and the very clear obligation was for the bank to immediately notify customers. There is no question about this. The CBA had no business to accept the many privacy risks on behalf of customers. Nondisclosure is a breach of trust and deceptive, misleading conduct.
      “Here is what you can do: Continue using your accounts as you always have.”
      Here is what else you can do. Discontinue your accounts. I am gone, and it is not because of what the RC found. I am gone because banks have lost my trust by their behaviours before and after the RC.

    4. Administrator

      “Dear CommBank Customer,”
      We cannot address you by name because, um, we lost it…
      We have sent you our updates of our privacy statement every second month since March 2016, whenever our lawyers found another loophole we might want to crawl through… and we hope that one of them has allowed us, in our unchallenged discretion, to decline to disclose to you that our behinds are actually totally exposed to the elements, just like your private records.

  7. Sleuth

    “A cynical observer might think the government had been trying to protect big companies from public exposure of their stuff-ups. But of course, we know that couldn’t be true”.
    It’s not only true, but also intentional. This government couldn’t give a rat’s arse about customers. Get up to speed, it’s all about profits, without even a skerrick of accountability or transparency.

  9. AR

    I remember.. a day 30+ years ago, a very earnest Neal Blewett stood on his hind legs claiming that the Data Protection Agency would ensure the ill fated (from inception) Oz Card could never have information go astray.
    To loud derision from both sides of the Chamber.
    Ah, those Halcyon Daze, when the world was so much simpler and Life was for living, not posting on line.

  10. bref

    And still we see no heads rolling. Where are the regulators? Or, yet again, is no one able to comment on the record because there’s an ongoing investigation. LOL
