After Commonwealth Bank of Australia (CBA) financial staff inadvertently omitted the “.au” from a domain name, the bank exposed information on 10,000 customers to a foreign company.
The bank investigated the incident, which occurred last year, and found that 651 internal emails were sent to cba.com instead of cba.com.au, according to a report in The Sydney Morning Herald. CBA has since bought the domain, which was previously owned by a financial services company and, more recently, by a cyber-security firm.
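One control that catches this class of mistake is an outbound-mail check that flags any recipient domain differing from an internal domain by a single dropped DNS label (cba.com versus cba.com.au). The Python below is an added example, not code from CBA or from the report; it assumes cba.com.au as the only internal domain and uses constructed recipient addresses.

```python
from typing import Dict, List, Set

# The bank's legitimate domain, as named in the article. Any address whose
# domain is this one is internal mail and is never flagged.
INTERNAL_DOMAINS: Set[str] = {"cba.com.au"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_label_drop(candidate: str, trusted: str) -> bool:
    """True if `candidate` equals `trusted` with exactly one DNS label removed.

    cba.com is cba.com.au with the trailing 'au' label dropped, the mistake
    described in the article; cba.au (middle label dropped) is caught too.
    """
    labels = trusted.split(".")
    if len(labels) < 3 or candidate == trusted:
        return False
    for i in range(len(labels)):
        if ".".join(labels[:i] + labels[i + 1:]) == candidate:
            return True
    return False


def flag_misdirected(recipients: List[str]) -> Dict[str, str]:
    """Map each recipient whose domain is a one-label truncation of an
    internal domain to the internal domain it resembles.

    A mail gateway or DLP hook would hold or warn on any non-empty result
    before the message leaves the organisation.
    """
    flagged: Dict[str, str] = {}
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom in INTERNAL_DOMAINS:
            continue
        for trusted in INTERNAL_DOMAINS:
            if is_label_drop(dom, trusted):
                flagged[rcpt] = trusted
    return flagged


if __name__ == "__main__":
    # Constructed recipients: one correct, one with the ".au" dropped,
    # one unrelated external party.
    sample = ["ops@cba.com.au", "ops@cba.com", "partner@example.org"]
    print(flag_misdirected(sample))
```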
“Our investigation confirmed that no customer data has been compromised as a result of this issue,” Angus Sullivan, CBA's acting group executive for retail banking services, said in a statement, noting that the bank had already started notifying those customers whose data was affected. “We want our customers to know that we are committed to being more transparent about data security and privacy matters.”
Anthony James, CMO at CipherCloud, said CBA dodged a regulatory bullet, pointing to Australia's new mandatory data breach reporting law, the Notifiable Data Breaches (NDB) act, which took effect on 22 February, as well as the General Data Protection Regulation (GDPR). “If the Commonwealth Bank of Australia (CBA) breach had been discovered after 22 February, 2018, then the NDB stipulates a 30-day maximum window to provide notification,” said James. “Note that if the breach involved even the records of one (1) European customer, then they would have also likely been subject to a 72-hour notification requirement and extremely onerous” GDPR provisions.
“The moral of the story? Customer data must be carefully protected,” said James. “New best practices require a deeper focus on data and threat protection, especially in support of challenging new compliance requirements.”