Following the news that Australia’s Commonwealth Bank may have lost the data of 20 million accounts in 2016 when it failed to confirm that magnetic tapes had been destroyed by a subcontractor, IT security experts commented below.
Tony Pepper, CEO and Co-founder at Egress Software Technologies:
“The potential loss of 15 years of banking data is a serious breach of customer trust. Whether the data has been compromised or not, the principle remains that customers trust organisations like banks with highly sensitive information, and they therefore have a responsibility to those customers to guarantee that the data they hold is protected for however long they process it and then properly erased.
“At its heart, this breach lies in human error – someone was meant to destroy the data and make a record to that effect, and they failed to do so. But the responsibility lies with the organisation because such a monumental opportunity for error shouldn’t exist. There should be policies, procedures and technology in place that ensures data is protected at all stages of its life cycle, for example by encryption, and then erased. The third party also cannot be used as a scapegoat. Increasingly legislation is making it clear that it is the responsibility of the data processor – in this case the bank – to ensure that the third parties they use also have the correct tech, policies and procedures in place to protect sensitive information.”
Michael Jordan, Senior Director at Shared Assessments:
“The control that failed, backup media management, is one of the oldest IT controls around. Sometimes the focus on newer threats draw attention away from fundamental controls. In those cases, errors like this can happen more frequently and often without detection.
“From a response perspective, the bank appears to have gone through the right motions, activating a response team, performing a detailed investigation using third party expertise, and even coming up with a decision on whether to notify using the best information available. While encryption was not enabled, if the reports are correct, there were other legitimate mitigating factors and external guidance that led the bank to the conclusion that the risk of loss was low.
“However, the decision became less prudent over time. At the time, even only two years ago, there was not such sensitivity to data privacy as there is today. The lack of credentials in the data that could lead to fraud was the bank’s primary concern in their decision. Now, with the focus on data privacy and frequent data breaches in the news, the impact of private data loss is much higher in their customers’ eyes. It is also higher in the eyes of regulators enforcing new laws that did not exist at the time.
“When making risk-based decisions, it is important to consider the effects of a risk in today’s environment, but also what could be the environment in the future.”
Catherine A. Allen, Chairman & CEO at Shared Assessments:
“The loss of the tapes highlights the importance of risks inherent with third parties handling sensitivity be data for organizations. Hopefully the tapes were encrypted, therefore harder to access. If not, it creates the same concerns of a breach: who has access to the data and how might they use it in negative ways. “