NewsBite

Does Commonwealth Bank’s massive data loss put you at risk?

COMMONWEALTH Bank is besieged by angry customers after it emerged the bank had hidden a massive screw-up.

AFTER it emerged that Commonwealth Bank lost customer statements linked to 20 million accounts, the institution has spent the night assuring people they are not at risk.

The bank has admitted it lost financial statements spanning 15 years in 2016, after the story was uncovered by BuzzFeed News.

But the bank says the lost data did not include customers’ passwords or PINs and there was no evidence the information had been compromised.

However, customers have vented their fury at the bank for not informing them of the data breach at all.

When the data stored on tape drives was lost by a subcontractor in 2016, CBA launched an investigation to find out what happened, but the documents were never found.

One theory suggested by a forensic team from accounting firm KPMG was that the tapes might have fallen off the back of a truck taking the data to be destroyed.

But the data was never located — either on the road or on the dark web — and it was decided that it had most probably been disposed of as planned.

However, one Western Australian farmer living with bone cancer claims he was the victim of identity theft after his CBA documents were found in a gutter in Victoria.

Commonwealth Bank lost bank statements linked to 20 million accounts in 2016, but chose not to tell customers. Picture: AAP Image/Brendan Esposito

‘IT AFFECTED OUR CREDIT RATING’

Barry Lakeman said he ended up in debt after criminals used his identity to borrow money and buy goods and services.

He approached Geoff Shannon from Unhappy Banking, who told news.com.au he had been dealing with the Lakemans’ “many loans and credit issues” resulting from the fraud ever since.

Mr Lakeman said CBA told him in 2014 that his statements had been found in a gutter in Victoria, a state he and his wife hadn’t visited for three years. He said the bank suggested his wife must have taken the statements there and left them behind.

Police then called Mr Lakeman in August last year to say they had found his gun licence — only the membership number was wrong, the 59-year-old told The Conversation.

“It was a forgery,” he told Sydney University Adjunct Associate Professor Michael West, who wrote about the issue in September. “The number at the top of the card was different from the number on my card.”

And there have been other incidents too, Mr Lakeman claimed. “In 2015, a company in Victoria rang me and said, ‘We have finished the canvas for your caravan’ ... I don’t even own a caravan.”

Northam Police began investigating the identity theft with the help of Mr Shannon, who took the case to the bank-funded Financial Ombudsman Service set up to handle customer complaints.

But Mr Lakeman still doesn’t know what really happened, telling Prof West: “It really hurt us because when we tried to move and buy a house there was a black mark against us. It affected our credit rating.”

‘A CLEAR BREACH OF TRUST’

While the bank does not comment on individual cases, it has said it immediately put mechanisms in place to protect customers after the 2016 data loss.

But Mr Lakeman is not alone in claiming identity theft. There have been various reports of counterfeit credit cards and identities from CBA-owned BankWest available for sale on the dark web.

CBA is not the only bank vulnerable to data losses and thefts, but it has suffered major damage to its reputation following an embarrassing recent money-laundering scandal.

Customers took to social media overnight to express their fury that they had not been told about the loss of their data.

“Why weren’t customers notified?” asked David Rae, who said he would need to inform his customers. “Why wasn’t the market informed?”

He called it a “clear breach of trust” as well as “incompetence”, while Nelly jane added, “This needs explaining!”

The incident has been called one of the largest financial services privacy breaches in Australia.

CBA is still unable to confirm the destruction of the two magnetic tapes containing customer statements featuring names, addresses, account numbers and transaction details from 2000 to early 2016.

Acting group executive for retail banking services Angus Sullivan issued a statement on YouTube after BuzzFeed exposed the massive data breach. “The tapes did not contain PINs, passwords or other data that could enable account fraud,” he said.

CBA said it had informed the Office of the Australian Information Commissioner and the Australian Prudential Regulation Authority of the incident and provided a briefing.

“The decision not to notify customers was made in light of the investigation’s findings and the account monitoring in place,” said the bank.

‘CUSTOMERS DO NOT NEED TO TAKE ANY ACTION’

The bank has sought to assure customers that there is nothing to worry about from the data loss.

“Commonwealth Bank today confirmed that there was no evidence of customer information being compromised or suspicious activity following an incident in 2016. Ongoing monitoring of accounts by CBA confirms customers do not need to take any action,” the bank said in a statement published on its website.

“CBA’s advice today follows a media report of an incident in May 2016 where the bank was unable to confirm the scheduled destruction by a supplier of two magnetic tapes which contained historical customer statements. The tapes contained customer names, addresses, account numbers and transaction details from 2000 to early 2016. The tapes did not contain passwords, PINs or other data which could be used to enable account fraud.

“An independent forensic investigation ordered by CBA in 2016 and conducted by KPMG determined the most likely scenario was the tapes had been disposed of. The bank immediately put in place monitoring mechanisms to further protect customers.

“The 2016 incident was not cyber-related and there has been no compromise of CBA’s technology platforms, systems, services, apps or websites.”

‘SENSE OF COMPLACENCY’

But OAIC is now making further inquiries after a report by APRA slammed the bank for its “widespread sense of complacency”.

The banking regulator said on Tuesday that community trust in Australia’s banks had been “badly eroded” after CBA had failed to meet expectations and “fallen from grace”.

The bank’s chief executive Matt Comyn went into damage control, as Treasurer Scott Morrison called for more executives from the financial company to step down.

Mr Comyn admitted he had made errors after the inquiry found the bank broke anti-money laundering and counter-terrorism financing laws more than 50,000 times. He told the board he would be refusing his short-term bonus this year — a move that will cost him $2.2 million.

The CEO also said the bank’s top 500 executives would be given printed copies of the 100-plus page APRA report. The executives will have a week to read and respond to the report and make suggestions as to how the bank can change its culture.

Mr Morrison called the report “very damning” and said it should be “required reading” not only for every financial institution in Australia but for board members of any company.

In a statement, CBA said it had and had now confirmed there was no evidence of information being compromised for the 19.8 million accounts involved or suspicious activity following the incident.

emma.reynolds@news.com.au | @emmareyn

Original URL: https://www.news.com.au/finance/business/banking/does-commonwealth-banks-massive-data-loss-put-you-at-risk/news-story/0d74b286f29ed651fe6a6de2d469fa60