Commonwealth Bank admits it lost account data
CBA now admits it should have told customers it had lost historical records for close to 20 million accounts.
The Commonwealth Bank admits it should have told customers about the loss of historical records for close to 20 million accounts, which Malcolm Turnbull today called an “extraordinary blunder”.
The bank today conceded the spectacular breach occurred after it lost track of the storage media, two magnetic tapes, holding the account records. It had chosen not to alert the public to the 2016 incident, details of which emerged yesterday through media reports.
CBA said there was nothing to indicate customer data had been misused and assured customers they were protected.
The Prime Minister said it was “hard to imagine” how so much data could be lost in such a way.
He said new laws introduced by the government and effective from the beginning of this year would have obliged the bank to advise each customer about the loss of their data.
“Maintaining data security is of vital importance for everybody, whether it’s the private sector or governments and if there is a serious data breach or loss, the people affected should be advised so they can take steps to protect themselves,” Mr Turnbull said.
Commonwealth Bank retail banking services acting group executive Angus Sullivan said it was a “judgment call” at the time not to alert customers, balancing that the “most likely” outcome was that the records had been destroyed with “causing undue concern for customers”.
“I understand that customers are concerned about their data and the privacy of it, and with the benefit of hindsight, perhaps more disclosure would have been helpful,” Mr Sullivan told Sky Business.
Earlier, in a statement, Mr Sullivan told CBA customers: “Following recent media reports detailing an incident in May 2016, we want to reassure you there is no evidence of your information being compromised and you do not need to take any action.”
The correspondence also attempted to reassure clients their accounts were protected and that the financial institution’s cyber products were unaffected.
The incident came to light at the bank in 2016, when it discovered two magnetic tapes used to record over 15 years of customer statements may not have been securely disposed of.
Customers whose data was lost do not have to take any action as their accounts have been monitored since the incident, an ASX announcement released this morning advised.
The tapes stored personal data of 12 million customers such as names and addresses, but not PINs, passwords “or other data that could enable account fraud,” Mr Sullivan said in a video statement yesterday.
In a statement the bank said it had confirmed there was no evidence of suspicious activity involving the 19.8 million accounts affected following the incident.
CBA says it had been unable to confirm the destruction of two magnetic tapes containing historical customer statements.
The tapes contained customer names, addresses, account numbers and transaction details from 2000 to early 2016.
An investigation in 2016, when the incident occurred, determined it was most likely the tapes had been disposed of and the bank immediately put mechanisms in place to further protect customers.
However, CBA decided not to alert the public of the incident until media reports yesterday publicised the problem.
“We take the protection of customer data very seriously and incidents like this are not acceptable,” Mr Sullivan said.
“I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”
The bank said it had commissioned a “forensic” investigation by KPMG on discovering the incident, and notified the Australian Prudential Regulation Authority and the Australian Privacy Commissioner.
The KPMG probe found no evidence that customers’ data had been compromised, or accessed by third parties, CBA said.
“We balanced the need to alert customers without unnecessarily alarming them,” Mr Sullivan said.
It comes as the banking royal commission has spotlighted endemic cultural problems in Australia’s financial services industry, including multiple failures by CBA to prioritise customer interests.
On Tuesday, a damning review of Commonwealth Bank by APRA found that bumper profitability “dulled” the bank’s senses to signals that might otherwise have alerted the board and senior executives to problems emerging inside the bank, and to a deterioration in CBA’s risk profile.
APRA’s report found CBA guilty of “complacency”, a “reactive stance”, as well as being insular and not learning from experiences and mistakes.
CBA on Wednesday advised its customers to “continue using your accounts as you always have”.
In February this year, Australia’s mandatory data breach notification laws (the Notifiable Data Breaches scheme) came into force, requiring organisations covered by the Privacy Act to notify affected individuals and the Information Commissioner of data breaches likely to result in serious harm.
Labor treasury spokesman Chris Bowen said the reports of data loss were “extremely concerning”, asking what the Turnbull government and Australian Information Commissioner knew about the breach and when.
“It’s only natural that CBA customers would be worried about the breach — our financial information is one of the most important things to protect,” Mr Bowen said.
“What did the Turnbull government and Information Commissioner know about the breach?
“Why has it taken years — and a media report — for people to find out?
“The government and the Information Commissioner need to make full statements today on their knowledge and actions in 2016.
“Had the government not stalled in introducing Labor’s data breach notification laws that are now in place, the bank would have been required by law to notify affected customers.
“CBA needs to provide information to customers today about what has occurred and what actions were taken after the breach was discovered.”