No cyber attack, but loss could still lead to identity theft
The Commonwealth Bank’s belated admission of losing historical account records for almost 20 million accounts is the latest example of customers being treated as an afterthought when it comes to data privacy.
The incident is a remarkable illustration of how sensitive customer information can go astray without hackers getting involved. There was no cyber attack, no malware and no sophisticated technology. CBA lost track of the data because its subcontractor, Fuji Xerox, misplaced a couple of magnetic tapes that stored transaction histories and customer names and addresses.
While no PINs or passwords were lost, cybersecurity firm Crowdstrike’s vice-president of technology strategy, Mike Sentonas, said the information could still be used for identity theft. “The data can be used to get fake credit cards, take out loans. There’s a lot of historical information that has gone missing and we still don’t fully understand the scope of the problem,” he said.
CBA says no customer data was compromised or accessed by third parties as a result of the incident, but we will never know if that is so. There is no evidence that the tapes have been destroyed, and no evidence either way on whether the data was accessed.
Mr Sentonas says that spells trouble for CBA customers who may feel they have been affected, because the burden of proof lies entirely with them.
“It’s the customer who carries all the risk in this case. They are the ones who will have to prove that the incident has caused them harm,” he said.
The element the incident shares with cyber attacks is the role of human error.
While Fuji Xerox lost the hardware, in many data breach cases errors made by third-party contractors or suppliers allow hackers into a system. It’s a complex chain of data custody with plenty of room for error and it is difficult for any organisation to stay on top of.
But it’s how an organisation responds to a breach that matters, and CBA and perhaps the Office of the Australian Information Commissioner could have done a better job, Mr Sentonas said.
“I don’t think it’s good enough that CBA chose not to notify its customers. Maybe the OAIC should have asked more questions as well,” he said.
“Consumers have a right to know.”