Massive data leak exposes the details of countless customers

Massive data breach exposes sensitive medical details of bank customers.

A massive data breach has exposed the sensitive medical details of countless bank insurance customers.

CommBank has admitted that medical data held by its insurance arm, CommInsure, was accessible to staff members, such as those making decisions on loan applications, with potential for the data to be misused. 

CommBank is investigating the potential breach but has not yet found any evidence of data being “accessed inappropriately” by employees or of information being accessed outside of its insurance arm.

The breach was discovered in late July 2018 when the bank was preparing for the $3.8 billion sale of CommInsure to the Hong Kong-listed AIA life insurance group.

The bank said it felt compelled to inform the Office of the Australian Information Commissioner, the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) of the breach.

The bank was obliged to inform customers if “there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds”, and that “this is likely to result in serious harm to one or more individuals”. Although CommBank told its customers it did not believe a privacy breach had occurred, it would not clarify how many people might be affected.

“We understand that some customers will be concerned about this shared internal access and we are taking steps to ensure access to all sensitive information associated with CommInsure is provided on a need to know basis,” said a CommBank spokesperson.

Regardless of the bank’s opinion of the extent of the breach, one privacy expert said the onus was on the bank to inform all of its customers of the potential for their information to be abused.

“It's arguable that making health information accessible to unauthorised recipients is a notifiable breach and that, if it isn’t, I don’t think that's consistent with community expectations,” said University of New South Wales data privacy expert Katharine Kemp.

“Whether or not CBA can rely on its interpretation as a matter of law, the community has a reasonable expectation that it would be notified of such a failure in CBA’s governance controls, especially given the sensitive nature of health information.

“Consent is very important here because it goes to the customer's reasonable expectation about what is going to happen with their information,” said Dr Kemp.

CommBank’s culture had been called into question in the banking royal commission, after a number of scandals within the organisation were exposed, including questionable financial advice, rate manipulation and accusations of money laundering by organised crime groups.

It seems we may potentially be able to add questionable use of customer data to the list.

Speaking to Leigh Sales on the 7.30 Report, former CommBank employee turned whistleblower Jeff Morris said the bank’s culture of pressuring staff to meet targets sometimes involved accessing customer information to identify potentially vulnerable people who may have been more susceptible to certain sales approaches.

“This is just a symptom of the greed, and the focus on profits, and the bonuses and everything that’s come out in the royal commission,” said Mr Morris.

“This sort of breach of people’s privacy is exactly what you would expect.”

Mr Morris said, though, that the potential disclosure of private medical information might not be unlawful.

“Whether or not it’s a breach of the Privacy Act, it’s certainly an ethical breach, and that sort of thing was just an everyday event at CBA,” said Mr Morris.

However, he still says customers have the right to be concerned about the potential misuse of their medical information.

“It may have been used to identify someone for a certain sort of product, but at this stage we don’t know,” said Mr Morris.

“We may never know.”

Read more at www.abc.net.au

Are you a CommBank customer? Are you surprised by this latest example of potentially unethical behaviour?

    COMMENTS

    MICK
    3rd Dec 2018
    11:26am
    This is the world we live in. Safe NEVER means safe as businesses demand more and more sensitive information.
    I found it quite incredible that in Italy last year they demanded to photocopy our passports at hotels and even a couple of Airbnbs. It was either hand it over or go pitch a tent and I could not help but think how easy they have made it for identity fraud to occur.
    Comminsure is a small player and last week there was news of the Marriott chain having been compromised. We had our credit card hacked whilst at the Marriott in America in 2014 but they seemed not to care. Never fixed by the sound of it and one wonders how many other businesses fail the secure test because they do not care.
    The solution? There is none as cash will be gone in 5 years from what I can see. Been saying that for a couple of years and the noose has been tightening so even the unbelievers will start to come around.
    Maggie
    3rd Dec 2018
    12:02pm
    Handing over passports in European hotels has been the norm for many many years and I have never yet heard or read about fraud occurring there. They are a safeguard against dishonest people running away without paying, and have proved useful over and again in helping with identification when people go missing or are found dead.

    Hotels keeping credit card details is another matter. They do that for their own protection too (and having seen hotel towels in bathrooms in many places other than where they belong I understand that.) However once they have assured themselves that nothing is missing they should delete those details immediately.
    MICK
    3rd Dec 2018
    12:31pm
    Safe? In a hotel? Kidding?
    I understand the problem but you miss the fact that hotel staff, let alone the information kept on their computers IS NOT SAFE.
    We had our credit card details stolen whilst staying at the Marriott in America and I am surprised that not more theft of information and/or identity fraud has not come of this.
    Rosret
    3rd Dec 2018
    12:37pm
    5 magic beans for a cow?
    The Marriott breach really does bother me. Hotels insist on credit cards and cream off the top with admin fees. I have never felt it was a secure transaction.
    MICK
    3rd Dec 2018
    1:50pm
    Worse than that is that it was happening 4 years ago and still happening. It demonstrates that management has no responsibility towards customers. How many other businesses operate the same way? Italy is a real area of concern though and I'll await what comes out of that.
    Rae
    3rd Dec 2018
    1:54pm
    I doubt America will go cashless MICK. Even in NY 14% of the population have no bank account and work for cash tips. Any country going cashless will find its citizens using US dollars as the default currency.

    I had the experience of being in a foreign city with every possibility neither ATMs nor credit cards would work next day. Never again will I rely on the credit system as it is far too fragile and compromised now.

    Having a credit card from a separate bank to your transaction accounts is a sensible idea.
    MICK
    3rd Dec 2018
    4:46pm
    None of us will have choice Rae as no cash means no tax avoidance as well as being controlled like never before. Think Greece after the GFC. Even the few Greeks who had money could only access their 30 or so euros a day.
    America will be the last to give up cash. They sure do love it but when the world goes cashless so will America no matter how citizens fight it. Coming.....and already evident with a number of countries pulling their high value notes out of circulation.

    3rd Dec 2018
    2:01pm
    Don’t understand why people are worried if their medical information can be seen by staff members
    What’s the risk ?
    Wish ppl would focus on bigger issues like what a disaster if labor came to power
    OlderandWiser
    3rd Dec 2018
    2:41pm
    Or a much bigger disaster if the LNP backed by their top end of town mates get back in & attempt to make the poor poorer & the rich richer.
    History shows Madam guillotine was used on the top end of town & their supporters that made the poor poorer & the rich richer.
    Charlie
    3rd Dec 2018
    2:48pm
    Labor and the Greens will need to wander in the wilderness for 40 years and cleanse themselves before I have any more to do with them.
    MICK
    3rd Dec 2018
    4:49pm
    How do you feel about the LNP Charlie? Blemishless vestal virgins? You may have missed the last 6 years and their debt creation which they want to blame on Labour after being in government for 6 years.
    You may have to vote for Independents. It works in Europe so no reason why it can't work here as long as Australians are not conned by the Lying media barons again.
    Retired Knowall
    3rd Dec 2018
    5:05pm
    You CLOWNS still don't get it, BOTH major parties are TOXIC.
    Vote independent, give your vote to someone that will work for you..not the party line.
    Charlie
    3rd Dec 2018
    9:54pm
    Liberals carry on like a bunch of kids and undoubtedly there will be a display of greed.... But I am more frightened of the social manipulation transexualism and extreme feminism that's supported by labor and the Greens.

    As I am well into age pension now, neither party is likely to bring me any joy
    Charlie
    3rd Dec 2018
    2:29pm
    Who were the employees who accessed the information?.. I won't tell anybody..
    vincent
    12th Dec 2018
    9:40am
    Mick re countries withdrawing high value notes has absolutely nothing to do with a cashless society. You can not use these notes in the normal daily routine of life as no shop or hotel you name will accept them. Even before the euro there was a fl 1000 bill the only way to use it was go to the bank and change it for smaller notes. It is only used by criminals to carry a lot of value in a small package and that avenue will be shut off.
    vincent
    12th Dec 2018
    9:47am
    What is my bank doing with my medical records anyway and who released these. Another reason to opt out of the national health register. Good to know that the Chinese have access to my health records as well. Something smells here, all care and no responsibility from the relevant authorities that should be safeguarding this info. No kidding this has been going on for decades. I had to deal with this in 1982. Nothing has changed.

