Massive data leak exposes the details of countless customers


A massive data breach has exposed the sensitive medical details of countless bank insurance customers.

CommBank has admitted that medical data held by its insurance arm, CommInsure, was accessible to staff members, such as those making decisions on loan applications, with potential for the data to be misused. 

CommBank is investigating the potential breach but has not yet found any evidence of data being “accessed inappropriately” by employees or of information being accessed outside of its insurance arm.

The breach was discovered in late July 2018 when the bank was preparing for the $3.8 billion sale of CommInsure to the Hong Kong-listed AIA life insurance group.

The bank said it felt compelled to inform the Office of the Australian Information Commissioner, the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) of the breach.

The bank was obliged to inform customers if “there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds”, and that “this is likely to result in serious harm to one or more individuals”. Although CommBank told its customers it did not believe a privacy breach had occurred, it would not clarify how many people might be affected.

“We understand that some customers will be concerned about this shared internal access and we are taking steps to ensure access to all sensitive information associated with CommInsure is provided on a need to know basis,” said a CommBank spokesperson.

Regardless of the bank’s opinion of the extent of the breach, one privacy expert said the onus was on the bank to inform all of its customers of the potential for their information to be abused.

“It’s arguable that making health information accessible to unauthorised recipients is a notifiable breach and that, if it isn’t, I don’t think that’s consistent with community expectations,” said University of New South Wales data privacy expert Katharine Kemp.

“Whether or not CBA can rely on its interpretation as a matter of law, the community has a reasonable expectation that it would be notified of such a failure in CBA’s governance controls, especially given the sensitive nature of health information.

“Consent is very important here because it goes to the customer’s reasonable expectation about what is going to happen with their information,” said Dr Kemp.

CommBank’s culture had been called into question in the banking royal commission, after a number of scandals within the organisation were exposed, including questionable financial advice, rate manipulation and accusations of money laundering by organised crime groups.

It seems we may potentially be able to add questionable use of customer data to the list.

Speaking to Leigh Sales on the 7.30 Report, former CommBank employee turned whistleblower Jeff Morris said the bank’s culture of pressuring staff to meet targets sometimes involved accessing customer information to identify potentially vulnerable people who may have been more susceptible to certain sales approaches.

“This is just a symptom of the greed, and the focus on profits, and the bonuses and everything that’s come out in the royal commission,” said Mr Morris.

“This sort of breach of people’s privacy is exactly what you would expect.”

Mr Morris said, though, that the potential disclosure of private medical information might not be unlawful.

“Whether or not it’s a breach of the Privacy Act, it’s certainly an ethical breach, and that sort of thing was just an everyday event at CBA,” said Mr Morris.

However, he still says customers have the right to be concerned about the potential misuse of their medical information.

“It may have been used to identify someone for a certain sort of product, but at this stage we don’t know,” said Mr Morris.

“We may never know.”


Are you a CommBank customer? Are you surprised by this latest example of potentially unethical behaviour?


Written by Leon Della Bosca




Total Comments: 16
  1. 0

    This is the world we live in. Safe NEVER means safe as businesses demand more and more sensitive information.
    I found it quite incredible that in Italy last year they demanded to photocopy our passports at hotels and even a couple of Airbnbs. It was either hand it over or go pitch a tent and I could not help but think how easy they have made it for identity fraud to occur.
    CommInsure is a small player and last week there was news of the Marriott chain having been compromised. We had our credit card hacked whilst at the Marriott in America in 2014 but they seemed not to care. Never fixed by the sound of it and one wonders how many other businesses fail the secure test because they do not care.
    The solution? There is none as cash will be gone in 5 years from what I can see. Been saying that for a couple of years and the noose has been tightening so even the unbelievers will start to come around.

    • 0

      Handing over passports in European hotels has been the norm for many many years and I have never yet heard or read about fraud occurring there. They are a safeguard against dishonest people running away without paying, and have proved useful over and again in helping with identification when people go missing or are found dead.

      Hotels keeping credit card details is another matter. They do that for their own protection too (and having seen hotel towels in bathrooms in many places other than where they belong I understand that.) However once they have assured themselves that nothing is missing they should delete those details immediately.

    • 0

      Safe? In a hotel? Kidding?
      I understand the problem but you miss the fact that hotel staff, let alone the information kept on their computers IS NOT SAFE.
      We had our credit card details stolen whilst staying at the Marriott in America and I am surprised that not more theft of information and/or identity fraud has not come of this.

    • 0

      5 magic beans for a cow?
      The Marriott breach really does bother me. Hotels insist on credit cards and cream off the top with admin fees. I have never felt it was a secure transaction.

    • 0

      Worse than that is that it was happening 4 years ago and still happening. It demonstrates that management has no responsibility towards customers. How many other businesses operate the same way? Italy is a real area of concern though and I’ll await what comes out of that.

    • 0

      I doubt America will go cashless MICK. Even in NY 14% of the population have no bank account and work for cash tips. Any country going cashless will find its citizens using US dollars as the default currency.

      I had the experience of being in a foreign city with every possibility neither ATMs nor credit cards would work next day. Never again will I rely on the credit system as it is far too fragile and compromised now.

      Having a credit card from a separate bank to your transaction accounts is a sensible idea.

    • 0

      None of us will have choice Rae as no cash means no tax avoidance as well as being controlled like never before. Think Greece after the GFC. Even the few Greeks who had money could only access their 30 or so euros a day.
      America will be the last to give up cash. They sure do love it but when the world goes cashless so will America no matter how citizens fight it. Coming…..and already evident with a number of countries pulling their high value notes out of circulation.

  2. 0

    Don’t understand why people are worried if their medical information can be seen by staff members
    What’s the risk?
    Wish ppl would focus on bigger issues like what a disaster if Labor came to power

    • 0

      Or a much bigger disaster if the LNP backed by their top end of town mates get back in & attempt to make the poor poorer & the rich richer.
      History shows Madam guillotine was used on the top end of town & their supporters that made the poor poorer & the rich richer.

    • 0

      Labor and the Greens will need to wander in the wilderness for 40 years and cleanse themselves before I have any more to do with them.

    • 0

      How do you feel about the LNP Charlie? Blemishless vestal virgins? You may have missed the last 6 years and their debt creation which they want to blame on Labor after being in government for 6 years.
      You may have to vote for Independents. It works in Europe so no reason why it can’t work here as long as Australians are not conned by the Lying media barons again.

    • 0

      You CLOWNS still don’t get it, BOTH major parties are TOXIC.
      Vote independent, give your vote to someone that will work for you..
      not the party line.

    • 0

      Liberals carry on like a bunch of kids and undoubtedly there will be a display of greed…. But I am more frightened of the social manipulation transexualism and extreme feminism that’s supported by Labor and the Greens.

      As I am well into age pension now, neither party is likely to bring me any joy

  3. 0

    Who were the employees who accessed the information?.. I won’t tell anybody..

  4. 0

    Mick re countries withdrawing high value notes has absolutely nothing to do with a cashless society. You can not use these notes in the normal daily routine of life as no shop or hotel you name will accept them. Even before the euro there was a fl 1000 bill the only way to use it was go to the bank and change it for smaller notes. It is only used by criminals to carry a lot of value in a small package and that avenue will be shut off.

  5. 0

    What is my bank doing with my medical records anyway and who released these. Another reason to opt out of the national health register. Good to know that the Chinese have access to my health records as well. Something smells here, all care and no responsibility from the relevant authorities that should be safeguarding this info. No kidding this has been going on for decades. I had to deal with this in 1982. Nothing has changed.


