Background

We take the protection of customer data very seriously and that’s why we are contacting around 10,000 customers affected by an issue regarding incorrectly addressed internal emails that we uncovered and investigated in 2017.

No customer data has been compromised as a result of this issue; however, we know customers want to be informed about data security and privacy issues.

What happened?

In January 2017 we commenced an investigation, which found that from April 2016 there were 651 CommBank emails, containing information on approximately 10,000 customers, that had been incorrectly sent to email addresses on the cba.com domain rather than CommBank’s email domain, cba.com.au.

The issue arose because, although CBA owns the cba.com.au domain name, the shorter domain cba.com was owned by third parties: originally a US-based financial services firm, Cheslock Bakker & Associates, and during the 2016-17 period a specialist US cyber-security company. Because cba.com was a live domain receiving mail, messages addressed to it were delivered to that third party rather than being returned as undeliverable.

Our detailed investigation confirmed that the cba.com domain user’s system automatically deleted the contents of all of these emails, retaining only the message metadata: the CBA sender and recipient email addresses and the subject line. We also confirmed that none of the data had been used and that it has been permanently deleted from the cba.com domain user’s email servers.

Since January 2017 we have blocked internal emails addressed to the cba.com domain name. In April 2017 we acquired ownership of the cba.com domain name, so any email inadvertently addressed to cba.com is now returned as “undeliverable”.

Advice to customers

There is no evidence of customer information being compromised and customers do not need to take any action.

Although no customer information was compromised, CommBank will be contacting customers whose information was included in the 651 internal emails sent inadvertently to cba.com.

CommBank’s investigation has confirmed that all 651 internal emails, and any related data, were not used and have been permanently deleted.

None of the emails contained any customer passwords or PIN codes.

Customers’ funds are safe and they are protected against any unauthorised transactions by our 100 per cent security guarantee.

Please remember that CommBank staff will never contact customers asking for passwords or PINs. We do not send emails with links requesting customers to confirm, update or disclose confidential banking information.

If customers have any further questions about this matter we have a dedicated hotline: 1300 092 864.

Further information

Was my data compromised?

No customer information was compromised. None of the emails contained any customer passwords or PIN codes. CBA’s investigation confirmed all internal emails sent in error to cba.com, and any related data, were permanently deleted. Your funds are safe and they are protected against any unauthorised transactions by our 100 per cent security guarantee.

How did emails get sent to the wrong email address?

These emails were sent in error: they were addressed to cba.com instead of CommBank’s domain, cba.com.au, and because cba.com was owned by a third party at the time, they were delivered there rather than returned. We have thoroughly investigated the matter and have taken the necessary steps to prevent this from happening again. While we do not want to minimise any concerns you may have, it is important to note that no customer information was compromised.

Is my data and my accounts safe?

Yes, your data and accounts are safe. Through our detailed investigation we have been able to confirm that no customer information was compromised. Our investigation has further confirmed that all of the internal emails sent in error, and any related data, have been permanently deleted.

What steps are you taking to fix this issue?

We now block internal emails addressed to the cba.com domain name. In April 2017 we acquired ownership of the cba.com domain name, so any email inadvertently addressed to cba.com is now returned as “undeliverable”.
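The notice says, under “What happened?” and again here, that internal mail addressed to cba.com is now blocked, but not how. The script below is an added example, not CommBank’s own code or tooling, of the kind of recipient check a mail gateway or sending client could run on every outbound message: it refuses any recipient whose domain is on an explicit block list or is the organisation’s own domain with trailing labels dropped (cba.com.au becomes cba.com). The domain names, the block list and the sample header are assumptions constructed for the example.

```python
"""Outbound recipient check for lookalike corporate domains.

Added example, not CommBank's own code. Flags recipients whose domain is a
truncated form of the organisation's domain (cba.com.au -> cba.com) or is on
an explicit block list, including subdomains such as mail.cba.com.
Domain names below are assumptions taken from the notice.
"""
from dataclasses import dataclass
from email.utils import getaddresses
from typing import List, Optional, Set

ORG_DOMAIN = "cba.com.au"        # assumed organisation domain
BLOCKED_DOMAINS = {"cba.com"}    # assumed block list: the lookalike the notice names


def truncated_variants(domain: str) -> Set[str]:
    """Lookalikes made by dropping trailing labels, keeping at least two.
    cba.com.au -> {cba.com}; example.co.uk -> {example.co}; example.com -> {}.
    A bare registrable label ('cba') is not a mailable domain, so it is skipped.
    """
    labels = domain.lower().strip(".").split(".")
    return {".".join(labels[:i]) for i in range(len(labels) - 1, 1, -1)}


def recipient_domain(address: str) -> str:
    """Domain part of an address, lower-cased, without a trailing dot."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


@dataclass
class Verdict:
    address: str
    domain: str
    blocked: bool
    reason: str


def check_recipients(header_value: str,
                     org_domain: str = ORG_DOMAIN,
                     blocked: Optional[Set[str]] = None) -> List[Verdict]:
    """Parse a To/Cc header value and return a verdict per address.

    An address is blocked when its domain, or any parent domain of it, is on
    the block list or is a truncated variant of org_domain. Addresses with no
    domain part are blocked too: a gateway should not deliver what it cannot
    classify.
    """
    deny = set(blocked if blocked is not None else BLOCKED_DOMAINS)
    deny |= truncated_variants(org_domain)
    verdicts: List[Verdict] = []
    for _display_name, addr in getaddresses([header_value]):
        dom = recipient_domain(addr)
        if not dom:
            verdicts.append(Verdict(addr, dom, True, "no domain part"))
            continue
        # Walk up the domain tree so mail.cba.com is caught by the cba.com rule.
        parts = dom.split(".")
        parents = {".".join(parts[i:]) for i in range(len(parts))}
        hit = parents & deny
        if hit:
            reason = "lookalike of %s: %s" % (org_domain, sorted(hit)[0])
            verdicts.append(Verdict(addr, dom, True, reason))
        else:
            verdicts.append(Verdict(addr, dom, False, "ok"))
    return verdicts


def blocked_addresses(header_value: str) -> List[str]:
    """Just the addresses a gateway would refuse, in header order."""
    return [v.address for v in check_recipients(header_value) if v.blocked]


if __name__ == "__main__":
    # Constructed sample header; not taken from any real message.
    sample = ("Jane Doe <jane.doe@cba.com>, ops@cba.com.au, "
              "Bob <bob@mail.CBA.com>, partner@example.org")
    for v in check_recipients(sample):
        print("BLOCK" if v.blocked else "allow", v.address, v.reason)
```

The check is deliberately applied to the parsed address, not the display name, so a recipient shown as “Jane Doe” but addressed to cba.com is still caught, and domains are compared case-insensitively. The separate “undeliverable” behaviour the notice describes after CommBank took ownership of cba.com is a DNS-level control (one common way is to publish a null MX record for the domain, RFC 7505); the notice does not say which mechanism was used, so that is an assumption, not a statement about CommBank’s configuration.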

What are you going to tell customers who have been affected?

We are contacting all the customers affected to let them know of our investigation, and the steps we took to ensure this doesn’t happen again.

Can I see what information of mine was sent?

Yes, of course. Simply complete a request for access to personal information form or contact us on 1300 092 864 for more information.