

On The Record

CBA confirms no evidence of customer information compromised in 2016 incident

2016 customer information incident

No action required by customers. CBA’s platforms, systems, services, apps and websites unaffected.

Commonwealth Bank today confirmed that there was no evidence of customer information being compromised or suspicious activity following an incident in 2016. Ongoing monitoring of accounts by CBA confirms customers do not need to take any action.

CBA’s advice today follows a media report of an incident in May 2016 where the bank was unable to confirm the scheduled destruction by a supplier of two magnetic tapes which contained historical customer statements. The tapes contained customer names, addresses, account numbers and transaction details from 2000 to early 2016. The tapes did not contain passwords, PINs or other data which could be used to enable account fraud.

An independent forensic investigation ordered by CBA in 2016 and conducted by KPMG determined the most likely scenario was the tapes had been disposed of. The bank immediately put in place monitoring mechanisms to further protect customers.

The 2016 incident was not cyber-related and there has been no compromise of CBA’s technology platforms, systems, services, apps or websites.

2016 Customer Information Incident - Key Points

  • No evidence was found of any customer information being compromised, and over the past two years there has been no evidence of customer harm or suspicious account activity.
  • Ongoing monitoring of the 19.8 million customer accounts involved remains in place as a precaution.
  • Customers’ passwords and PINs were not affected by this incident. Customers do not have to change their passwords or PINs.
  • The Office of the Australian Information Commissioner and the Australian Prudential Regulation Authority (APRA) were both notified of the incident and a briefing was provided on the results of the investigation. The decision not to notify customers was made in light of the investigation’s findings and the account monitoring in place.
  • An independent forensic investigation was conducted, and recommendations were made and acted upon to ensure a similar incident would not happen again.

Acting Group Executive Retail Banking Services Angus Sullivan said: “We take the protection of customer data very seriously and incidents like this are not acceptable. I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause.”

Advice to Customers*

  • There is no specific action that our customers need to take; however, customers with any concerns can call CommBank on 1800 316 433 or visit our website.
  • CBA offers customers a 100 per cent security guarantee against fraud where the customer is not at fault.

Mr Sullivan added: “The relevant regulators were notified in 2016 and we undertook a thorough forensic investigation, providing further updates to our regulators after its completion. We also put in place heightened monitoring of customer accounts to ensure no data compromise had occurred.

“We concluded, given the results of the investigation, that we would not alert customers. We discussed this course of action with the OAIC who subsequently advised that it did not intend to take any further action in relation to the matter. We have however been contacted by the OAIC this week for additional information about this matter and the actions CBA undertook in 2016.”

* Note: The incident involves Commonwealth Bank customers; Bankwest customers are not affected.