You’ll need to update your browser so you can continue to log on to your online banking from 28th February. Update now.

Close

On The Record

CBA contacts customers regarding incorrect email addresses

Email domain issue

CBA has discovered an issue with emails going to incorrect addresses. We've investigated and confirmed no customer data was compromised.

Commonwealth Bank (CBA) today advised that an information security investigation had confirmed that no customer data had been compromised by incorrectly addressed internal emails to the cba.com domain name.

The investigation was initiated after a concern was raised about internal CBA emails being inadvertently sent to email addresses using the cba.com domain prior to April 2017 when the bank acquired ownership of the cba.com domain. CBA’s email domain is cba.com.au.

CBA acting Group Executive Retail Banking Services Angus Sullivan said: “We want our customers to know that we are committed to being more transparent about data security and privacy matters.

“Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge however that customers want to be informed about data security and privacy issues and we have begun contacting affected customers.”

cba.com investigation: key findings

  • Commonwealth Bank has investigated the entire ownership of the cba.com domain name from the time it was first used by a US-based financial services firm Cheslock Bakker & Associates to the 2016-17 period where it was used by a specialist US cyber-security company.
  • CBA found that 651 internal emails sent during 2016-17, which contained data relating to approximately 10,000 customers, were received by the then user of the cba.com domain.
  • An extensive and detailed investigation by CBA confirmed the contents of all 651 internal emails were automatically deleted by the cba.com domain owner’s system, which only collected information on CBA sender and recipient email addresses and the subject of the email.
  • CBA’s investigation confirmed that the emails and any associated data had not been used and were deleted permanently from the cba.com domain owner’s servers.
  • From January 2017, CBA has been blocking internal emails addressed to the cba.com domain name. And in April 2017, CBA acquired ownership of the cba.com domain name and since that time any emails inadvertently addressed to cba.com have been returned as “undeliverable”.

Advice to customers: Although no customer data was compromised, CBA has begun contacting customers whose information was included in the 651 internal emails sent inadvertently to cba.com. CBA’s investigation has confirmed all 651 internal emails had not been used and have been permanently deleted.

Customers’ funds are safe and they are protected against any unauthorised transactions by our 100 per cent security guarantee. If customers have any questions about this matter, they can visit commbank.com.au/domainissue or call 1300 092 864.