Some of the major news out of Australia last week was that the Commonwealth Bank of Australia (CBA) had lost 20 million customer statements. If you, or someone you know, happens to bank with CBA, you can rest assured, according to Angus Sullivan, CBA’s Acting Group Executive, that none of your records have been breached: “…we want to reassure you that there is no evidence of your information being compromised.”
He continued in his press release on 2nd May: “In May 2016, we were unable to confirm that two magnetic tapes were securely disposed of.” During an interview with ABC’s AM program, he went on to say, “We’ve been unable to assure ourselves that the drives have been destroyed, but the investigation that we undertook indicates that the most likely outcome was that they were.”
Fortunately for the bank, no data has been breached, as far as they can currently prove. However, the main issue here lies in the faith of their customers and their key stakeholders. Rightfully, many CBA customers are concerned that it was the media that broke the news of this investigation, not the bank itself. Additionally, many are concerned that it should not have taken two years for CBA to inform customers.
Sullivan has backed CBA’s decision, “When we look back now, the decision that was made at the time has probably been borne out to be a good decision in as much that the data hasn’t turned into fraudulent activity.”
CBA claims that the magnetic tapes in question were “supposed to be destroyed by sub-contractor Fuji-Xerox” last year after the decommissioning of a data centre.
Interestingly, it’s the Commonwealth Bank who was forced to step into the bright, agonising spotlight of the media, not Xerox who supposedly lost the tapes.
What they got right
The steps that CBA took immediately after the investigation were generally correct.
According to Sullivan, they notified their regulators, APRA and the Privacy Commissioner. This was followed by the commissioning of an independent forensic investigation conducted by KPMG “to help us identify steps we can take to avoid similar incidents in the future.”
RiskLogic sees this often: organisations have to go through an event before they are convinced of the importance of reviewing and implementing internal analysis and continuity procedures, when they should actually be doing it in advance. The point is, they are doing it now.
They also heightened the ongoing monitoring of accounts to ensure they can promptly identify suspicious activity on those accounts.
CBA took no chances and put stronger measures in place in their security operations for their customers. It seems they learnt quickly from this event and enforced the correct procedures.
It must be noted too that the media coverage was handled well. CBA openly shared their investigations and steps to both their customers and the press.
They centred all media communication on one man: Angus Sullivan. Putting one face to a situation, as opposed to many, is a good technique. In the media, one face is better than dozens, and when it’s a well-spoken face, the audience can begin to trust the brand again.
Sullivan confirmed to CBA customers that “the information on the tapes has partial information used to generate statements, in and of itself not entirely sufficient for fraudulent activity”. No PINs or passwords were stored on these tapes; that’s the silver lining here for CBA customers.
But why did this happen in the first place?
Third party hits again
If we had an article every time a third party disrupted the operations of an organisation, this website would begin to replicate the New York Times.
In September 2017, we covered the story of the Auckland Fuel crisis, which led to Brad Law, Senior Consultant and Country Manager NZ, presenting his findings on the event at the Auckland BCI forum, courageously delivering them while a member of the affected Air NZ sat opposite.
An even bigger example was Facebook’s biggest hurdle yet, thanks to the acts of Cambridge Analytica.
Another, almost comical example comes from Britain’s Prime Minister, Theresa May who put her trust in a party member. This individual left a briefcase with physical copies of May’s travel movements on a train heading to Scotland. And obviously these high-security files were not handed back to the Government, no, they were handed to the Daily Mail. A literal treasure trove for anyone wanting to cause harm.
Unfortunately, there is no single answer to combat the mistakes of third parties and sub-contractors. They are liable to happen whether you pick wisely or not. The fundamental lesson, therefore, is to put procedures in place to overcome a similar event. This is likely what CBA already had in place, but do you?
In the manufacturing space, RiskLogic has serviced over 50 different suppliers. As part of our offerings to our clients, we can conduct a review of suppliers, sub-contractors and third-party processes.
The outcome of these reviews helps in a few ways:
- It reiterates to the sub-contractor that their client is serious about continuity measures and investing in maintaining a high level of checks.
- It helps encourage those sub-contractors to check their own internal procedures.
- It brings confidence to stakeholders; whether that be customers or board members.
- It helps identify gaps before they’re breached and allows positive conversations to happen before any breach of contracts occurs.
RiskLogic offers these investigations as a service, which subsequently helps identify potential issues with suppliers and contractors. Those that already practise this usually wish to continue proving their commitment across the board by implementing an investigation.
To avoid any potential media frenzy or damage to your reputation, get in touch today to discuss how we run supplier reviews and audits.