The Commonwealth Bank is trying to reassure nervous customers after it admitted losing records for almost 20 million accounts when it failed to track down tapes on which the information was stored.
Subscribe now for unlimited access.
or signup to continue reading
The tapes held customer names, addresses, account numbers and transaction details for 19.3 million accounts from 2000 to early 2016, but did not contain passwords or PINS which could be used to enable account fraud, CBA said in a statement.
"Ongoing monitoring of accounts by CBA confirms customers do not need to take any action," the lender said on Thursday.
The bank ordered an independent investigation in 2016 which found the tapes had most likely been disposed of, however customers were never told.
Prime Minister Malcolm Turnbull described the incident as an "extraordinary blunder" and said customers should have been informed.
"It's hard to imagine how so much data could be lost this way," Mr Turnbull said.
"Maintaining data security is of vital important for everybody... and if there is a serious data breach or loss, the people affected should be advised so they can take steps to protect themselves."
Mr Turnbull said if the incident had occurred today, the bank would have been required, under new laws introduced at the start of the year, to publicly advise each customer about the loss of data.
Acting group head of retail banking services Angus Sullivan said the relevant regulators were notified when CBA couldn't confirm whether the two magnetic tapes used to record customer statements were destroyed or not.
"We undertook a thorough forensic investigation, providing further updates to our regulators after its completion," Mr Sullivan said.
"We concluded, given the results of the investigation, that we would not alert customers."
CBA on Thursday reiterated to customers there was no compromise to the bank's technology platforms, systems, services, apps or websites.
"We take the protection of customer data very seriously and incidents like this are not acceptable," Mr Sullivan said.
"I want to assure our customers that we have taken the steps necessary to protect their information and we apologise for any concern this incident may cause."
The Office of the Australian Information Commissioner (OAIC) was notified of the incident in 2016 but did not take any further action.
CBA's admission has, however, sparked renewed interest from the commissioner, who is now is seeking new assurances from the lender that it has learned its lesson on data security.
The latest revelations cap a troublesome couple of weeks for CBA who on Tuesday was slammed by the Australian Prudential Regulation Authority for being complacent, dismissive of regulators, and blind to threats such as the money-laundering scandal that ended the tenure of its CEO.
Despite Thursday's revelations, CBA shares were up 40 cents, or 0.5 per cent, to $73.86 at 1327 AEST.
Australian Associated Press