CBA customers caught in email address confusion
The Commonwealth Bank of Australia (CBA) has revealed it discovered an issue with emails going to incorrect addresses – but says no customer data was compromised.
The bank conducted an information security investigation, which it says confirmed that customer data was unaffected by incorrectly addressed internal emails to the cba.com domain name.
CBA acting group executive retail banking services Angus Sullivan says: “We acknowledge however that customers want to be informed about data security and privacy issues and we have begun contacting affected customers.”
As you’d expect, CBA is not a unique acronym. The bank investigated the entire ownership history of the cba.com domain name, from the time it was first used by US-based financial services firm Cheslock Bakker & Associates to the 2016-17 period, when it was used by a specialist US cybersecurity company.
CBA found that 651 internal emails sent during 2016-17, which contained data relating to approximately 10,000 customers, were received by the then user of the cba.com domain.
It says all those emails were automatically deleted by the cba.com domain owner’s system, which only collected information on CBA sender and recipient email addresses and the subject of the email.
CBA’s investigation “confirmed that the emails and any associated data had not been used and were deleted permanently from the cba.com domain owner’s servers”.
CBA says it has been blocking internal emails addressed to the cba.com domain name since January 2017. In April 2017, CBA acquired ownership of the cba.com domain name, and since that time any emails inadvertently addressed to cba.com have been returned as “undeliverable”.
Calamity bites Australia
It’s not been a great time for CBA of late.
On 11 May, CBA charged the dead. At the Australian Royal Commission into banking misconduct, the bank admitted its planning arms breached the Corporations Act when they charged clients – including some who had died – fees for services they did not receive.
Before that, on 2 May, CBA admitted to losing track of data tapes containing customer information for 19.8 million customer accounts in a security breach… way back in 2016.
It says the 2016 incident was not cyber-related and “there has been no compromise of CBA’s technology platforms, systems, services, apps or websites”.
Last month, CBA was also hit by online banking systems issues.