Commonwealth Bank
Summary
Commonwealth Bank, Australia's largest bank, disclosed in December 2018 that it was urgently investigating a potential privacy breach that may have given its staff unauthorised access to customers' sensitive medical information. The incident involved an unusual scenario where banking staff could potentially view health data, raising questions about data segregation and access controls within the bank's systems.
What Happened
Commonwealth Bank discovered that certain staff members may have had inappropriate access to customers' medical information held within the bank's systems. The breach appeared to involve a misconfiguration or access control failure that allowed banking staff to view health-related data that should have been restricted.
The mechanism by which a bank came to hold medical information and how staff gained access was not fully explained in public disclosures, but it likely involved one of several scenarios:
- Medical information provided as part of insurance products sold by the bank
- Health data submitted for loan applications or income protection claims
- Information from the bank's insurance or superannuation arms
- Data from health insurance products or services offered through CBA subsidiaries
The key concern was that standard banking staff—not those specifically authorised to handle medical information—may have been able to view this highly sensitive data due to inadequate access controls or system segregation.
Impact on Individuals
Customers whose medical information was potentially accessible faced serious privacy concerns:
- Medical privacy violation: Unauthorised access to health conditions, treatments, or diagnoses
- Highly sensitive data: Medical information is among the most private personal data
- Discrimination risk: Health information could potentially influence banking or employment decisions
- Psychological impact: Distress from knowing intimate health details were viewable by unauthorised staff
- Trust violation: Expectation that a financial institution would protect medical data
The breach was particularly concerning because:
- Customers may not have expected their bank to hold medical information
- Access by banking staff seemed inappropriate given the nature of the data
- Medical information cannot be changed or replaced if compromised
- Potential for information to be used improperly or shared
Organisational Response
Commonwealth Bank responded urgently to the privacy breach:
- Launched immediate investigation into the access control failure
- Worked to identify which staff had access and whether data was viewed
- Reviewed systems to determine the scope of inappropriately accessible information
- Implemented corrective measures to restrict access appropriately
- Began the process of notifying potentially affected customers
- Engaged privacy and security experts to assess the breach
- Reported the incident to the Office of the Australian Information Commissioner
The bank described the situation as being under "urgent investigation," indicating the seriousness with which it was being treated.
Access Control and Data Governance Issues
The breach highlighted several important issues in data governance:
- Least privilege principle: Staff should only access data necessary for their roles
- Data segregation: Medical information should be isolated from general banking systems
- Access logging: Need for monitoring who accesses sensitive information
- Role-based access: Importance of carefully defined access permissions
- Cross-subsidiary data: Challenges when corporate groups handle different types of data
The incident raised questions about how financial institutions that offer diverse products (banking, insurance, superannuation, health products) manage and segregate different types of customer data.
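As an added illustration of the principles above (not code from the original page or from CBA's systems), the following Python model enforces least privilege by data class, keeps health data segregated to the business unit that collected it, logs every access attempt, and reviews a constructed legacy log for the cross-unit health reads that a misconfiguration like the one described would leave behind. All roles, units and record identifiers are hypothetical.

```python
from dataclasses import dataclass

# Constructed model for this example; not CBA's system or policy.
@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str   # "banking" or "health"
    owner_unit: str   # business unit that collected the data, e.g. "insurance"

@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str
    unit: str

# Least privilege: a role is granted only the data classes its work needs.
ROLE_DATA_CLASSES = {
    "branch_banker": {"banking"},
    "claims_assessor": {"banking", "health"},
}

AUDIT_LOG = []

def is_authorised(staff, record):
    """Role must hold the record's data class, and health data stays
    segregated: it is only readable from within the unit that owns it."""
    if record.data_class not in ROLE_DATA_CLASSES.get(staff.role, set()):
        return False
    return not (record.data_class == "health" and staff.unit != record.owner_unit)

def read_record(staff, record):
    """Enforce the check and log every attempt, allowed or denied."""
    allowed = is_authorised(staff, record)
    AUDIT_LOG.append({"user": staff.user_id, "unit": staff.unit, "record": record.record_id,
                      "class": record.data_class, "owner_unit": record.owner_unit,
                      "allowed": allowed})
    return record if allowed else None

def flag_cross_unit_health_reads(log):
    """Retrospective review: successful reads of health data from outside the
    owning unit, the pattern an access-control failure would leave in the log."""
    return [e for e in log if e["allowed"] and e["class"] == "health"
            and e["unit"] != e["owner_unit"]]

# Constructed log from before a fix, when no segregation check existed.
LEGACY_LOG = [
    {"user": "u1", "unit": "retail_banking", "record": "r1", "class": "banking",
     "owner_unit": "retail_banking", "allowed": True},
    {"user": "u1", "unit": "retail_banking", "record": "r2", "class": "health",
     "owner_unit": "insurance", "allowed": True},
    {"user": "u2", "unit": "insurance", "record": "r2", "class": "health",
     "owner_unit": "insurance", "allowed": True},
]
```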
Financial Sector Privacy Implications
The breach had broader implications for the financial services sector:
- Product diversity risks: Banks offering insurance and health products face complex data protection challenges
- Regulatory expectations: Privacy obligations extend beyond traditional banking data
- Staff training: Need for education about handling different types of sensitive information
- System design: Importance of building privacy and access controls into systems from the ground up
- Corporate group management: Challenges in managing data across subsidiaries with different functions
Regulatory Context
The breach occurred during a period of intense scrutiny of Commonwealth Bank:
- The bank was under investigation by multiple regulators for various compliance failures
- Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry was ongoing
- Heightened public and regulatory expectations for the bank's conduct
- Recent enactment of Notifiable Data Breaches scheme increased disclosure obligations
The medical data breach added to a series of compliance and conduct issues affecting CBA's reputation and relationship with regulators.
Privacy Commissioner Oversight
The Office of the Australian Information Commissioner (OAIC) took interest in the breach given:
- Involvement of health information, which has special protections under privacy law
- The involvement of Australia's largest bank
- Questions about systematic access control failures
- Importance of setting precedent for financial sector data handling
Long-term Impact
The Commonwealth Bank medical data breach resulted in:
- Enhanced access controls and data segregation at the bank
- Review of privacy practices across CBA's diverse product lines
- Increased awareness in the financial sector of privacy risks beyond traditional banking data
- Greater scrutiny of how banks offering insurance and health products manage data
- Industry-wide recognition of the need for sophisticated access controls when handling diverse data types
The incident remains a notable example of the complex privacy challenges facing modern financial institutions that offer services well beyond traditional banking, and the critical importance of appropriate access controls and data segregation.