Data breach at CBA's Beem compromises customer privacy
A Commonwealth Bank payments arm last night swung into damage control after confirming that a data breach compromised the personal email addresses of its customers, which included staff employed at the Reserve Bank.

The bungle is set to be the first privacy breach in the banking industry to be reported to the Office of the Information and Privacy Commissioner under a mandatory disclosure regime introduced in February.

The Beem instant payments platform inadvertently revealed the email addresses of thousands of customers on Tuesday at the same time as the Australian Prudential Regulation Authority released damaging findings from an independent inquiry into operational risk failures across the CBA's operations.

Beem sent customers an email to announce that its mobile app was now downloadable from Apple's app store.

However, the message opened a window into the company's customer base because the email addresses of all subscribers to the service were viewable to all recipients.

Beem's chief executive, Mark Wood, issued an apology to customers for the stuff-up on Tuesday and promised that it would not happen again.

Here's what Wood told customers in his email:

Hi There,

I am writing to apologise to you. You have received an email from us earlier today that included email addresses of others. We know this is unacceptable and we do apologise for the email being sent with this information. We ask that you please delete the email and we are asking the other recipients to do the same. This has occurred due to a manual error and we are automating the process to avoid this from happening in the future. We do take your privacy seriously and no other details have been disclosed. We hope you will continue to trust us.

Sincerely,
Mark Wood

Banking Day was alerted to the bungle by Beem customers, who reported they saw email addresses belonging to the following email domains in the message: rba.gov.au; nab.com.au; westpac.com.au; and ing.com.au.

The timing of the data breach is embarrassing for the Beem subsidiary and the CBA group, given that the bank and its prudential regulator are now trying to paint an image of a company mending its errant ways. CBA is a part-owner of Beem, along with NAB and Westpac, through a company known as Digital Wallet Pty Ltd.

The CBA associate last night declined to respond to a written request from Banking Day for its views on what the regulatory fallout might be.

A spokesperson did not comment on whether the data breach was reportable to the banking regulator and the federal privacy commissioner.

"We take our responsibility to keep customer information secure very seriously and we are disappointed this has occurred," the spokesperson said. "We have contacted all customers and are working to ensure controls are in place so that this doesn't happen in the future."

Earlier this week CBA entered into an enforceable undertaking to APRA, which included the adoption of special measures to improve its operational risk record.