National Australia Bank has come under fire from privacy advocates for failing to provide full disclosure about a data breach last week that resulted in the personal information of 13,000 customers being leaked to two unnamed companies.
The bank on Friday afternoon officially notified the Office of the Australian Information Commissioner of the breach and later issued a press release in which it elected not to name the companies that received private information about its customers.
The leaked data included names, birth dates, addresses, phone numbers and other identifying information such as car licence and passport numbers.
Banking Day yesterday sought clarification from NAB on when it intended to identify the companies that received the customer information but the bank refused to say, citing security concerns.
In its announcement on Friday, the bank said the sensitive customer data was uploaded without authorisation to the "servers of two data service companies".
NAB's refusal to identify the companies has riled the Australian Privacy Foundation (APF) which insists customers should be told the erroneous destinations of their bank files.
"By not telling consumers who it gave their data to, the bank is putting its commercial interest ahead of customers," said the foundation's chairman, David Vaile.
"The ability of consumers to make their own risk assessments is being diminished by the bank.
"They say its two data service companies - but that could be anyone from Facebook to any offshore digital company."
Banking Day also sought information from NAB on what steps it had taken to ensure that the external companies no longer held the leaked data.
The bank merely reiterated that it had been told by each of the companies that they delete such information within two hours.
It is understood that NAB has named the companies to the Office of the Australian Information Commissioner, which in recent times has demonstrated an inclination to support requests from banks to withhold disclosure on data leaks.
In 2016 the OAIC allowed Commonwealth Bank to withhold public disclosure of a data leak affecting 20 million account holders. The breach was not revealed to customers for two years.
Vaile, who is also the co-convenor of the University of NSW's cyberspace law and policy community, believes NAB also failed its customers by delaying the public announcement for several days.
"The NAB case highlights everything that is wrong with the breach notification regime as it currently operates in Australia," he said.
"When data breaches occur at banks, customers have important decisions to make to mitigate the potential effects of losing control of their private information.
"It is critical that banks notify customers at the moment a breach is established because in the digital age damage can happen in only milliseconds or minutes."
Vaile said if NAB intended to act in customers' interests before its commercial interests then it should have ensured that public disclosure of the data leak preceded its efforts to establish whether irregular activity had occurred on any of the 13,000 accounts.
Confirmation of the NAB data leak was particularly embarrassing for the bank because it coincided with the release last week of an ACCC report into digital commerce that highlighted weaknesses in Australian privacy laws.
The regulator recommended the Morrison Government should tighten customer notification requirements on banks and other companies.
"The lack of both consumer protection and effective deterrence under laws governing data collection have enabled problematic data practices and a lack of transparency and control which undermine consumers' ability to select a product that best meets their privacy preferences," the regulator found.
"The lack of deterrence under current laws is compounded by individual consumers' inability to bring direct actions for breaches of their privacy under the Privacy Act or for serious invasions of their privacy that cause financial or emotional harm."
While the NAB data breach might have come as a shock to affected customers, it was probably anticipated by the bank's board after it articulated concerns about compliance capabilities across the company in November last year.
In its self-assessment on governance, accountability and culture, the NAB board concluded the bank's executives and staff needed to focus more on customer impacts when managing risks in the business.
"Weaknesses in compliance practices at NAB have manifested in too many breaches, and in the slow identification and reporting of breaches," the bank's directors stated in the self-assessment.
"Risk's resourcing is observed to be low in compliance, where a significant increase in staffing is underway.
"It will also likely need to increase in conduct, technology risk, cyber, data and privacy."