Australia’s Commonwealth Bank has admitted losing the bank records of almost 20 million people.
Names, addresses, account numbers and statements were stored on two magnetic tapes which were meant to be destroyed by a subcontractor in 2016.
But despite not receiving evidence the tapes had actually been destroyed, the bank did not tell customers there was a potential problem.
The breach is the latest scandal involving Australia’s largest lender.
In a filing to the Australian Stock Exchange, the bank said it could not confirm that the tapes containing 15 years of data had been destroyed securely.
But it said “an independent forensic investigation” by accounting firm KPMG had “determined the most likely scenario was the tapes had been disposed of.”
It added “the tapes did not contain passwords, PINs or other data which could be used to enable account fraud”.
And it stressed there had been no evidence that customer information had been compromised, with monitoring mechanisms remaining in place.
Buzzfeed first reported news of the lost tapes, claiming they were supposed to be destroyed by Fuji Xerox after the decommissioning of a data centre.
The Commonwealth Bank’s acting head of retail banking, Angus Sullivan, described the incident as “unacceptable” and has apologised for any “inconvenience and worry” the incident may have caused customers.
The privacy breach comes at a time when Australian banks are under intense scrutiny from a landmark banking inquiry.
Last month, the inquiry heard that the Commonwealth bank collected fees from customers it knew had died. In one case, an adviser collected fees from a former client for more than a decade.
Australia’s Treasurer Scott Morrison has warned that financial executives could face strong penalties, including jail sentences, from evidence brought up at the inquiry.