There are plenty of ways to unintentionally mishandle customer data. Storing information on an unsecured server, for instance, or being targeted by state-sponsored actors. But perhaps the most egregiously idiotic way to release confidential information is to send emails to the wrong domain name. That’s exactly what the largest bank in Australia did—more than 600 times.
Commonwealth Bank of Australia has admitted that staff mistakenly sent 651 emails containing the data of 10,000 customers to “cba.com,” a domain name that belonged to a US-based cybersecurity company, rather than the bank’s “cba.com.au” domain name.
“Our investigation confirmed that no customer data has been compromised as a result of this issue,” CBA’s acting group executive for retail banking services, Angus Sullivan, said in a statement. “We acknowledge, however, that customers want to be informed about data security and privacy issues and we have begun contacting affected customers.”
To solve the issue, the company reportedly started blocking internal emails sent to the .com domain in January of last year and bought the domain outright in April of last year. And while no customer information was allegedly compromised, this is a screwup of baffling proportions that could have certainly gone much worse. And it’s also not the bank’s first jaw-droppingly embarrassing fuck up.
In what can best be characterized as the grimace emoji personified, CBA lost 12 million customers’ data after losing the magnetic backup tapes containing customers’ financial history. The news was revealed in early May, but reportedly happened in 2016. According to BuzzFeed, the bank hired a subcontractor to destroy the tapes but never got confirmation that it happened and were unable to find them. Possible scenario? According to an accounting firm investigating the incident, they might’ve fallen off a truck. Get it together, my dudes.