Commonwealth Bank of Australia accidentally sends over 650 emails containing customer data to wrong address

The Commonwealth Bank of Australia (CBA) has once come under the radar after accidentally sending emails containing data of thousands of customers to an overseas company. On Friday, the bank said it discovered that its staff accidentally sent 651 internal emails that contained the information of approximately 10,000 customers to email addresses with the domain name 'cba.com', a domain owned by a US-based cybersecurity company, rather than 'cba.com.au' address used by the bank.

The cba.com domain was initially owned by a US-based financial services firm Cherslock Bakker & Associates until 2016-2017 when it it was used by a US-based cybersecurity company. It was later bought by CBA in April 2017.

However, the emails were inadvertently sent before CBA took ownership of the domain.

The compromised information included potentially sensitive personal data that could potentially be misused by crime groups if they fall into wrong hands or exploited by commercial firms that deal with data.

"An extensive and detailed investigation by CBA confirmed the contents of all 651 internal emails were automatically deleted by the cba.com domain owner's system, which only collected information on CBA sender and recipient email addresses and the subject of the email," the bank said in a statement.

The bank has begun notifying customers whose data was affected, but stated its investigation found no evidence of customer data being compromised.

It has also confirmed that none of the emails contained passwords or PIN codes and that funds of all the customers are protected against any unauthorized transactions.

“CBA’s investigation confirmed that the emails and any associated data had not been used and were deleted permanently from the cba.com domain owner’s servers,” the bank said.

In order to prevent more emails being sent to the wrong domain, the bank said it has been blocking the internal emails addressed to the cba.com since January 2017. In April 2017, it made a permanent fix by acquiring the domain. Now, any emails inadvertently addressed to cba.com would be returned as 'undeliverable'.

"We want our customers to know that we are committed to being more transparent about data security and privacy matters," CBA acting group executive Retail Banking Services Angus Sullivan said. l"Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge however that customers want to be informed about data security and privacy issues and we have begun contacting affected customers."

This is not the first time that the bank is dealing with a data breach. In May 2016, the bank admitted it was unsure where data of of millions of customers had ended up after realizing two magnetic tapes that contained this information were not properly disposed of.