By now you’re probably bored to tears over the endless damning Royal Commission revelations about how little the banks work in the interests of their customers, but even so the news that the Commonwealth Bank misplaced banking data for 12 million customers should give you pause to exclaim “…the hell?”
Short version of a long, stupid story: Fuji Xerox were subcontracted to decommission one of the bank’s data centres but subsequently couldn’t confirm that several tape drives with decades of data thereon were actually destroyed.
An internal investigation was launched, and the Office of the Australian Information Commissioner was informed, but nothing appears to have happened as a consequence and the bank themselves didn’t think it would be prudent to let customers know or anything.
And, since the Office of the Australian Information Commissioner has been steadily stripped of operational funding since then-PM Tony Abbott vowed to shut the department down altogether in 2013, including failing to appoint new commissioners after the existing ones ended their terms, it’s no surprise that they didn’t sort this all out two years ago.
Say, it’s almost like if you weaken regulators, bad things happen without consequence! Heck, who’d have guessed!
As Buzzfeed puts it, “One possibility that was canvassed by [the internal investigators] is that the drives weren’t secured properly and fell from a truck in transit that was carrying the data for destruction. Forensic investigators hired to assess the breach retraced the route of the truck to determine whether they could locate the drives along this route, but were unable to find any trace of them.”
Seriously? Fell off the back of a truck? Did they also investigate whether one of the subcontractor’s dogs mistook the drives for delicious homework?
And all joking aside, this is the main reason why the matter of data retention – such as those that the government have already implemented and are seeking to expand – should have you very, very concerned: because people are idiots and data that’s collected can easily be lost.
And for all of the “if you have nothing to hide, you have nothing to fear” rhetoric, we all have stuff we don’t want to see made public. Like our banking details, for example.
No matter what TV and movies tell you, hackers are generally not l33t cyber criminals running self-written code to bypass your mainframe security: they’re people going “Hey, I bet this large company can’t be arsed changing their security settings for hundreds of employees every week” and seeing if username: admin password: password123 gets them into the system, and discovering that it works shockingly often.
But often they don’t need to even do that, because people leave work laptops on trains or don’t log out of public computers, or accidentally misplace harddrives containing millions of bank records. And when you combine that with a government ensuring that regulators don’t have the resources to operate, much less investigate, you get situations like these.
Anyway, we’re confident that Peter Dutton’s national facial recognition database will operate with complete transparency and accountability without any risk of being misused. Right?