Australia’s Commonwealth Bank leaks data of 10,000 customers over domain misspelling

Just last month, Australia’s Commonwealth Bank admitted losing the financial history of some 20 million customers. Now, the financial institution drops the ball again, this time mistakenly sending the data of some 10,000 customers to the wrong email address, the bank confirmed on Friday.

During the last financial year, a simple misspelling of the domain, omitting “.au” after the domain name “cba.com,” sent 651 internal emails to the wrong domain. An internal investigation of the domain's ownership revealed that it belonged to a US-based cybersecurity company and, prior to that, to a US financial services company.

CBA purchased the domain in April 2017 and, as of January 2017, emails sent to cba.com were blocked.

CBA assures its customers their data has not been compromised, and anyone involved in the error will be contacted immediately.

“We want our customers to know that we are committed to being more transparent about data security and privacy matters,” said Angus Sullivan, CBA’s acting group executive for retail banking services.

“Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge, however, that customers want to be informed about data security and privacy issues and we have begun contacting affected customers.”

The emails were deleted by the domain owner’s system and permanently discarded from the servers. The investigation confirmed the data in the emails was not used in any way.



*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Luana Pascu. Read the original post at: https://hotforsecurity.bitdefender.com/blog/australias-commonwealth-bank-leaks-data-of-10000-customers-over-domain-misspelling-19980.html