In May 2018, Buzzfeed broke the news that the Commonwealth Bank of Australia (CommBank) had lost the personal financial histories of 12 million customers and chosen not to tell those affected. In one of the most significant financial services privacy breaches to occur in Australia, the country's largest bank lost control of roughly a decade of customer financial information when a subcontractor lost magnetic backup tapes holding banking statements from 2004 through 2014.
The loss occurred in 2016, when the bank's subcontractor was decommissioning a data center where some CommBank customer data was stored. The backup tapes of financial statements were believed to have been sent for destruction, but when no certificate of destruction could be found by May 2016, CommBank launched an investigation to find out what had happened to them.
The bank engaged a forensic team from the accounting firm KPMG, which conducted an exhaustive search for the missing tapes. One theory KPMG investigated was that the tapes were not secured properly and fell off the truck carrying them between the data center and the facility where they were to be destroyed. KPMG's investigators retraced the truck's route to see whether the tapes could be located and recovered, but found no trace of them.
CommBank notified the appropriate Australian government agency shortly after becoming aware of the loss and considered alerting customers, but decided against it after assessing the risk of the data being misused as low. The tapes, however, were not encrypted, so anyone who obtained them and a compatible drive could read the statements in the clear, and the data was never recovered.
This breach should make companies careful when selecting IT asset disposition (ITAD) vendors to decommission their data centers, refresh their IT infrastructure, or retire surplus assets after a merger or acquisition. A company loses physical control of its data the moment it hands retired, end-of-life devices to a third party, so it is critical to work with a trusted, experienced, and certified asset disposition vendor.
Choosing a dedicated ITAD partner that specializes in data security and destruction can spare an organization a costly data breach, which averaged almost $4 million per incident globally and over $8 million in the U.S., according to the Ponemon Institute's 2019 Cost of a Data Breach Report.
How to Avoid Losing Control of Data on Retired IT Assets
To avoid losing data during the ITAD process, companies should look for a vendor that holds data destruction certifications from the National Association for Information Destruction (NAID). NAID AAA certification requires that every IT asset pass through documented processes that verify the data has been destroyed before the asset is resold or recycled. Clients of NAID AAA-certified vendors also receive detailed reports, including any discrepancies between the client's asset list and what is actually found on the data-bearing devices, which is exactly the kind of reconciliation that was missing in the CommBank case. Certified ITAD providers are further held to a higher standard through mandatory annual audits and the standing possibility of unannounced inspections, both at their facilities and at client sites, all under NAID's oversight.
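The discrepancy report described above, and the missing destruction certificate that triggered the CommBank investigation, come down to one control: reconciling the list of media you handed over against the certificates that came back, and treating anything unaccounted for as lost. The following is an added example of that reconciliation, written for this page rather than taken from any ITAD vendor, NAID, or CommBank. The media IDs, certificate numbers, dates and CSV layout are all constructed assumptions; the 14-day grace period is likewise an assumed value. Unaccounted-for media that was never encrypted is rated high, because losing it is a plaintext disclosure, while encrypted media without a certificate is still a finding, just not a disclosure on its own.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (hypothetical media IDs and certificate numbers, not
# from the page or any vendor): the media list handed to an ITAD vendor when a
# data centre is decommissioned ...
INVENTORY_CSV = """media_id,media_type,contents,encrypted,retired_on
T-0001,LTO-6 tape,customer statements 2004-2009,no,2016-02-10
T-0002,LTO-6 tape,customer statements 2010-2014,no,2016-02-10
T-0003,LTO-6 tape,transaction logs 2015,yes,2016-02-10
D-0100,SATA disk,build server image,yes,2016-02-11
"""

# ... and the destruction certificates the vendor sent back (also constructed).
# T-0099 was never on our list, and its certificate appears twice.
CERTIFICATES_CSV = """media_id,method,destroyed_on,certificate_no
T-0003,degauss+shred,2016-02-14,DC-7781
D-0100,shred,2016-02-14,DC-7782
T-0099,shred,2016-02-14,DC-7783
T-0099,shred,2016-02-14,DC-7783
"""

# Assumed policy value: how long after hand-over a certificate may be outstanding.
GRACE = timedelta(days=14)


@dataclass(frozen=True)
class Finding:
    media_id: str
    severity: str  # "high", "medium" or "info"
    issue: str


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_rows, certificate_rows, today_iso):
    """Match every inventoried medium to exactly one destruction certificate.

    Returns a list of findings; an empty list means every medium is accounted for.
    """
    today = date.fromisoformat(today_iso)
    inventory = {r["media_id"]: r for r in inventory_rows}
    certs = {}
    findings = []

    for c in certificate_rows:
        mid = c["media_id"]
        if mid in certs:
            findings.append(Finding(mid, "medium", f"duplicate certificate {c['certificate_no']}"))
            continue
        certs[mid] = c
        if mid not in inventory:
            # The vendor destroyed something we never handed over, or a serial was mistyped.
            findings.append(Finding(mid, "medium", f"certificate {c['certificate_no']} for media not on our list"))

    for mid, r in inventory.items():
        retired = date.fromisoformat(r["retired_on"])
        c = certs.get(mid)
        if c is not None:
            if date.fromisoformat(c["destroyed_on"]) < retired:
                findings.append(Finding(mid, "medium", "certificate predates hand-over"))
            continue
        if today - retired <= GRACE:
            findings.append(Finding(mid, "info", "certificate outstanding, within grace period"))
        elif r["encrypted"].strip().lower() == "yes":
            # Ciphertext without the key is not a disclosure, but the medium is still missing.
            findings.append(Finding(mid, "medium", "no certificate; encrypted medium unaccounted for"))
        else:
            findings.append(Finding(mid, "high", "no certificate; cleartext medium unaccounted for"))
    return findings


def unaccounted_cleartext(findings):
    """Media that must be treated as lost plaintext, i.e. a breach to assess and report."""
    return sorted(f.media_id for f in findings if f.severity == "high")


if __name__ == "__main__":
    result = reconcile(parse_csv(INVENTORY_CSV), parse_csv(CERTIFICATES_CSV), "2016-05-01")
    for f in result:
        print(f"{f.severity:6} {f.media_id:7} {f.issue}")
    print("treat as lost plaintext:", unaccounted_cleartext(result))
```

Run against the sample data with a May 2016 reconciliation date, the two unencrypted statement tapes come out as high findings, which is the decision point the text describes: once a cleartext medium is unaccounted for past the grace period, the question is no longer whether to keep searching but how to handle a breach.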
Raise the bar on your ITAD vendor selection, and go with a certified vendor that specializes in data security and data destruction to keep corporate data from falling into the wrong hands.