Commbank data loss: Non-disclosure was pretty reasonable

Life is not like the movies - you can’t plug in a tape and expect to see data


ANALYSIS “Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers” screams the headline at Buzzfeed. It’s a great story: the Commonwealth Bank (CBA) can’t say with 100 per cent certainty that two tapes containing data used to prepare bank statements were securely destroyed. And those tapes were not encrypted. The Bank told the relevant authorities about the leak in 2016, and they were okay for it to remain secret.

Popular understanding of the incident has quickly come to suggest that The Tapes Might Be Out There And You Are Therefore At Risk.

But the resulting outrage needs to be tempered with a little storage reality, because even if these tapes still exist, it would take a lot of equipment, money and knowledge to even have a chance of seeing any useful data.

The Register asked both CBA and Fuji Xerox Australia (which lost the tapes) what format of tape was used, as that would give us clues about security features. Both declined to specify what tapes were used. But CBA told us “The tapes were in a format that is highly compressed requiring the necessary specialist technology to access the tapes”.

Compression can be applied to tapes by hardware, or software, or sometimes both. The words “requiring the necessary specialist technology to access the tapes” therefore tell us it will be hard to read the tapes without access to whatever products were used to write them and to compress the data they contain.

It's not hard to figure out which products were used because tapes include metadata that reveal how they were written.

But we also know that these tapes came from a large archive maintained by Fuji Xerox. Such operations use dedicated archiving software that tracks what data has been sent to which tape and keeps a catalogue and index of those tapes. That kind of software is alive to the possibility that tapes could fall into the wrong hands, so doesn’t automatically ingest tapes it doesn’t recognise or permit other instances of the same software to read tapes.

The kind of hardware that manages lots of tapes also expects to see some tapes and not others. Tapes are barcoded and if a barcode isn’t in a library’s database of known tapes, it won’t be automatically ingested.

A big tape library can also cost serious money.

Long story short: the stuff that manages lots of tape is designed to make it hard for outsiders to read the tapes.

There's one little wrinkle to consider here. The tape market is dominated by a standard called Linear Tape-Open (LTO), which offers native compression. LTO drives can also include the LTFS filesystem, which promises plug-and-play access to LTO tapes as just another drive you can mount.

LTO drives can also sell for just a few hundred dollars, making it tempting to imagine the tapes could be easily read.

But even if you had the tape and a compatible drive, forget about just opening “Commonwealth_Bank_Customer_Details.xls” because for starters the tapes and the files they contain could also be password-protected. Or they could contain only differential backups - new additions to old records - that don't make much sense without the complete dataset. Data could be written in an obscure format from an ancient banking application, or deliberately made hard to read in numerous other ways that are just the sort of thing banks do to make it hard to read sensitive records.

It's also likely that the files are in a format ready for parsing by the statement-processing application, but not safe to assume that format will be easily understood by humans.

So even if someone has the tape, the knowledge to figure out what tools wrote to it, and the cash to acquire the hardware and software needed to read the tape, ingesting the tapes to view their content will still be a non-trivial task.

But let's not have CBA and Fuji Xerox wriggle off the hook here, because for these tapes to have been left without encryption is incompetent. Encryption is a must-have feature in archiving software, has been native to LTO since the year 2007 and should be a tick-box option that's always ticked. And of course archiving and secure destruction services like Fuji Xerox’s are explicitly designed to provide verifiable chains of custody and not lose data. So someone’s stuffed up badly.

CBA has to wear that error - no corporation can blindly trust suppliers.

But, tellingly, CBA’s statement on the breach says neither Australia’s Information Commissioner nor The Australian Prudential Regulation Authority (APRA) called for customers to be notified of the breach. A CBA-commissioned KPMG report that suggested the tapes probably were destroyed helped the regulators to reach that conclusion. The Register suggests consideration of the real-world storage issues we’ve outlined above helped the regulators to make their non-disclosure decision, too.

Complicating matters is the fact that Australia is currently conducting a Royal Commission into financial institutions' bad behaviour that has revealed CBA to have done cynical and horrible things like charging fees to dead people. The bank was also this week labelled complacent, blasé about risk and more concerned with its bottom line than customers by a report from the Australian Prudential Regulation Authority (APRA).

Burying news of the leak has quickly been interpreted as yet more evidence CBA is an uncaring institution at which staff are more concerned about their bonuses than customers' privacy and financial wellbeing.

But I don't think this incident shows the bank as villain. Indeed, even if the breach happened once Australia’s mandatory data breach disclosure laws came into effect, in February 2018, CBA may well have been entitled to keep silent on the breach because that law’s test for disclosure is a likelihood of “serious harm”. The considerable difficulty required to access this data, plus the absence of credentials, suggests the likelihood of harm is small.

So let’s all go back to hating banks for other reasons, shall we? They've given us plenty of those, so it's not as if we particularly need this incident to whip them with anyway. ®
