Commbank data loss: Non-disclosure was pretty reasonable
Life is not like the movies - you can’t plug in a tape and expect to see data
ANALYSIS “Australia's Largest Bank Lost The Personal Financial Histories Of 12 Million Customers” screams the headline at Buzzfeed. It’s a great story: the Commonwealth Bank (CBA) can’t say with 100 per cent certainty that two tapes containing data used to prepare bank statements were securely destroyed. And those tapes were not encrypted. The Bank told the relevant authorities about the leak in 2016, and they were okay for it to remain secret.
Popular understanding of the incident has quickly come to suggest that The Tapes Might Be Out There And You Are Therefore At Risk.
But the resulting outrage needs to be tempered with a little storage reality, because even if these tapes still exist, it would take a lot of equipment, money and knowledge to even have a chance of seeing any useful data.
The Register asked both CBA and Fuji Xerox Australia (which lost the tapes) what format of tape was used, as that would give us clues about security features. Both declined to specify what tapes were used. But CBA told us “The tapes were in a format that is highly compressed requiring the necessary specialist technology to access the tapes”.
Compression can be applied to tapes by hardware, or software, or sometimes both. The words “requiring the necessary specialist technology to access the tapes” therefore tell us it will be hard to read the tapes without access to whatever products were used to write them and to compress the data they contain.
It's not hard to figure out which products were used, because tapes include metadata that reveals how they were written.
But we also know that these tapes came from a large archive maintained by Fuji Xerox. Such operations use dedicated archiving software that tracks what data has been sent to which tape and keeps a catalogue and index of those tapes. That kind of software is alive to the possibility that tapes could fall into the wrong hands, so doesn’t automatically ingest tapes it doesn’t recognise or permit other instances of the same software to read tapes.
The kind of hardware that manages lots of tapes also expects to see some tapes and not others. Tapes are barcoded, and if a barcode isn’t in a library’s database of known tapes, it won’t be automatically ingested.
A big tape library can also cost serious money.
Long story short: the stuff that manages lots of tape is designed to make it hard for outsiders to read the tapes.
There's one little wrinkle to consider here. The tape market is dominated by a standard called Linear Tape-Open (LTO), which offers native compression. LTO drives can also include the LTFS filesystem, which promises plug-and-play access to LTO tapes as just another drive you can mount.
LTO drives can also sell for just a few hundred dollars, making it tempting to imagine the tapes could be easily read.
But even if you had the tape and a compatible drive, forget about just opening “Commonwealth_Bank_Customer_Details.xls”, because for starters the tapes and the files they contain could be password-protected. Or they could contain only differential backups - new additions to old records - that don't make much sense without the complete dataset. Data could be written in an obscure format from an ancient banking application, or deliberately made hard to read in numerous other ways that are just the sort of thing banks do to make it hard to read sensitive records.
It's also likely that the files are in a format ready for parsing by the statement-processing application, but it's not safe to assume that format will be easily understood by humans.
So even if someone has the tape, the knowledge to figure out what tools wrote to it, and the cash to acquire the hardware and software needed to read it, ingesting the tapes to view their content will still be a non-trivial task.
But let's not have CBA and Fuji Xerox wriggle off the hook here, because for these tapes to have been left without encryption is incompetent. Encryption is a must-have feature in archiving software, has been native to LTO since the year 2007 and should be a tick-box option that's always ticked. And of course archiving and secure destruction services like Fuji Xerox’s are explicitly designed to provide verifiable chains of custody and not lose data. So someone’s stuffed up badly.
CBA has to wear that error - no corporation can blindly trust suppliers.
But, tellingly, CBA’s statement on the breach says neither Australia’s Information Commissioner nor The Australian Prudential Regulation Authority (APRA) called for customers to be notified of the breach. A CBA-commissioned KPMG report that suggested the tapes probably were destroyed helped the regulators to reach that conclusion. The Register suggests consideration of the real-world storage issues we’ve outlined above helped the regulators to make their non-disclosure decision, too.
Complicating matters is the fact that Australia is currently conducting a Royal Commission into financial institutions' bad behaviour that has revealed CBA to have done cynical and horrible things like charging fees to dead people. The bank was also this week labelled complacent, blasé about risk and more concerned with its bottom line than customers by a report from the Australian Prudential Regulation Authority (APRA).
Burying news of the leak has quickly been interpreted as yet more evidence CBA is an uncaring institution at which staff are more concerned about their bonuses than customers' privacy and financial wellbeing.
But I don't think this incident shows the bank as villain. Indeed, even if the breach had happened after Australia’s mandatory data breach disclosure laws came into effect in February 2018, CBA may well have been entitled to keep silent on the breach, because that law’s test for disclosure is a likelihood of “serious harm”. The considerable difficulty required to access this data, plus the absence of credentials, suggests the likelihood of harm is small.
So let’s all go back to hating banks for other reasons, shall we? They've given us plenty of those, so it's not as if we particularly need this incident to whip them with anyway. ®