Dr Jodie Siganto of Ringrose Siganto was interviewed by the ABC concerning the recent revelation that the CBA doesn't know what happened to the records of 19.8 million customers.

The issue arose in 2016, before the mandatory data breach notification provisions of the Privacy Act 1988 came into force.

The bank says it has no evidence that customer information was compromised. But, as the saying goes, the absence of evidence is not evidence of absence. It also says that, working with the Privacy Commissioner, it was decided that customers need not be notified.

The simple fact is that the news got out (as it always does) and the CBA has been compelled by circumstance to write to all customers, record a video and issue press releases. Now it looks like it had something to hide.

The CBA's response to the incident was otherwise exemplary and, though it's sticking by the decision not to tell customers, in the light of recent revelations about bank behaviour and a marked change in public attitude about how trustworthy corporations are when it comes to personal data, at least a few executives must be regretting they weren't more open at the time.

Ted Ringrose, Director, Ringrose Siganto


IT Security Training Australia is a subsidiary of Ringrose Siganto Consulting, a privacy and security consulting firm.

How can we help?

Download one of our free guides:

The new data breach notification laws

Check your understanding with one of our Case Studies:

Red Cross Data Breach

Join one of our webinars:

Overview of data breach notification obligations in Australia

Attend a workshop:

Security incident response workshop

Have us review your data breach response preparedness:

Third party supply contract review
Security incident response plan review
Cyber incident preparedness exercise
Cyber insurance review
Privacy impact assessment or compliance audit

Contact us here