Encryption Can Protect Your Brand’s Reputation

If there’s a universal truth in the world, the phrase “It goes without saying” will always be followed up by an observation that is completely obvious ... but apparently it needs to be said.

Another universal truth that you’d think “goes without saying”? When you put customer data at risk, the reputation of your business is going to suffer. Just ask Commonwealth Bank of Australia.

A tale of two tapes

Commonwealth Bank recently confirmed that it had lost the financial records of 12 million customer accounts, including names, addresses, account numbers and transaction details from 2000 to 2016. To be fair, the bank had sent the two magnetic tapes that held the customer data to be destroyed, but their vendor couldn’t prove that the tapes had been destroyed securely.

The bank insists its customers' account security has not been compromised, having commissioned a forensic investigation by KPMG that suggests the tapes were likely destroyed. Commonwealth Bank points to the fact that there’s been no fraudulent activity on those accounts, so it’s doubtful they were compromised.

But the fact is, they don’t know for certain, so as far as anyone knows, the tapes could still be floating around and that customer data could still be at risk.

Keeping secrets from customers

To add insult to injury, CommBank decided not to tell customers that their data may have been compromised until BuzzFeed News started to report on it – years after the bank discovered the potential breach.

As you might imagine, the Australian public isn’t too happy with how the data was handled or the cover-up. As a result, headlines “down under” are now filled with stories of Commonwealth Bank’s response to the breach, driving the bank into crisis communications mode.

Whether or not the bank was going to keep this data is irrelevant. The outrage from its customers and the resulting media scrutiny are excellent reminders that companies in all industries need to take extra precautions to keep customer files safe and secure.

Value of encryption

Reports about the breach suggest the lost tapes were likely used as local, physical backups. That makes sense, as magnetic tape is an inexpensive option for archiving data and keeping it in “cold storage” (for infrequently-accessed data).

Just because data is in cold storage, however, doesn’t mean it should be left unprotected. The initial BuzzFeed report about CommBank’s problems indicated that the customer data was not encrypted. Encryption would have reduced the concerns over the lost tapes and avoided the current PR nightmare.

With enterprise-grade backup software like Acronis Backup, a company can encrypt customer data while it is at rest in local storage, being transmitted online, or stored in the cloud. Commonwealth Bank could have easily used AES-256 encryption – which is effectively impervious to cracking at the current state of commercial computing – to keep those backups safe, regardless of the type of storage media used.

Encryption of that strength often helps companies satisfy regulatory requirements. Just as important, though, is that when customers know that a business is taking the extra step of securing their personal data, it encourages a greater level of trust in that company.

Admitting your mistakes

Encrypting the data on those magnetic tapes would have ensured the security of those files: that is certain. Yet there is another way encryption can help protect your brand integrity.

Commonwealth Bank compounded the damage to its reputation by concealing the data breach for two years. As we’ve seen countless times before, the cover-up is often worse than the initial offense.

Had the data on those magnetic tapes been protected by strong encryption, Commonwealth Bank could have admitted to the lost tapes sooner. Losing the tapes was bad, but the bank could have explained that, given the strength of the data encryption, there was no risk that any customer’s personal data could be extracted.

Generally, the public can be understanding of a mistake, especially when your company isn't at fault. In this case, it was the bank's vendor who failed to provide the necessary documentation. Coming clean about the lost tapes earlier – while demonstrating the proactive steps taken to ensure the security of customer data – would have helped CommBank manage and minimize the public relations impact of the incident.

Final thought

Commonwealth Bank’s current woes remind companies in every industry that they need to be vigilant in how they handle and protect their customers’ data – even when that data is put into cold storage. The good news is a quality business backup solution delivers the tools, like AES-256 encryption, that allow companies to quickly, easily and completely protect their customer data.