s 22
s 22
Dear Annan
Thank you very much for your time on the telephone this morning, much appreciated. As I mentioned, I just wanted to give the
Commission a heads up on a low risk privacy incident which has occurred in our CommInsure business. We do not consider the
incident raises any risk of serious harm, and so does not necessitate a breach notification, but as I mentioned, in the interests of
transparency we wanted to make you aware of this incident in case it were to attract any media attention.
An outline of the incident:
In mid‐August we responded to a customer’s request for access to personal information. In the course of providing him
with access to his files, our CommInsure Customer Relations team inadvertently provided him with a copy of a Financial
Ombudsman Service invoice listing 48 individual customer names (including his)
FOIREQ18/00027 009
Part one is the 'statement' about a data breach required by section 26WK of the Privacy Act. If you are required to
notify individuals of the breach, in your notification to those individuals you must provide them with the information
you have entered into part one of the form.
The OAIC encourages entities to voluntarily provide additional information about the eligible data breach in part two of
this form. Part two of the form is optional, but the OAIC may need to contact you to seek further information if you do
not complete this part of the form.
Before completing this form, we recommend that you read our resource What to include in an eligible data breach
statement.
If you are unsure whether your entity has experienced an eligible data breach, you may wish to review the Identifying
eligible data breaches resource.
The OAIC will send an acknowledgement of your statement about an eligible data breach on receipt with a reference
number.
You can save this form at any point and return to complete it within 3 days. To save your form, click on the Save For
Later button on the top right-hand corner of this form. If you do not submit your saved form within 3 days, your saved
information will be permanently erased.
Refreshing your browser will clear any information that you have not saved. If you need to refresh your browser while
completing this form and wish to keep your changes, please save the form first.
We collect this information to consider and respond to your breach notification. We may use it to contact you.
More information about how the OAIC handles personal information is available in our privacy policy.
s 22
s 22
It has come to my attention today that a package of NAB documents were delivered to the Westpac
Branch in Albury. The circumstances follow:
Employee of Westpac Albury attended our NAB branch yesterday afternoon (Monday 17
December 12) to deliver documents which they had received in their courier bag that morning.
It is believed that TOLL are the couriers for both NAB and Westpac
The documents were loose report pages (computer generated) and a plastic sealed courier
envelope bound with an elastic band (i.e. not in an envelope). The reports contained customer
names, account numbers and lending information (e.g. interest rates, review dates, etc.).
Westpac advised that this is exactly how they found the materials in their courier bag.
NAB is investigating with Toll how this incorrect delivery could have occurred and how to ensure it is not
repeated.
NAB does not believe there is a real risk of serious harm to the impacted customers, as the information
has been returned in total, along with confirmation from Westpac that they have not used the
information in any way. However, in these circumstances, it is in line with NAB's notification protocols
to update your Office in case of any media or other enquiries. We do not anticipate this being the
case, however it is prudent to advise you as staff from both NAB and the Westpac branches will be
aware of this incident.
It would be appreciated if you would advise me if your Office is approached in relation to this incident.
The information contained in this email communication may be confidential. If you have received this email in
error, please notify the sender by return email, delete this email and destroy any copy.
Any advice contained in this email has been prepared without taking into account your objectives, financial
situation or needs. Before acting on any advice in this email, National Australia Bank Limited ABN 12 004 044 937
AFSL and Australian Credit Licence 230686 (NAB) recommends that you consider whether it is appropriate for your
circumstances. If this email contains reference to any financial products, NAB recommends you consider the
Product Disclosure Statement (PDS) or other disclosure document available from NAB, before making any decisions
regarding any products.
If this email contains any promotional content that you do not wish to receive, please reply to the original sender
and write "Don't email promotional material" in the subject.
To: Enquiries
Cc: Section 47F - personal privacy
Subject: Notification of incident - publication of customer address
Date: Wednesday, 9 January 2013 2:31:19 PM
In the absence of our Chief Privacy Commissioner, Section 47F - personal privacy (currently on leave) please
accept the following informal notification.
It has come to our attention that a NAB customer's address has been disclosed via a public online
forum by a NAB employee acting outside their authorisation of their employment. NAB was informed
directly by the affected customer and the act has been confirmed by the staff member in question.
Recently, a NAB customer posted remarks on an online public forum about the children who
died in the recent Sandy Hook shooting in the US.
A NAB staff member responded to the comments online in personal capacity.
Section 47F - personal privacy
In breach of NAB policy, the staff member obtained the Customer's address using NAB
systems for an unauthorised use.
The staff member (in personal capacity) set up a Facebook page using a fictitious identity
Section 47F - personal privacy
As this act by the employee conflicts with NAB's Code of Conduct and Social Media Guidelines, NAB
commenced its disciplinary and investigative process. During this time the employee in question
provided their resignation and is no longer with NAB.
NAB takes the privacy of its customers very seriously and has been liaising with the customer to
address their concerns with this use of their personal information. We have advised the individual that
appropriate action with the employee has been taken in accordance with company policy. In addition,
we are aware that the information has been removed from the website.
Given the social media context, we believe it is prudent to advise you of this incident and update your
Office in case of any media or other enquiries. Accordingly, NAB will continue to try to conciliate this
matter with the affected individual, including making a goodwill offer of financial compensation.
It would be appreciated if you would advise me or Section 47F - personal privacy (Section 47F - personal privacy) if
your Office is approached in relation to this incident.
To: Enquiries
Subject: DBN14/00032 - Notification
Date: Friday, 30 May 2014 4:13:48 PM
S 47F - personal privacy
To: Enquiries
Subject: DBN16/00056 - notification [NAB-Active.FID166308]
Date: Friday, 3 June 2016 4:57:24 PM
Attachments: image001.png
Once the list of customers impacted was established, and confirmation of the documents stolen
(including the types of information contained), NAB contacted those customers by phone to inform
them and offer actions to limit any risk of harm to those individuals. NAB has focused its attention over
the last two weeks on contacting the customers once they were identified. NAB has also placed
alerts on the customer accounts in the event that this would assist if suspicious actions are
attempted. NAB’s Financial Crimes team is accordingly across this matter. NAB has offered to change
account numbers for those impacted which has been accepted by customers. Customers have also
been referred to their branch manager for further assistance should they require.
West Footscray
In regards to the second incident, NAB was notified on 1 June that another Melbourne branch was
targeted by thieves (West Footscray). Mailbags from St Albans, Brimbank, Watergardens and
Sunshine branches were taken from a locked courier vehicle which was broken into while the courier
driver was inside the branch picking up the mail.
NAB security teams continue to work with branches to identify what information is contained in
those bags and which customers may be impacted as a result. At this stage NAB anticipates a larger
number of customers being potentially impacted given the content of the mail bags for this incident
included transaction vouchers. Communications to impacted customers have begun for those
customers identified already (those with loan documents), but a broader strategy is required for this
incident given the potential size of impact. To date, 2000 transactions have been identified (total
customer numbers are still being determined), with referenced accounts having alerts placed against
them. Work continues to identify what information is attached to each transaction (for example,
where account numbers are impacted customers will be offered new ones to be set up; where
identification details are referred to, additional assistance will be offered on how to change
government issued identification numbers, likely driver’s licence number or passport number if
identification was required for withdrawals). NAB will be offering similar assistance and advice to
those impacted by the second robbery (replacement of account numbers etc) but also wishes to
explore what it can do in terms of assisting customers seek new government-issued identifiers if
appropriate. To this end, NAB would be grateful should the OAIC have any resources on the process
associated with changing government-issued identifiers, as we have been made aware that VIC Roads
does not re-issue driver licence numbers, only the licence card itself.
NAB continues to work with Police and the courier company on this matter. NAB understands that
Mets is also considering its own separate internal investigation. Immediate actions taken by the
courier company include introducing cable locks to mail bags which will be secured to the inside of
the vehicle or using cages inside the vehicle to secure mail, as well as adjusting scheduled runs to
attempt to minimise patterns being established by thieves in the event these incidents are
connected. Events have been logged in NAB’s internal risk event system. NAB has committed to
notifying those impacted should it be assessed that there be a real risk of serious harm. NAB
confirms that in discussions with industry groups, there is a heightened awareness of incidents
occurring on branches where mail bags are being targeted. NAB will be accordingly reviewing its
processes more broadly to try to minimise risk in this area for its customers for the future.
Should the OAIC wish for NAB to provide any updates (especially on the second incident
communications to impacted customers) or have any queries please do not hesitate to contact me.
Kind regards
S 47F - personal privacy
Passion for customers | Will to win | Be Bold | Respect for People | Do the Right Thing
To find out more about NAB’s commitment to Indigenous Australia check out our RAP.
To: Enquiries
Subject: DBN16/00080 notification [NAB-Active.FID480354]
Date: Wednesday, 27 July 2016 5:56:02 PM
Information Type
As outlined above, the personal information includes:
· Email address
· Name
· Address
· Bank Account Number
· Account Name
· Customer Number
At this stage the number of emails is high (NAB estimates almost 60,000 customers
may be impacted), so analysis of how they are potentially impacted and where these
individuals are today in 2016 is being worked through carefully.
Steps taken
This incident was discovered by a Migrant Banking team member in London, after receiving an
email from a client who had “replied all” to their Welcome Letter email. The third party email
address was immediately removed from the back end system, to prevent any further letters
being copied to the third party. A valid nab.com.au email address has since been substituted.
NAB is exploring how best to contact the website nab.com regarding secure deletion of the
emails sent to them, if they are held.
Customer Assistance
NAB considers the information disclosed has minimal ability to contribute to transaction fraud.
NAB has also found nothing yet to indicate that any customers have been impacted by fraud as a
result of this event. At this stage NAB does not want to unduly upset customers especially given
the majority may be based abroad (with now dormant accounts). Until NAB has a diligent plan
and we understand the risk for such impacted customers, we do not consider communications
appropriate at this time (as noted above NAB is reviewing to see what accounts are closed or
were never opened).
Due to the nature of migrant banking some of these accounts may be closed (having moved back
to their original country of residence – typically accounts are opened largely by individuals on
short-term visas). Some of the accounts may also have never had the AML/CTF requirements
fulfilled. Investigation is underway by NAB’s Migrant Banking team to understand who may have
been impacted by this incident.
Once customers have been identified as requiring notification, NAB will be providing them a
dedicated contact so that their matter can be handled by bank officers who are specifically
across this issue.
Other Notifications
NAB has informally updated its other regulators, ASIC and APRA, this evening. Given the nature of
Migrant Banking, NAB is working through what other regulators globally may require
notification.
NAB is happy to provide further updates on this event as our investigation continues, should the
OAIC require it.
Kind regards
Section 47F - personal privacy
To: Enquiries
Subject: DBN16/00089 - notification [NAB-Active.FID486943]
Date: Monday, 8 August 2016 5:28:38 PM
***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************
To discuss
From: S 47F - personal privacy
Sent: Tuesday, 24 May 2016 4:43 PM
To: Karen Toohey <Karen.Toohey@oaic.gov.au>
Cc: S 47F - personal privacy
Subject: CBA matter
Dear Karen
I write further to your conversation with S 47F - personal privacy on Friday. We are expecting to receive the
preliminary independent investigation report from KPMG shortly and would now like to arrange
to meet with you to brief you further on this matter. We intend to conduct some initial analysis
of the report once it is received so it would be our preference to meet early next week. Please
let me know if this is suitable and we can exchange some possible times.
If you have any queries please let me know.
Kind regards
Cassandra
_________________________________________________
Commonwealth Bank