Regional Australia Bank Hit with Privacy Breach Finding

Following a two-year investigation, Regional Australia Bank (RAB) has been found liable for a significant privacy breach that saw the personal financial data of up to 197 customers mixed up and potentially disclosed to the wrong people, according to a determination released by Privacy Commissioner Carly Kind.
The breach, which occurred between March and June 2023, involved customer transaction data being "co-mingled" due to a software fault in RAB's Consumer Data Right (CDR) system. In at least one confirmed case, a customer received transaction data belonging to another customer, containing their personal information.
The fault originated with RAB's contracted service provider, Biza Pty Ltd, which operates the bank's CDR technology platform. Biza had identified and fixed the same software fault for its other clients in February 2023, but did not carry that patch across to RAB's system when that system was upgraded and deployed to production on March 29, 2023.
The Privacy Commissioner found that, although the fault lay with RAB's contractor, the bank remained liable under section 84(2) of the Competition and Consumer Act, which attributes the conduct of an agent to the company on whose behalf it acts.
"The respondent is liable for any failings by Biza even if it had no knowledge or awareness of those matters and was not in a position to take steps to prevent or address them," Commissioner Kind stated in her determination.
Significant Risk to Customers
The Commissioner emphasised the serious potential consequences of inaccurate financial data, noting it "may cause significant risk for customers" including being wrongly refused credit or given inappropriate credit that could lead to financial hardship.
"Decisions based on inaccurate data could result in individuals being wrongly refused credit, which may affect their immediate access to funds, but also their longer-term credit history," the determination stated.
The breach only came to light when a customer reported receiving another customer's transaction data through the CDR Service Management Portal on June 29, 2023, three months after the faulty release went live. Coincidentally, Biza implemented a broader software update on the same day that included the missing patch, resolving the issue.
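The fault described above had two properties a data holder can defend against independently of its vendor: transaction records left the bank under a consent they did not belong to, and nobody noticed until a customer complained. The following is an added illustration, not code from RAB, Biza or the CDR standards, of a fail-closed ownership guard that a data holder could place in front of its own CDR transaction endpoint. The consent and transaction shapes, the field names and the sample records are all constructed for the example.

```python
"""Illustrative ownership guard for a CDR data holder's transaction endpoint.

Added example; not code from RAB, Biza or the CDR standards. The Consent and
Transaction shapes below are simplified assumptions made for the example.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Consent:
    consent_id: str
    customer_id: str          # the consumer who granted the consent
    account_ids: frozenset    # accounts that consumer authorised for sharing


@dataclass(frozen=True)
class Transaction:
    transaction_id: str
    account_id: str
    customer_id: str          # owner of the account per the bank's own records
    amount: str


class CoMinglingError(Exception):
    """Raised when a response would carry data outside the consent's scope."""


def check_ownership(consent, records):
    """Split records into those inside the consent's scope and violations.

    A record is in scope only if (a) its account was authorised under the
    consent AND (b) the bank's own ownership record agrees that the account
    belongs to the consenting customer. A failure of either check is a
    violation: (a) catches records pulled for the wrong consent, (b) catches
    an authorised account id whose ownership data has been mixed up upstream.
    """
    ok, violations = [], []
    for rec in records:
        in_scope = rec.account_id in consent.account_ids
        owner_matches = rec.customer_id == consent.customer_id
        (ok if in_scope and owner_matches else violations).append(rec)
    return ok, violations


def build_response(consent, records):
    """Fail closed: emit the batch only if every record passes the check.

    Silently dropping the offending records would hide the fault for as long
    as nobody complains; raising makes it an alertable error at the source.
    """
    ok, violations = check_ownership(consent, records)
    if violations:
        ids = ", ".join(v.transaction_id for v in violations)
        raise CoMinglingError(
            f"consent {consent.consent_id}: {len(violations)} record(s) "
            f"outside scope ({ids}); response withheld"
        )
    return {
        "consent_id": consent.consent_id,
        "data": {"transactions": [asdict(r) for r in ok]},
    }


# Constructed sample data: customer C1 consented to share accounts A1 and A2.
SAMPLE_CONSENT = Consent("CONSENT-1", "C1", frozenset({"A1", "A2"}))
SAMPLE_RECORDS = [
    Transaction("T1", "A1", "C1", "-12.50"),   # in scope
    Transaction("T2", "A2", "C1", "300.00"),   # in scope
    Transaction("T3", "A9", "C2", "-45.00"),   # another customer's account
    Transaction("T4", "A1", "C2", "-9.99"),    # authorised id, wrong owner
]


if __name__ == "__main__":
    good, bad = check_ownership(SAMPLE_CONSENT, SAMPLE_RECORDS)
    print("in scope:", [r.transaction_id for r in good])
    print("violations:", [r.transaction_id for r in bad])
    try:
        build_response(SAMPLE_CONSENT, SAMPLE_RECORDS)
    except CoMinglingError as err:
        print("withheld:", err)
```

The second check in `check_ownership` is the one that matters for a co-mingling fault: an account id can be correctly listed on the consent while the rows attached to it belong to someone else, so the guard compares the record's recorded owner against the consenting customer rather than trusting the account id alone. Raising instead of filtering is a deliberate choice; the goal is to surface the fault on the first bad response, not to paper over it.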
Commissioner Kind found RAB breached Privacy Safeguard 11 by failing to ensure CDR data accuracy, and Privacy Safeguard 1 by not implementing adequate systems to ensure compliance with consumer data right rules.
The bank was ordered to review its contractual agreements with Biza and implement better monitoring processes for third-party CDR services. However, no financial penalties were imposed.
RAB notified 181 affected customers of the incident in accordance with CDR rules, and the Commissioner noted there was currently no evidence that any customers experienced actual loss or damage.
The determination highlighted broader concerns about accountability when financial institutions outsource critical data handling functions to third parties, particularly as the CDR system expands across Australia's banking sector.
Industry Implications
The case represents one of the first major privacy breach determinations involving the Consumer Data Right system, which was introduced to increase competition in banking by allowing customers to safely share their data with other providers.
Commissioner Kind noted the finding "may cause some discomfort for regulated entities" who have sought to shift liability to contracted service providers, and hoped the determination would "clarify the position for outsourcing and outsourced entities."
RAB and Biza did not contest the factual findings in the investigation. The incident was resolved when Biza implemented the software update in June 2023, and stronger processes have since been put in place to prevent similar occurrences.
(The Consumer Data Right framework is co-regulated by the Office of the Australian Information Commissioner (OAIC) and the Australian Competition and Consumer Commission (ACCC).)