COIT20274 - Information Systems for Business: CBA Data Breach
This annotated bibliography examines the Commonwealth Bank of Australia (CBA) data breach incident, focusing on the bank's failure to address Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) breaches related to its Intelligent Deposit Machines (IDMs). The bibliography includes sources that explain the rollout and benefits of IDMs, the AML/CTF breaches, the application of COBIT components, the 2016 data breach, and agile practices implemented within the bank. Key articles discuss the bank's lack of risk management, failure to report suspicious transactions, and the subsequent investigation and response. The bibliography also highlights the importance of compliance requirements, risk management, asset classification, and information system security policies in mitigating data breaches, referencing frameworks like COBIT to emphasize the need for robust IT governance and control within financial institutions.

Running head: INFORMATION SYSTEMS FOR BUSINESS PROFESSIONAL
Information Systems for Business Professional: Annotated
Bibliography
Name of Student-
Name of University-
Author’s Note-
Assignment 1
Annotated Bibliography
Introduction
The Commonwealth Bank failed to act on indications that its network of Intelligent Deposit
Machines (IDMs) was being abused. Drug syndicates used the IDMs to move millions of dollars.
AUSTRAC (the Australian Transaction Reports and Analysis Centre), Australia's financial
intelligence agency, announced that it was suing the Commonwealth Bank under anti-money-laundering
and counter-terrorism-financing laws for 53,700 alleged contraventions. These were breaches of
the AML/CTF Act (failures to assess risk and to report transactions), not a compromise of customer
data; the separate 2016 loss of backup tapes is covered later in this bibliography.
This case study concerns the use of IDMs, a type of Automated Teller Machine that the bank
launched in 2012. IDMs allow customers to deposit cash anonymously at any time, even when
branches are closed, with the funds credited immediately and available for transfer. The
Commonwealth Bank did not give AUSTRAC reports on suspicious transactions worth about $77
million. Even once the bank knew that its IDMs were being used for money laundering, it failed
to take the steps needed to manage and mitigate the associated risk.
The bank became aware of the suspicious account activity in May 2015, but it failed to act in
a way that would have alerted the authorities to the large transactions taking place. This
report sets out the risk management steps the Commonwealth Bank failed to take. Even after
identifying unusual transaction patterns on some accounts, bank officials still did not notify
the authorities and allowed the transactions to continue. The report also explains what could
have been done at the time.
Knaus, C. (2017). Commonwealth Bank accused of money laundering and
terrorism-financing breaches. [online] the Guardian. Available at:
https://www.theguardian.com/australia-news/2017/aug/03/commonwealth-
bank-accused-of-money-laundering-and-terrorism-financing-breaches
[Accessed 25 Jul. 2018].
The Commonwealth Bank began rolling out Intelligent Deposit Machines (IDMs) in 2012. They
resemble Automated Teller Machines (ATMs) but are high-speed machines with a large cash-deposit
capacity. According to Knaus (2017), an IDM also validates banknotes, can sort cash and can
track notes by serial number. The advantages claimed for IDMs are:
Self-service reinvention for financial institutions.
Lower cost and higher efficiency than conventional ATMs.
New technology that drives value-added services and improves the customer's experience of
using the machine.
The IDM channel is central to the banks, which adopt the machines so that deposits become
self-service and are processed automatically.
New streams of revenue.
In 2015, Commonwealth Bank became aware of suspicious money transfers and of repeated,
connected patterns in the cash being deposited, but the bank
took no preventive action (Question 1). Even after forming its suspicion, the Commonwealth Bank
allowed the individuals concerned to keep transacting on the accounts. The suspects were
arrested on 19 January 2015 (Question 2). The bank also failed to lodge the required Threshold
Transaction Reports (TTRs), which must be given to AUSTRAC for each cash transaction of AUD
10,000 or more: the unreported transactions represented almost 95% of the threshold
transactions that passed through the IDMs between November 2012 and September 2015.
In this article, AUSTRAC states that the Commonwealth Bank did not assess the money-laundering
and terrorism-financing risk of the IDMs before rolling them out in 2012. CBA (Commonwealth
Bank of Australia) took no steps to control that risk until 2015; only then, three years after
the rollout, did it put preventive measures in place.
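The two reporting failures described above, unreported threshold transactions and unnoticed patterns of connected cash deposits, are the kind of thing a transaction-monitoring rule is meant to catch. The script below is an added example written for this bibliography; it is not code from the Guardian article, from AUSTRAC or from CBA's systems. The AUD 10,000 cash threshold is the statutory one under the AML/CTF Act 2006; the record layout, the 24-hour window, the "three or more deposits just under the threshold" heuristic and the sample deposit log are all assumptions constructed for the example.

```python
"""Threshold-transaction and structuring checks over IDM cash deposits.

Added example for this annotated bibliography, not code from the cited
sources or from CBA. Assumptions: the record layout, the 24-hour window,
the 80%-of-threshold band and the three-deposit rule are illustrative;
only the AUD 10,000 cash threshold comes from the AML/CTF Act 2006.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TTR_THRESHOLD_AUD = 10_000                  # AML/CTF Act threshold for physical currency
STRUCTURING_WINDOW = timedelta(hours=24)    # assumption: look-back window per account
STRUCTURING_MIN_DEPOSITS = 3                # assumption: deposits needed to flag
STRUCTURING_BAND = 0.8                      # assumption: "just under" = >= 80% of threshold


@dataclass(frozen=True)
class Deposit:
    when: datetime
    account: str
    machine: str
    amount_aud: int


def parse_deposits(lines):
    """Parse 'ISO-timestamp,account,machine,amount' records, skipping blanks and comments."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, acct, machine, amt = (f.strip() for f in line.split(","))
        out.append(Deposit(datetime.fromisoformat(ts), acct, machine, int(amt)))
    return sorted(out, key=lambda d: d.when)


def threshold_transactions(deposits):
    """Cash deposits of AUD 10,000 or more: each one requires a TTR to AUSTRAC."""
    return [d for d in deposits if d.amount_aud >= TTR_THRESHOLD_AUD]


def structuring_candidates(deposits):
    """Accounts that receive STRUCTURING_MIN_DEPOSITS or more sub-threshold deposits
    (each in the band just under the threshold) within STRUCTURING_WINDOW.
    Returns {account: largest total seen in any qualifying window}."""
    by_account = defaultdict(list)
    for d in deposits:
        if STRUCTURING_BAND * TTR_THRESHOLD_AUD <= d.amount_aud < TTR_THRESHOLD_AUD:
            by_account[d.account].append(d)     # deposits are already time-sorted
    flagged = {}
    for acct, ds in by_account.items():
        start = 0
        for end in range(len(ds)):
            # slide the window start forward until it fits inside the look-back period
            while ds[end].when - ds[start].when > STRUCTURING_WINDOW:
                start += 1
            window = ds[start:end + 1]
            if len(window) >= STRUCTURING_MIN_DEPOSITS:
                total = sum(d.amount_aud for d in window)
                flagged[acct] = max(flagged.get(acct, 0), total)
    return flagged


# Constructed sample log (not real CBA data): timestamp,account,machine,amount_aud
SAMPLE_LOG = """\
# constructed sample
2015-03-02T09:12:00,ACC-1001,IDM-SYD-01,12000
2015-03-02T09:40:00,ACC-2002,IDM-SYD-01,9900
2015-03-02T11:05:00,ACC-2002,IDM-SYD-07,9800
2015-03-02T16:30:00,ACC-2002,IDM-MEL-03,9950
2015-03-03T08:00:00,ACC-3003,IDM-SYD-01,4000
2015-03-04T10:00:00,ACC-1001,IDM-SYD-02,10000
2015-03-05T10:00:00,ACC-2002,IDM-SYD-01,9700
"""


def run(log_text=SAMPLE_LOG):
    """Return (threshold transactions needing a TTR, structuring candidates by account)."""
    deposits = parse_deposits(log_text.splitlines())
    return threshold_transactions(deposits), structuring_candidates(deposits)


if __name__ == "__main__":
    ttrs, structuring = run()
    for d in ttrs:
        print(f"TTR due: {d.when:%Y-%m-%d} {d.account} {d.machine} AUD {d.amount_aud}")
    for acct, total in structuring.items():
        print(f"Possible structuring: {acct} AUD {total} in sub-threshold deposits within 24h")
```

On the sample, both ACC-1001 deposits are at or above the threshold and so each needs a TTR, while ACC-2002 never crosses the threshold in a single deposit but makes three deposits of AUD 9,800 to 9,950 within seven hours, which is the pattern the structuring rule exists to surface for a suspicious matter report. The fourth ACC-2002 deposit three days later falls outside the window and is not counted. A production rule would also consider deposits across multiple accounts controlled by the same person and across machines; the window and band here are tuning choices, not statutory values.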
Isaca.org. (2015). [online] Available at: https://www.isaca.org/Knowledge-
Center/cobit/Documents/COBIT4.pdf [Accessed 25 Jul. 2018].
COBIT stands for Control Objectives for Information and related Technology. COBIT provides
good practice across the domains of an organisation, and the processes and frameworks used
within the Commonwealth Bank can be mapped onto it. COBIT organises activities in a manageable
and logical structure, and its good practices represent the consensus of experts (Question 3).
COBIT focuses strongly on control and less on execution. As ISACA states, these practices
help optimise IT-enabled investments, ensure service delivery and provide a measure against
which to judge when things go wrong in the bank.
For information technology to succeed in delivering the Commonwealth Bank's business
requirements, the bank needs a framework, or internal control system, within the organisation.
There are several reasons for CBA to adopt a control framework such as COBIT:
Making a link to the business requirements.
Organising IT activities into a process model.
Identifying the major IT resources to be leveraged.
Defining the management control objectives to be considered.
COBIT's business orientation consists of linking business goals to IT goals, providing
maturity models to measure their achievement, and identifying the responsibilities of the
business and IT process owners.
The aim of the AML/CTF guide is to help bookmakers (and other reporting entities) meet the
requirements of the AML/CTF Act (Anti-Money Laundering and Counter-Terrorism Financing Act
2006) and the AML/CTF Rules (Anti-Money Laundering and Counter-Terrorism Financing Rules
Instrument 2007) (Question 2). Money laundering is the process by which criminals disguise the
origin or true ownership of the proceeds of crime in order to avoid prosecution, conviction and
confiscation. Banks are reporting entities under the Act, so these obligations apply to CBA.
Aljazeera.com. (2018). Australia's Commonwealth Bank admits 2016 data
breach. [online] Available at:
https://www.aljazeera.com/news/2018/05/australia-commonwealth-bank-
admits-2016-data-breach-180503081105883.html [Accessed 25 Jul. 2018].
The Commonwealth Bank of Australia lost records covering almost 20 million accounts and,
when it learned of the loss in 2016, decided not to tell its customers. According to the
article, about 12 million people, roughly half of Australia's population, were affected. The
bank, Australia's largest, disclosed that two magnetic tapes holding customer names, addresses,
phone numbers, account numbers and transaction details from 2000 to 2016 had gone missing
(Question 4). The tapes were supposed to have been destroyed by a subcontractor, but the bank
never received documentation confirming the destruction. Bank officials assured customers that
the tapes did not contain passwords or PINs, emphasised that there was no evidence the customer
information had been compromised, and stopped short of calling the incident a data breach.
Angus Sullivan, an executive of CBA, said that the bank takes the protection of customer data
seriously and that losing it was not acceptable. The bank assured customers that it had
protective measures in place to keep their information safe and apologised for the incident.
Even so, no such preventive measures had been taken by the bank before 2016. Al Jazeera reports
that the bank's forensic team concluded the tapes had most likely been destroyed, even though
there was no evidence of it. Only about 150 people in the bank, including risk specialists and
the senior executive team, knew of the loss (Question 4). Because the bank judged the risk of
the data being found and misused to be low, it did not inform customers. The incident shook
the Australian financial industry.
Winterford, B. (2017). Winning CommBank over to agile. [online] iTnews.
Available at: https://www.itnews.com.au/news/winning-
commbank-over-to-agile-388500 [Accessed 25 Jul. 2018].
Lisa Frazier is executive general manager of digital channels at the Commonwealth Bank. She
was the official who introduced agile practices to the bank, reorganising the retail bank into
teams that build for retail, small-business and wealth clients. Even without knowing all of
the bank's rules, Frazier decided not to put the brand at risk or play loose with regulation.
She introduced the agile method by running training courses for everyone in the office.
According to Winterford (2017), the teams worked within their own environments while Frazier
cleared the hurdles in front of them. In an organisation as large as the Commonwealth Bank
those hurdles are hard to manage (Question 5); Frazier dealt with them and allowed the digital
teams to take the agile route. Agile working also made it possible to close many projects that
the bank did not need but that were still in progress, wasting resources and tying up staff.
The Commonwealth Bank of Australia has also added features to its services, notably Kaching,
a social payments application. The application attracted almost three quarters of
a million users to the bank. The application was genuinely useful to customers and
processed payments worth billions of dollars.
Frazier also described several features of Kaching in the article. Kaching is regarded as a
disruptive innovation rolled out through the Commonwealth Bank's online banking application.
It let the bank show itself to be innovative, prove a value proposition and grow beyond
expectations, and it brought innovation into the mainstream. Frazier also said that during her
two stints at the bank she made the business more effective by introducing the agile method.
OnRamp. (2018). How to Mitigate and Respond to Data Breaches | OnRamp.
[online] Available at: https://www.onr.com/blog/how-to-mitigate-and-
respond-to-data-breaches/ [Accessed 25 Jul. 2018].
According to the OnRamp article, there are several ways to reduce the likelihood and impact
of a data breach. Compliance requirements set out the policies the Commonwealth Bank should
follow (Question 6), but those requirements are often uncoordinated and confusing. The
mitigation practices below are the ones the bank should have followed to prevent the breach.
Risk management
Risk management is the main lever for reducing breach and security risk. The article claims
that about 60% of organisations do too little risk management, and that the resulting
incidents can be severe enough to close the organisation down. In every organisation, large
or small, risks must be identified, assessed in terms of cost and prioritised according to
their operational criticality.
Asset classification
Asset classification defines the level of protection each data set needs. It determines what
it is worth spending to secure an asset, based on the asset's value, its impact on the
organisation and the reputation attached to it, and it accounts for the business opportunities
that would be lost if the asset were unavailable. Classifying assets means deciding which ones
are protected first.
Information system security
The information system security policy defines the security controls that must be implemented
for each information system, including physical security, access management and network
security. The policy must be kept up to date as new risks emerge and the technology changes.
Assessment and authorization of information systems
This policy is the key to securing operations. It ensures that new systems adopted by the
organisation are properly protected before they are put into use, and that all users
understand and follow the applicable standards.