The Commonwealth Bank has confirmed it lost the financial statements of almost 20 million accounts, but insists its customers' account security has not been compromised.

Key points:

- Statements from 2000–2016 included customers' names, addresses, account numbers and transaction details
- Bank ordered investigation to figure out how the statements, stored on two magnetic tapes, were lost
- It never told customers, only went public with information when BuzzFeed broke the story

The statements, containing customers' names, addresses, account numbers and transaction details from 2000 to 2016, were stored on two magnetic tapes which were supposed to be destroyed by sub-contractor Fuji-Xerox last year after the decommissioning of a data centre.

However, the bank said it did not receive documentation providing evidence the tapes had actually been destroyed.

The bank ordered an independent "forensic" investigation by KPMG to figure out what had happened and informed the Office of the Australian Information Commissioner (OAIC) and bank regulator APRA.

The Commonwealth Bank's acting head of retail banking, Angus Sullivan, described the incident as "unacceptable", but said the investigation determined the tapes had most likely been disposed of.

"We've been unable to assure ourselves that the drives have been destroyed, but the investigation that we undertook indicates that the most likely outcome was that they were," he told the ABC's AM program.


Mr Sullivan apologised for "the inconvenience and worry" the incident caused some customers, but insisted the tapes did not contain any passwords or PINs that could compromise customers' accounts.

"The information on the tapes has partial information used to generate statements, in and of itself not entirely sufficient for fraudulent activity," he said.

"We've obviously got very comprehensive monitoring of customer accounts in place, and there's nothing to indicate from that monitoring, from that date to now, that data connected with those tapes has made its way into a malicious party's hand and converted itself into fraud or bad behaviour on customer accounts," he said.

Bank defends 'good decision' not to tell customers

Mr Sullivan said the relevant regulators were notified in 2016 and the bank undertook a thorough forensic investigation, providing further updates to regulators after its completion.

But the bank never alerted its customers to the potentially massive privacy breach and has only gone public after BuzzFeed News broke the story.

Mr Sullivan has defended the bank's decision, saying it had discussed the matter with the OAIC, which told the bank it did not intend to take any further action.

"When incidents like these are shared more broadly, they create risks in and of themselves," he told AM.

"When we look back now, the decision that was made at the time has probably been borne out to be a good decision in as much that the data hasn't turned into fraudulent activity."

However, Mr Sullivan said the OAIC contacted the bank this week seeking more information about the possible breach.

The OAIC said this week's scathing APRA report into the Commonwealth Bank's poor governance and risk management culture prompted it to seek further assurances from CBA.

"Having regard to the findings in the report by the Australian Prudential Regulation Authority into the CBA released on Tuesday, the OAIC has made further inquiries in relation to this matter and has sought information from the CBA to satisfy the OAIC that the CBA has taken on board lessons learned from this incident, to ensure the privacy of customers' personal information is adequately protected," it noted in a short statement.

ABC News understands the breach happened when Fuji-Xerox was decommissioning a data storage centre where the customer records were being held.

The two magnetic drives were scheduled to be destroyed, but when the company failed to produce the "destruction certificate", the Commonwealth Bank launched an investigation.

'Why has it taken years, and a media report, for people to find out?'

Shadow treasurer Chris Bowen demanded the Federal Government and Privacy Commission provide full accounts of what was known about the loss of data, and described the reports as "extremely concerning".

"It's only natural that CBA customers would be worried about the breach — our financial information is one of the most important things to protect," he said.

"What did the Turnbull Government and Information Commissioner know about the breach?

"Why has it taken years, and a media report, for people to find out?"

Prime Minister Malcolm Turnbull described the incident as an "extraordinary blunder".

"It's hard to imagine how so much data could be lost in this way," he told reporters.

"I have to say that, if that had happened today, the bank would have to advise each of their customers about the loss of data under new laws we have brought in and have been operating since the beginning of this year."

Attorney-General Christian Porter, who was briefed on the issue last night, released a statement saying the acting privacy commissioner told his office she was making further inquiries to ensure CBA took appropriate action subsequent to the incident to ensure customer privacy.

"This incident occurred before the Coalition's mandatory reporting requirements for data breaches took effect in February this year," Mr Porter noted.

"The Notifiable Data Breaches Scheme requires entities subject to the Privacy Act 1988 — including most Australian Government agencies, businesses with an annual turnover of more than $3 million, and specific categories of smaller businesses, such as health providers — to notify individuals if their personal data has been involved in a serious breach."

Data breach revelation caps off bad week for CBA

News of the data breach caps off a bad week for the bank, which was slammed by regulator APRA for "widespread sense of complacency" and "lack of accountability" that has led to multiple regulatory breaches.

The commission heard advisers at a CBA financial planning business continued to charge fees to customers they knew had died. This included one instance in which fees were charged for more than 10 years.

A 2012 Deloitte report revealed at least $700,000 in ongoing service fees were being charged to more than 1,050 clients allocated to more than 50 inactive financial planners who had left the business before 2012.

It also noted that CBA may have undercharged or overcharged 5,000 clients up to $4.3 million.

The bank has also accepted ASIC's enforceable undertaking for fees charged to more than 31,000 financial advice customers who did not receive an annual review.