Australia's treasurer calls EY bank data breach incredibly concerning

Two Ernst & Young employees on temporary assignment at Commonwealth Bank of Australia were sacked after allegedly accessing Prime Minister Anthony Albanese’s banking details and the records of at least one EY partner, a breach that pushed a workplace security lapse into the center of Canberra’s trust debate.

Treasurer Jim Chalmers called the allegation “incredibly concerning” and said the issue mattered far beyond the prime minister’s own records. The episode has sharpened scrutiny of how a major professional-services firm, with deep links into government and corporate systems, could leave sensitive financial information exposed to insiders with temporary access.

The case has also highlighted the fragility of internal controls inside firms that handle highly privileged data. EY terminated the two employees, who were graduates on secondment at CBA, after the alleged access came to light. One of the two had been charged in connection with the alleged access to Albanese’s data, while the broader allegations included viewing the account of at least one EY partner.

The timing has compounded the reputational damage for the Big Four accounting and consulting firms. KPMG was already facing an audit leak scandal, and the firms have been under pressure in Australia over tax, audit and public-sector contract controversies. Their new-business revenue from the Australian federal government fell by almost half last year, a sign that commercial exposure now runs alongside the damage to institutional credibility.

Authorities have been confronting other insider-access cases as well. The Australian Federal Police charged two Sydney men on May 6 in a separate matter involving restricted banking data belonging to a federal parliamentarian. One was 21 and the other 25, and the younger man also faced an allegation that he used a communications device to distribute personal information in a way that reasonable people would regard as menacing or harassing.

Australia’s Privacy Act sets the legal backdrop for the fallout. It applies to government agencies and to many organisations with annual turnover above $3 million, and the Office of the Australian Information Commissioner oversees compliance. For firms such as EY and CBA, the case is a warning that elite access to financial records can turn on the weakest contractor controls, the narrowest monitoring gaps and the fastest failure of trust.