Someone looked up the Prime Minister’s bank account. Not a hacker in another country. A graduate sitting inside Australia’s biggest bank.
Two men have been charged after confidential Commonwealth Bank records were allegedly accessed without permission. One of them, a 21-year-old, had joined Ernst & Young in March and was placed at the bank through EY’s graduate consulting program.
The records he allegedly opened included those of Anthony Albanese. A 25-year-old has also been charged. Both were due at Newtown Local Court on Tuesday.
EY has sacked the staff involved. The firm declined to comment further.
That is the news. The part worth sitting with is what it tells the rest of us.
Why the EY Australia data leak case is bigger than one bank
Here is the detail most coverage skipped past. There are two charges against him, not just one.
The first charge is unauthorised access to restricted data. Standard enough.
The second is heavier. He has been charged with using a carriage service to transmit personal information in such a way that it will be menacing or harassing to a reasonable person.
Read that twice. That second charge is the doxxing law in action.
Doxxing became a crime in Australia in 2024. Publishing another person’s personal information in order to intimidate or harass them is now punishable by imprisonment. This looks like one of the first times that exact framing has been pinned to a financial data case.
Accessing the records is one crime. Pushing them out into the world is treated as another, and a nastier one.
For anyone who banks in Australia, that shift is the whole story. The law has stopped treating a leak as just a privacy slip. It now treats the spread of your data as something closer to a threat against you.
Financial data protection in Australia changed in June 2025
The timing here is sharp.
On 10 June 2025, Australia introduced a statutory tort for serious invasion of privacy. In layman’s terms, you may now bring an action against whoever misuses your personal information.
You do not have to wait for a regulator to act first. You do not even have to prove you lost money. Emotional distress counts, with damages capped near $478,550.
For most of Australia’s history, privacy law shrugged. A 1937 High Court case basically said there was no right to privacy at all. That door stayed shut for almost ninety years. It opened last June.
So picture the EY situation under the old rules versus the new ones. Before, a person whose account was snooped on had thin options. Now they have a clear path to court.
The bank, the firm, the individual, any of them could be on the receiving end of a claim where systems were obviously weak.
The Office of the Australian Information Commissioner also has more teeth. Penalties for serious breaches can run to $50 million for big companies.
There is a mid tier of penalties for sloppier failures, like not having a proper privacy policy. The OAIC ran its first-ever privacy compliance sweep in January 2026, checking policies sector by sector.
The rules got harder right before a graduate allegedly tested them.

[Image: Australia’s privacy law tightened in stages before the EY case surfaced.]
Internal monitoring caught it, and that is the quiet lesson
One fact in this case cuts against the panic.
Commonwealth Bank’s own systems flagged the access. The bank tracks who opens sensitive customer files. Staff get an on-screen warning before they open a record, asking them to confirm they have a reason.
[Image: Commonwealth Bank’s internal monitoring flagged the alleged unauthorised access. Credit: Commbank]
The alleged activity tripped that monitoring, the bank told EY, and the matter ended up with the AFP.
The breach happened. But the net worked. The watchdog inside the building barked.
That is cold comfort if it was your account. Still, it shows the difference between a bank that logs everything and one that finds out months later from a journalist. CBA found out fast. The control held.
The harder question sits one layer down. The bank caught it after the fact. Nothing stopped a junior contractor from opening the file in the first place. Detection is not prevention.
A detection system that flags the problem only after it has occurred still leaves the customer exposed at that moment.
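To make the detection-versus-prevention gap concrete, here is an added sketch. It is not Commonwealth Bank's or EY's system: the log records, staff and customer IDs, the assignment table and the function names are all constructed for illustration. The same business-link rule is run twice, once over a log after the fact and once as a gate before the record opens.

```python
from dataclasses import dataclass

# Constructed sample data: customers each staff member is assigned to work on.
ASSIGNMENTS = {
    "staff-101": {"cust-2001", "cust-2002"},
    "staff-204": {"cust-3001"},
}
# Constructed set of records flagged as sensitive (for example, public figures).
SENSITIVE = {"cust-9001"}

@dataclass(frozen=True)
class Access:
    ts: str
    staff: str
    customer: str
    reason_confirmed: bool  # staff clicked through the on-screen warning

# Constructed access log. Every entry has the warning confirmed.
LOG = [
    Access("2025-01-06T09:14:00", "staff-101", "cust-2001", True),
    Access("2025-01-06T09:20:00", "staff-204", "cust-9001", True),
    Access("2025-01-06T09:31:00", "staff-204", "cust-3001", True),
    Access("2025-01-06T10:02:00", "staff-101", "cust-3001", True),
]

def has_business_link(staff, customer):
    """True only if the customer is in the staff member's assigned work."""
    return customer in ASSIGNMENTS.get(staff, set())

def detect(log):
    """Detective control: runs over the log, after the record was opened."""
    alerts = []
    for a in log:
        # A self-attested click-through is not evidence of a business reason,
        # so reason_confirmed is deliberately ignored here.
        if has_business_link(a.staff, a.customer):
            continue
        severity = "high" if a.customer in SENSITIVE else "medium"
        alerts.append((a.ts, a.staff, a.customer, severity))
    return alerts

def authorize(staff, customer):
    """Preventive control: evaluated before any record data is returned."""
    return has_business_link(staff, customer)
```

Both functions apply the same rule; the only difference is whether the customer's record has already been read by the time the rule fires.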
The consulting sector was already on fire
EY’s problem did not land in a calm market.
KPMG Australia spent June getting torn apart. Its chief executive Andrew Yates resigned in late May over how the firm handled a whistleblower. By 23 June its chairman Martin Sheppard and several senior partners were on the way out.
The core allegation: confidential client information was used to chase audit work. KPMG even admitted in a parliamentary hearing that Optus data had been shared with a team bidding for Telstra’s audit.
Go back further and the pattern holds. PwC’s tax leak three years ago, where partners misused confidential government briefings, primed the whole system to react hard.
The cost shows up in the numbers. New federal government contracts with the Big Four firms fell to A$348 million in 2025, down from A$637 million the year before. Close to half the work, gone.
So when an EY graduate allegedly opens the PM’s bank records, it does not read as a one-off. It reads as another crack in a sector that keeps promising better controls and keeps finding new ways to break them.
Trust is the actual product these firms sell. Each of these cases chips at it.
What this means if you bank in Australia
Strip away the politics, and a simple takeaway sits underneath.
Your bank data is handled by more hands than you think. Graduates, contractors, secondees, consultants. Each one is a point where something can go wrong. The PM’s account got opened, allegedly, by a kid three months into his first real job.
The law has finally caught up to that reality. Doxxing is a crime. You can sue for misuse. Regulators can fine in the tens of millions. Whether any of it deters the next bored graduate is the open question.
FAQs
Q: Who accessed Anthony Albanese’s bank account?
A: Two men, aged 21 and 25, were charged. The 21-year-old was a former EY graduate on secondment to Commonwealth Bank.
Q: Was EY hacked?
A: No. The access allegedly came from inside, through a staff member who had legitimate system entry but no business reason to open those records.
Q: What is the new privacy tort?
A: Since 10 June 2025, Australians can sue directly for a serious misuse of their personal information, without proving financial loss.
Q: Did Commonwealth Bank’s security fail?
A: The bank’s monitoring detected the access and alerted EY, which led to the charges. The breach still happened, but it was caught.
Q: Is accessing someone’s data a crime in Australia?
A: Yes. Unauthorised access to restricted data is an offence, and sharing personal details to menace or harass someone is now a separate doxxing crime.
Disclaimer:
This article is general information only and not financial, legal, or investment advice. It does not account for your personal situation. Figures and claims are based on reporting available at the time of writing and may change. Speak to a licensed professional before making any decision. COLITCO LLP accepts no responsibility for any loss arising from reliance on this content.
Luke Carlino is a seasoned Copywriter, Content Strategist, and Social Media Manager specialising in Mining, Finance, and Business journalism. With more than a decade of industry experience, he brings rigorous editorial standards and commercial acuity to every project.



