Commonwealth Bank fined $3.55m for sending millions of emails that contravened spam laws

The Australian Communications and Media Authority (ACMA) has levied a $3.55 million fine against the Commonwealth Bank of Australia after it found the bank had sent out millions of unlawful emails to its customers.

David Hollingworth
Wed, 07 Jun 2023

The ACMA’s investigation found that the CBA sent 61 million emails to customers that required them to log in to their accounts to unsubscribe from such emails, and another 4 million that had no unsubscribe functionality at all, both in contravention of anti-spam laws.

On top of that, the CBA had sent another 5,000-plus emails to customers who had already unsubscribed.

The $3.5 million fine is the largest such fine imposed by the ACMA. The CBA has also committed to an independent review of its email practices, which is enforceable by the courts over a three-year period if the bank does not comply. Staff training will also be required, as well as regular reporting to the ACMA.


According to Nerida O’Loughlin, the ACMA chair, companies need to do more to make sure they are complying with Australia’s anti-spam laws.

“The scale and duration of the breaches by the CBA is alarming, especially when the ACMA gave it early warnings it might have some issues and the steps it took were ineffective,” O’Loughlin said in an announcement. “The failure to fix the issues shows a complete disregard for the spam rules and the rights of its customers.”

“Consumers are frustrated by marketing intrusions on their privacy, especially when there is no option, or it is difficult, to unsubscribe,” Ms O’Loughlin said.

“We continue to see large and well-known businesses who should know better than breaching the spam laws. This action is a further warning to all businesses that non-compliance with Australia’s spam laws will not be tolerated.”

The fine is, however, a drop in the financial ocean for the bank. The CBA posted a third-quarter profit of $2.6 billion last month, up 10 per cent from the previous year.

For its part, the bank said that breaches took place in error while the CBA was updating the terms and conditions of electronic banking in late 2021. Certain email templates featured an unsubscribe link that no longer worked, and other language was removed outright.

Monique Macleod, CBA group executive marketing and corporate affairs, said CBA takes its obligations “very seriously”.

“We acknowledge and accept the findings of ACMA’s investigation into CBA’s compliance with certain provisions of the Spam Act,” Macleod said in a statement. “We apologise to all customers impacted by these issues, which should not have occurred. We’ve fixed the problem and are making changes to ensure it doesn’t happen in the future.”

“Since reporting this matter to ACMA, we’ve fixed the issues that were the subject of ACMA’s investigation and strengthened our systems, processes and controls to support ongoing compliance.”

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
