Two former EY graduates allegedly accessed confidential Commonwealth Bank records, including the prime minister's, raising insider-risk concerns
A former Ernst & Young (EY) graduate employee has been charged with allegedly accessing confidential Commonwealth Bank customer records, including those of prime minister Anthony Albanese, exposing gaps in how consulting firms govern access for junior staff seconded into client systems.
Two men, aged 21 and 25, were placed inside Commonwealth Bank through EY's graduate consulting program when the alleged unauthorised access occurred. The Australian Federal Police charged the pair after the bank identified that they had allegedly accessed restricted information belonging to a federal politician.
Both face a charge of accessing restricted data without authorisation. The younger man faces an additional charge tied to distributing personal information in a manner regarded as menacing or harassing. Both were granted bail and were due to appear at Newtown Local Court on Tuesday.
Training and access protocols
Before being granted access to Commonwealth Bank's systems, EY staff are required to complete mandatory privacy and confidentiality training. Those seconded to the bank undergo additional training specific to its security and privacy obligations, The Nightly reported. Staff are also presented with an on-screen warning before opening confidential customer files, requiring them to confirm they are authorised to view the information, according to people familiar with the matter.
The alleged unauthorised access was detected through the bank's internal monitoring systems, which track access to sensitive customer information. A Commonwealth Bank spokesperson told The Nightly that it was not appropriate to comment on individual contractor matters.
In December, AUSTRAC, in guidance on managing insider risk, recommended organisations maintain strong upfront screening for potential employees and contractors, apply periodic re-screening for high-risk roles, and enforce consequence management consistently once concerns are identified. The agency states that most individuals do not join an organisation intending to cause harm, but that personal circumstances or workplace stressors can shift an employee's risk profile after they are already in place.
Mounting costs for Big Four oversight failures
The case adds to a string of conduct lapses among Australia's largest professional services firms, with measurable consequences for their government work. KPMG agreed to a three-month freeze on new federal contracts amid a scandal over its treatment of a whistleblower, after Labor senator Deborah O'Neill raised in federal parliament in March that the firm had misused confidential information belonging to client Lendlease, ABC News reported. That matter led to the resignation of chair Martin Sheppard.
A review of government tender data found new federal contracts awarded to KPMG, PwC, Deloitte and EY fell to $348 million in 2025, down from $637 million the previous year, reflecting growing government caution toward the sector. Brendan Lyon, a former KPMG partner, said the loss of government contracts could significantly affect the financial position of major consulting firms.
Richard Colbeck, the senator who chaired an inquiry into the use of external consultants, said the sector was approaching "a bit of a shake-up," noting that government departments were reviewing their contracts with the firms.
EY has faced its own prior conduct exposure: the firm paid US$100 million in 2022 to settle US allegations that staff had cheated on professional exams. PwC remains barred from federal government contracts under a non-compete clause stemming from its 2022 misuse of confidential tax policy information.
Treasurer Jim Chalmers said the latest case was concerning regardless of whose data was involved. "I think on the face of it, any developments of that kind are incredibly concerning, not just in relation to the PM's details, but any Australian's details," Chalmers said.
