CBA: Anthony Albanese banking details allegedly accessed by EY graduate at Commonwealth Bank

If the Prime Minister’s banking details can allegedly be accessed without authorisation, what does that mean for millions of other Australians?

That question is likely to be asked after a former Ernst & Young graduate employee, and another, were charged over the alleged unauthorised access of confidential Commonwealth Bank customer records, including those belonging to Prime Minister Anthony Albanese.

A man who had been seconded to Commonwealth Bank as part of EY’s graduate consulting program has since been dismissed and is facing criminal charges over the alleged privacy breach, along with another person.

According to The Australian Financial Review, the former employee used internal banking systems to access the personal banking details of Mr Albanese and at least one senior EY partner despite having no legitimate work reason to do so.

The alleged breach was detected through Commonwealth Bank’s internal monitoring systems, which track access to sensitive customer information and alerted EY to the activity.

“It is not appropriate for us to comment on individual contractor matters,” a Commonwealth Bank spokesman said.

The Australian Federal Police confirmed it had charged two men following an investigation into the alleged misuse of restricted banking data.

A 21-year-old man has been charged with unauthorised access to, or modification of, restricted data, the Australian Financial Review reported.

He also faces a charge of “using a carriage service to make available, publish or otherwise distribute information that is personal data, of one or more individuals, and engaged in that conduct in a way that reasonable persons would regard, in all the circumstances, as menacing or harassing towards those individuals,” an AFP spokeswoman said.

A 25-year-old man has also been charged with one count of unauthorised access to restricted data.

Both are due to appear before Newtown Local Court on Tuesday.

Before being granted access to Commonwealth Bank’s systems, EY staff undergo mandatory privacy and confidentiality training and are instructed that customer records must only be accessed for genuine business purposes.

Those seconded to the bank also complete additional training specific to Commonwealth Bank’s security and privacy obligations before being granted access to sensitive internal systems.

People familiar with the incident said staff are presented with an on-screen warning before opening confidential customer files, requiring them to confirm they are authorised to access the information.

Following the alleged breach, EY reminded staff of its confidentiality obligations and reinforced its internal compliance policies. The firm declined to comment.

The alleged incident comes as Australia’s consulting sector remains under intense scrutiny following the crisis engulfing EY rival KPMG.

The firm has been rocked by allegations that confidential client information was improperly used to pursue audit work, prompting the departures of former chief executive Andrew Yates, chairman Martin Sheppard and several senior partners.

The alleged unauthorised access also comes amid broader concerns about the security of sensitive financial information held by Australia’s major banks, with regulators increasingly warning that rapidly advancing artificial intelligence could expose new cyber vulnerabilities across the financial system.

For Commonwealth Bank, however, the incident may also demonstrate that its internal monitoring systems worked as intended, detecting the alleged unauthorised access and triggering an investigation that ultimately led to criminal charges.