It said an "extensive and detailed investigation" had found that the system used by cba.com had automatically deleted all of the content of the emails sent in error, except for the recipient email address and the subject of the email.

Loading

The bank said that in 2016-17, cba.com was owned by a United States cyber security company, and before that, it was owed by a US financial services company called Cheslock Bakker & Associates.

“We want our customers to know that we are committed to being more transparent about data security and privacy matters," CBA's acting group executive for retail banking services, Angus Sullivan, said in a statement.

“Our investigation confirmed that no customer data has been compromised as a result of this issue. We acknowledge, however, that customers want to be informed about data security and privacy issues and we have begun contacting affected customers.”