World

EY sacks two employees after Albanese banking data accessed

Commonwealth Bank detected irregular activity before two EY staff were sacked over Anthony Albanese’s alleged banking-data breach. One dismissed employee was charged, while the other was not.

Sarah Chen··2 min read
Published
Listen to this article0:00 min
EY sacks two employees after Albanese banking data accessed
Photo illustration

Two Ernst and Young employees were sacked after Anthony Albanese’s personal banking information was allegedly accessed while the pair were on secondment at Commonwealth Bank. The case moved into the criminal courts after the bank detected irregular activity and identified restricted information belonging to a federal politician, putting a high-profile account at the center of a wider security failure.

Paul Issa, 21, and Phillip Issa, 25, were charged in May with one count each of accessing restricted data without authorisation. The younger man also faced an additional charge tied to using a communications device to distribute personal information in a way that could be seen as menacing or harassing. One of the men dismissed by EY was also charged, while the other was not, underscoring that the internal employment action and the criminal case did not map neatly onto each other.

Treasurer Jim Chalmers called the matter “incredibly concerning,” saying the issue mattered not only because it touched the prime minister’s banking details but because every Australian’s financial information should be protected. Albanese’s office declined to comment, and EY also declined comment. The two men were due to face court on June 30.

AI-generated illustration
AI-generated illustration

The episode has sharpened scrutiny of how consulting firms embed staff inside sensitive client environments. EY is one of the Big Four firms, and the case landed as KPMG was already under pressure over a whistleblower scandal and a three-month freeze on new federal government contracts. That overlap has intensified questions about how much access junior consultants are given, and how closely banks watch for unusual activity in accounts that can carry political or reputational risk.

The privacy rules governing Australian institutions are explicit. The Office of the Australian Information Commissioner says entities must take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, and that those steps can include technical and organisational measures. Its updated APP 11 guidance reflects changes from the Privacy and Other Legislation Amendment Act 2024 and applies to information held after 11 December 2024. The issue now extends beyond one prime ministerial account to whether the same controls are strong enough across the systems ordinary customers rely on every day.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.

Did this article answer your question?

Discussion

More in World