The Commonwealth Bank is in hot water after it failed to tell 20 million customers their personal data had been subject to a security breach.

CBA says it sent customer information to Fuji Xerox to be destroyed in 2016 but some of that information went missing.

CBA’s acting group executive of retail banking services Angus Sullivan tells Ross Greenwood the bank should’ve told customers but didn’t at the time on the basis it may cause “undue concern”.

“At the time it was a judgment decision.

“We made the decision not to share the information on the basis that we thought it might cause undue concern.”

Despite the data debacle, Mr Sullivan says the bank is still in business with the supplier Fuji Xerox.

“We’ve got ongoing discussions with the supplier,” he says.

When asked whether the worst of the Royal Commission is behind them, Mr Sullivan admits he doesn’t know.

“I don’t know.

“We’re obviously going to take on board the recommendations of the commission.”

Click PLAY below for the full interview