Two brothers, Paul Issa and Phillip Issa, faced court in Sydney this week on criminal charges for allegedly accessing the personal banking details of Prime Minister Anthony Albanese. Paul Issa, 21, was a graduate employee at consulting firm EY and on secondment to the Commonwealth Bank of Australia at the time. He has since been sacked. Neither the brothers nor EY have commented publicly.
Prime Minister Albanese told ABC News Breakfast on Wednesday it was “appropriate that charges have been laid” and that “accessing anyone’s privacy, any Australian’s privacy, is alarming.”
Who Can See My Bank Details?
Within a bank or other financial institution, access to personal information is restricted. Authorised access is determined by a staff member’s role and responsibilities and limited to what is necessary for legitimate business purposes, a principle called “least privilege” access control.
Customer service staff may access your information to manage accounts or answer queries. Fraud, risk, compliance, and audit teams may also have access to investigate suspicious transactions, monitor risk, and ensure legal and regulatory compliance.
Third-Party Access
Banks work with third-party providers such as technology companies, cloud service providers, data analytics firms, cybersecurity specialists, and consultants. These groups may be given access to customer information where necessary to deliver services, such as improving core operating systems or detecting cyber threats.
Access is governed by strict contractual arrangements, security standards, and relevant laws. Third parties do not have independent rights to use customer data for their own purposes and must handle it with care.
Bank Monitoring and Audits
Banks typically apply role-based access controls and maintain detailed monitoring and audit systems. They record when customer information is accessed, who accessed it, and why. These systems are designed to detect unusual or inappropriate access and support internal investigations.
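The sketch below is an added example, not code from this article or from any bank's system. It shows how an audit trail that records who accessed a record, when, and why can be checked automatically. The role names, case register, and log format are constructed assumptions.

```python
import csv
import io

# Constructed sample data: roles, case register and audit rows are illustrative.
ROLES_WITH_CUSTOMER_ACCESS = {"customer_service", "fraud", "compliance", "audit"}
# case id -> (staff member the case is assigned to, customer it concerns)
OPEN_CASES = {"CASE-1001": ("s-ana", "cust-17"), "CASE-1002": ("s-raj", "cust-42")}
AUDIT_LOG = """timestamp,staff_id,role,customer_id,reason
2024-05-01T09:14:02,s-ana,customer_service,cust-17,CASE-1001
2024-05-01T09:40:51,s-raj,fraud,cust-42,CASE-1002
2024-05-01T11:03:27,s-lee,contractor_analytics,cust-42,CASE-1002
2024-05-01T13:22:10,s-ana,customer_service,cust-88,
2024-05-01T15:45:39,s-raj,fraud,cust-17,CASE-1002
"""


def review_access(row):
    """Return findings for one audit row; an empty list means it is consistent."""
    findings = []
    if row["role"] not in ROLES_WITH_CUSTOMER_ACCESS:
        findings.append("role_not_permitted")
    reason = row["reason"].strip()
    if not reason:
        return findings + ["no_business_reason"]
    case = OPEN_CASES.get(reason)
    if case is None:
        return findings + ["unknown_case"]
    assignee, customer = case
    if assignee != row["staff_id"]:
        findings.append("case_not_assigned_to_staff")
    if customer != row["customer_id"]:
        findings.append("case_is_for_other_customer")
    return findings


def flag_log(text):
    """Return (timestamp, staff_id, findings) for every row that has findings."""
    rows = csv.DictReader(io.StringIO(text))
    checked = ((r["timestamp"], r["staff_id"], review_access(r)) for r in rows)
    return [c for c in checked if c[2]]


if __name__ == "__main__":
    for ts, staff, findings in flag_log(AUDIT_LOG):
        print(ts, staff, ", ".join(findings))
```

Checking the recorded reason against an independent case register is what makes the "why" field useful: a role check alone would pass the last row, where a permitted role cites a real case that concerns a different customer.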
Legal Protections
Banks must comply with the Australian Privacy Principles under the Commonwealth Privacy Act, enforced by the Office of the Australian Information Commissioner. Broader financial services regulation is overseen by ASIC, APRA, and AUSTRAC. Most major Australian banks are voluntary members of the Australian Banking Association and subscribe to the Banking Code of Practice.
Improper or unauthorised access may result in disciplinary action or criminal penalties in serious cases.
How to Protect Yourself
Individuals can protect their privacy by using strong, unique passwords, enabling multi-factor authentication, regularly monitoring account activity, and being cautious about phishing attempts. Some banks offer “open banking” (the Consumer Data Right), which lets customers give accredited third parties permission to access their banking data for specific purposes. This access is consent-based, time-limited, and revocable.
While alarming, incidents of alleged unauthorised access do not necessarily mean governance systems have failed; they may highlight that monitoring and control systems are functioning as intended.



