Whilst most data breaches are the result of targeted hacks or negligent data security, every now and then there is something which is the result of a special kind of stupid.
In November 2015, an employee of ARC Mercantile, a debt collection agency, released the records of approximately 31,150 Optus customers on Freelancer.com, a popular website that links freelancers with paid work. The reason? He wanted some assistance in analysing the data, and appears to have made the whole set publicly available so any potential freelancer knew what they were dealing with.
The spreadsheet itself contained names, contact numbers, dates of birth, physical addresses, email addresses and debt collection histories of those included. Both Optus and ARC Mercantile have denied that they authorised this breach of Optus’ customers’ privacy, and it appears to have been the work of an innocent (if somewhat lazy) rogue agent.
Upon learning of the incident, Optus reportedly began urgent proceedings against Freelancer Technology Pty Limited, the organisation that runs Freelancer.com. Although Freelancer Technology had taken the post down soon after it was put on their site, they had refused to reveal to Optus how many individuals had viewed the information. Freelancer Technology was subsequently ordered by the Supreme Court of NSW to release that information to Optus, and it was revealed that only 51 users had accessed the data.
ARC Mercantile subsequently notified the Office of the Australian Information Commissioner (OAIC) of the breach. The OAIC, in an official statement, lauded ARC for voluntarily providing the notification, and Optus for notifying the consumers who had their information disclosed on Freelancer.com.
To date, it is unclear whether any of the users of Freelancer.com have used the data for evil, or whether the rogue ARC Mercantile employee got the help he was after.