Recent high profile data breaches involving companies with a presence in Australia demonstrate the reputational risks associated with a failure to adequately protect customers’ personal information. With companies holding more data about their customers and utilising new ways of interacting with those customers, the risks of a data breach are increasing and becoming more varied.
Ashley Madison data breach
In mid July 2015 an orchestrated hacking effort was launched at online dating website AshleyMadison. The hackers subsequently posted user information on the dark web, which included names and email addresses as well as credit card details.
The hackers, who call themselves ‘The Impact Team’, have described the hack as an act of ‘cyber vigilantism’. The messages displayed on the hacked site exhibited the hacking group’s apparent disdain for cheating men and the organisation facilitating their infidelity. The Impact Team also took issue with the promise by AshleyMadison to permanently remove its users’ usage history and personally identifiable information from the site for a premium of $19 per user. According to the hackers this feature netted the site $1.7 million in 2014 and was ineffectual as the users’ purchase details, which contain their real names and addresses, could not be removed.
Avid Life Media (ALM), AshleyMadison’s parent company, believes that one of the culprits may have been someone who at some point had access to the company’s networks, such as an employee or contractor. Oddly enough ALM says that its website is actually growing since the hack, with a reported 87,596 women joining in the site in August 2015.
The release of sensitive personal information has had disastrous consequences for some, with reports of two suicides related to the release. ALM is offering $527,000 for information leading to the arrest of the hackers.
The losses suffered by ALM would be very difficult to quantify, but would include crisis management, forensic assistance and business interruption costs, although there seems to have been an increase in business! It is understood that the Australian Information Commissioner (OAIC) is also considering the impact of the data breach, which would result in costs to ALM in dealing with the OAIC, and responding to any requests.
Woolworths data breach
In late May 2015, an administrative error at grocery giant Woolworths was responsible for a substantial leak of its customers’ data when it mistakenly emailed to more than 1,000 people a spreadsheet containing the names and email addresses of thousands of customers as well as the redeemable codes of around 8,000 gift vouchers.
The customers had purchased the electronic gift vouchers through the online deal marketplace, Groupon. In order to redeem the vouchers, the customers were advised that they would be sent an email from Woolworths with a PDF attachment containing the electronic voucher. However, some of the emails contained the excel spreadsheet containing links to over $1 million worth of vouchers (which were immediately redeemable) and the email addresses and names of the customers who had purchased the vouchers.
Once alerted to the breach, Woolworths acted swiftly to cancel the vouchers, however some damage had already been done with some customers reporting their vouchers had been spent by third parties and the breach gained widespread attention across national news media. While the Office of the OAIC is aware of the event and has approached Woolworths for further information, it is not presently clear what action (if any) will be taken against Woolworths in relation to the breach.
Woolworths may have suffered losses associated with the crisis management, administrative and PR costs of managing the incident.
iiNet data breach
On 26 June 2015, the OAIC announced that it had opened an investigation into a data breach involving Westnet, a subsidiary of the Australian internet service provider iiNet.
A hacker allegedly accessed old customer information stored on a Westnet system and offered the information for sale. Because the data was unencrypted, customer details including usernames, addresses, telephone numbers and password information were easily exposed.
In a statement, iiNet advised that it had responded by:
- Reporting the breach to the relevant law enforcement agencies;
- Taking the hacked system offline;
- Contacting the 30,827 Westnet customers potentially impacted by the hack with a recommendation that they change their passwords; and
- Taking additional steps to increase the monitoring of accounts potentially impacted by the hack.
The hacking attack gained the attention of national news media and the OAIC. With the investigation in its infancy, it is not presently clear if any action will be taken against iiNet in relation to the data breach. In any event, iiNet would have arguably suffered reputational losses as well as the costs of dealing with the breach, including crisis management and forensic experts’ costs, and most likely some business interruption losses.
Aussietravelcover data breach
The OAIC recently concluded its investigations into the hacking of Aussietravelcover (ATC), one of Australia’s largest travel insurance companies. On around 18 December 2014, ATC’s information systems were hacked by a Queensland-based hacker (a ‘bored’ teenager) who accessed information including policyholders’ names, phone numbers, email addresses and travel dates, and released some of this information online.
When news of the data breach first broke in January 2015, media coverage criticised ATC’s decision not to immediately inform customers of the ‘hacking that saw potentially hundreds of thousands of Australians’ personal information stolen and parts of its customer database posted online’.1
However, following its investigation and the consideration of a third party consultant’s investigation report, the OAIC formed the view ‘that the personal information of far fewer individuals was compromised in the attack than had initially appeared to be the case’.2
The OAIC determined that it would not take any action against ATC in relation to the breach and praised the prompt action taken by ATC to respond to the breach, which included:
- Notifying the OAIC in the days following the hack;
- Temporarily shutting down its website;
- Engaging third party consultants to investigate the hack;
- Rolling out a new, more secure website;
- Permanently decommissioning its old website; and
- Notifying individuals affected by the hack.
The outcome for ATC was relatively positive, but we would expect that significant administrative and forensic costs would have been incurred by ATC, as well as the costs of taking its website offline during the Christmas Holiday period.
OAIC’s data breach response guide
The OAIC has published a guide to handling personal information security breaches on its website. The guide provides four key steps to responding to a data breach, namely:
- Containing the breach and undertaking a preliminary assessment;
- Evaluating the risks associated with the breach (e.g. risks to the individuals affected and the risk to your organisation);
- Notifying the breach (e.g. to customers, law enforcement agencies and the OAIC); and
- Taking steps to prevent future breaches.
While businesses should evaluate and respond to data breaches on a case-by-case basis, in many respects, the ATC example is a good demonstration of how to effectively limit the consequences of a data breach. By shutting down its website, engaging third party experts to investigate, rolling out a more secure website and notifying affected individuals, ATC appears to have mitigated the fallout as best as possible.
The losses suffered by an entity can be substantial and widespread as numerous experts are required to assist in handling the fallout of a breach. With the foreshadowed introduction of mandatory reporting of data breaches in Australia before year’s end we expect that these losses are only going to increase.