Last month it was reported that Woolworths moved to cancel over $1.3M worth of e-gift cards when confidential details were mistakenly emailed to over 1,000 of its customers.
Information attached to almost 8,000 digital vouchers (which act like a debit or credit card at nominated stores) was apparently emailed by accident to Woolworths customers in an Excel spreadsheet. The information included personal details such as customer names, email addresses and links to redeem thousands of online gift cards.
Fairfax Media reported that the “massive data breach debacle” immediately led to instances where customers were unable to spend any of the money on their cards, as the funds had already been accessed by strangers.
While Woolworths was relatively tight-lipped about the incident, it did confirm in a statement that “affected customers have been provided with new e-gift cards for use in-store” and apologized for any inconvenience.
From an insurance perspective, the event highlights that financial and reputational damage, not to mention privacy breach consequences, are not confined to deliberate or malicious cyber attack events. Negligent mistakes – such as a misdirected email or accidental coding error – can also lead to significant loss.
One of the “traps” for the inexperienced is the assumption that all cyber policies will provide cover in such instances. The truth is that not all stand-alone cyber wordings would assist Woolworths in this situation.
In some policies, coverage triggers are limited in their scope to intentional or deliberate acts. For example, cover for first party losses (such as digital asset replacement or business interruption) may be contingent upon the loss being caused by a deliberate “security” event, cyber attack or fraudulent or unauthorized behaviour. In others, cover for, say, crisis management expenses may be limited to circumstances where the necessary public relations services were directly connected to a deliberate event or attack.
The lesson is that cyber wordings are not one-size-fits-all. Insureds, with their brokers, should carefully consider their specific cyber exposures, and ensure the coverage triggers contained in the particular wording under consideration meet those specific needs.