The state of data breaches

The implications of data breaches can be severe for companies with potential financial losses and loss of customer trust.

One of the most well known examples was the Sony PlayStation Network hack from 2011 where an estimated 100 million online accounts were compromised. According to Sony, costs from the PlayStation Network data breach totalled US$171 million.

But Australian organisations have not been immune to data breaches with Telstra and Dell Australia investigated by the Privacy Commissioner Timothy Pilgrim in the past two years.

In 2011-12, the Commissioner received 46 data breach notifications, a decrease of 18 per cent from the number received in 2010-11.

While there is no mandatory obligation in the Privacy Act for companies to report data breaches to the OAIC, many do as good business practice.


Australia's largest telecommunications company, Telstra, has been investigated by the Privacy Commissioner twice for data breaches in the past three years.

The first investigation took place on 28 October 2010 when Telstra told the OAIC that a mailing list error had resulted in approximately 220,000 letters with incorrect addresses being mailed out.

Telstra disclosed that this error may have caused the personal information including names and telephone details of some of its customers to be improperly disclosed.

Following his investigation into the matter, the Privacy Commissioner concluded that Telstra had breached National Privacy Principle (NPP) 2 by disclosing the personal information of some of its customers to unauthorised third parties.

On 12 December 2011, Pilgrim was on the case again after Telstra's customer service website was openly accessible on the Internet.

The telecommunications company said it was made aware of the privacy breach and disabled its online billing, BigPond self-care and My Account functions on its website.

Account details including account numbers, phone numbers and credit card details of just fewer than one million Telstra customers were potentially compromised by the breach.

As a precaution, the company reset the passwords of around 60,000 customers and notified the Commissioner.

Pilgrim took the view that the incident amounted to an unauthorised disclosure of customers' personal information by Telstra, and breached NPP 2.

He also concluded that at the time of the incident, Telstra did not have adequate security measures in place to protect the personal information it held in the visibility tool from misuse and loss and from unauthorised access, modification or disclosure, resulting in a breach of NPP 4.

University of Sydney Business School PhD candidate Max Soyref told Computerworld Australia that data breaches happen regularly but some go unreported to the public or Privacy Commissioner.

"This is one of the big issues, is there a responsibility to disclose data breaches to the parties involved," he said.

"Data breach notification is voluntary at the moment so the reason we hear about cases such as Telstra is because they've communicated this to the customer or it has gone into the newspapers and they've had no other choice but to ask the Commissioner to investigate."


Dell Australia has also been investigated by the Privacy Commissioner after the hardware vendor advised Pilgrim of a data breach involving personal information of its customers.

At the time of the incident in February 2011, this information was held by Epsilon which provided Dell Australia's email marketing services.

According to the Commissioner's investigation which began on 19 April 2011, an Epsilon employee was working remotely when his computer was infected with malware. The malware provided an attacker with access to the employee's workstation. The cyber-criminal then installed additional malware that captured key strokes, screen-shots and video of the compromised computer including the employee's credentials and log on details.

Between 21 February 2011 and 30 March 2011, the attacker used the employee's credentials to log on to Epsilon's email marketing platform and gained access to personal information on Epsilon's system. The compromised information included the email addresses and names of customers including some Dell Australia customers.

As soon as Epsilon's investigators identified the compromised login credentials, the security team disabled the credentials, initiated additional virus scans, and began a forensic investigation of the relevant computer resources to identify the cause of the incident.

The Commissioner concluded that Dell Australia was not in breach of NPP 4.1 which requires an organisation to take 'reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Epsilon was also found not in breach of NPP 4 as Pilgrim said the incident occurred due to a sophisticated security cyber-attack rather than a failure of Epsilon to take reasonable steps to protect its personal information.


Data breaches like Dell Australia's can not only affect companies but their customers if personal information is leaked, warned Soyref.

"The implications for customers are that if their personal data is lost, someone else may try to create a false identity using their name," he said.

Once customers become aware of the data breach, this can also lead to what Soyref called "share price pain".

"We had a number of studies looking at America and we saw that a breach disclosure could mean a 1 per cent loss of market capitalisation," he said.

In the long run, customers may also decide to take their business to another telco or technology provider.

"The reality of the game is that the people who are mostly targeted will do more in the security space and spend more money," he said.

"With a company like Telstra, they hold so much personal data that it comes attractive to people who want to use it for criminal activity."

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Copyright © 2013 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations