The state of data breaches

Security breaches can mean loss of custom and affect share prices, warns expert

The implications of data breaches can be severe for companies with potential financial losses and loss of customer trust.

One of the most well-known examples was the Sony PlayStation Network hack of 2011, in which an estimated 100 million online accounts were compromised. According to Sony, costs from the PlayStation Network data breach totalled US$171 million.

But Australian organisations have not been immune to data breaches, with Telstra and Dell Australia both investigated by the Privacy Commissioner, Timothy Pilgrim, in the past two years.

In 2011-12, the Commissioner received 46 data breach notifications, a decrease of 18 per cent from the number received in 2010-11.

While the Privacy Act imposes no mandatory obligation on companies to report data breaches to the Office of the Australian Information Commissioner (OAIC), many do so as good business practice.

Australia’s largest telecommunications company, Telstra, has been investigated by the Privacy Commissioner twice for data breaches in the past three years.

The first investigation took place on 28 October 2010 when Telstra told the OAIC that a mailing list error had resulted in approximately 220,000 letters with incorrect addresses being mailed out.

Telstra disclosed that this error may have caused the personal information of some of its customers, including names and telephone details, to be improperly disclosed.

Following his investigation into the matter, the Privacy Commissioner concluded that Telstra had breached National Privacy Principle (NPP) 2 by disclosing the personal information of some of its customers to unauthorised third parties.

On 12 December 2011, Pilgrim was on the case again after Telstra’s customer service website was openly accessible on the Internet.

The telecommunications company said it was made aware of the privacy breach and disabled its online billing, BigPond self-care and My Account functions on its website.

Account details including account numbers, phone numbers and credit card details of just fewer than one million Telstra customers were potentially compromised by the breach.

As a precaution, the company reset the passwords of around 60,000 customers and notified the Commissioner.

Pilgrim took the view that the incident amounted to an unauthorised disclosure of customers' personal information by Telstra, and breached NPP 2.

He also concluded that at the time of the incident, Telstra did not have adequate security measures in place to protect the personal information it held in the visibility tool from misuse and loss and from unauthorised access, modification or disclosure, resulting in a breach of NPP 4.

University of Sydney Business School PhD candidate Max Soyref told Computerworld Australia that data breaches happen regularly but some go unreported to the public or Privacy Commissioner.

“This is one of the big issues: is there a responsibility to disclose data breaches to the parties involved?” he said.

“Data breach notification is voluntary at the moment so the reason we hear about cases such as Telstra is because they’ve communicated this to the customer or it has gone into the newspapers and they’ve had no other choice but to ask the Commissioner to investigate.”
