"Data breach notification is voluntary at the moment so the reason we hear about cases such as Telstra is because they've communicated this to the customer or it has gone into the newspapers and they've had no other choice but to ask the Commissioner to investigate."
Dell Australia has also been investigated by the Privacy Commissioner after the hardware vendor advised Pilgrim of a data breach involving personal information of its customers.
At the time of the incident in February 2011, this information was held by Epsilon which provided Dell Australia's email marketing services.
According to the Commissioner's investigation, which began on 19 April 2011, an Epsilon employee was working remotely when his computer was infected with malware. The malware gave an attacker access to the employee's workstation. The attacker then installed additional malware that captured keystrokes, screenshots and video of the compromised computer, including the employee's credentials and log-on details.
Between 21 February 2011 and 30 March 2011, the attacker used the employee's credentials to log on to Epsilon's email marketing platform and gained access to personal information on Epsilon's system. The compromised information included the email addresses and names of customers including some Dell Australia customers.
As soon as Epsilon's investigators identified the compromised login credentials, the security team disabled the credentials, initiated additional virus scans, and began a forensic investigation of the relevant computer resources to identify the cause of the incident.
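The incident described above is a stolen-credential case: the attacker did not break the platform, he logged in as a legitimate user from a machine of his own for more than five weeks. The control that shortens that window is monitoring of where and when an account authenticates. The Python below is an added example, not code from the article, Epsilon or Dell: it learns each user's usual source addresses from a baseline period, flags later successful logins from addresses outside that baseline or outside office hours, and summarises the abuse window per account. The log format, the field names, the office-hours range and every log entry are constructed for illustration.

```python
"""Stolen-credential detection sketch (added example; log format and data are constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed audit log: "timestamp user source_ip result" per line. Assumption: the
# login service records the source address of every authentication attempt.
SAMPLE_LOG = """\
2011-02-14T09:02:11 jdoe 10.20.1.15 success
2011-02-15T09:05:40 jdoe 10.20.1.15 success
2011-02-16T08:58:03 jdoe 10.20.1.15 success
2011-02-17T09:01:27 jdoe 192.168.50.7 success
2011-02-18T09:00:00 asmith 10.20.1.22 success
2011-02-21T02:14:55 jdoe 203.0.113.45 success
2011-02-22T03:40:12 jdoe 203.0.113.45 success
2011-02-24T09:10:02 jdoe 10.20.1.15 success
2011-03-01T01:22:09 jdoe 198.51.100.9 success
2011-03-02T09:00:00 asmith 10.20.1.22 success
2011-03-03T09:00:00 asmith 10.20.1.22 failure
2011-03-30T04:05:33 jdoe 198.51.100.9 success
"""

# Logins before this instant are treated as trustworthy and define each user's baseline.
BASELINE_END = datetime(2011, 2, 20)
# Hours [start, end) during which a login from a known address is considered routine.
OFFICE_HOURS = (7, 20)


@dataclass
class LoginEvent:
    ts: datetime
    user: str
    src_ip: str
    success: bool


def parse_log(text):
    """Parse the constructed log format into time-ordered LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), user, ip, result == "success"))
    events.sort(key=lambda e: e.ts)
    return events


def build_baseline(events, baseline_end):
    """Map each user to the set of source addresses seen in successful logins before baseline_end.
    The baseline is frozen on purpose: an attacker's address must never become 'known' simply
    because it was used repeatedly."""
    baseline = defaultdict(set)
    for e in events:
        if e.success and e.ts < baseline_end:
            baseline[e.user].add(e.src_ip)
    return dict(baseline)


def detect(events, baseline_end=BASELINE_END, office_hours=OFFICE_HOURS):
    """Return (event, reasons) for every successful post-baseline login that is suspicious.
    A user with no baseline at all is flagged on every login, which is the safe default."""
    baseline = build_baseline(events, baseline_end)
    alerts = []
    for e in events:
        if not e.success or e.ts < baseline_end:
            continue  # failed attempts gave no access; baseline-period logins are trusted
        reasons = []
        if e.src_ip not in baseline.get(e.user, set()):
            reasons.append("new_source")
        if not office_hours[0] <= e.ts.hour < office_hours[1]:
            reasons.append("off_hours")
        if reasons:
            alerts.append((e, reasons))
    return alerts


def abuse_window(alerts):
    """Per user: first and last suspicious login, how many there were, and the addresses used.
    This is the 'between date X and date Y' figure an investigation has to establish."""
    per_user = defaultdict(list)
    for e, _ in alerts:
        per_user[e.user].append(e)
    return {
        user: {
            "first": evs[0].ts,
            "last": evs[-1].ts,
            "logins": len(evs),
            "sources": sorted({e.src_ip for e in evs}),
        }
        for user, evs in per_user.items()
    }


def run_example():
    """Run the detector over the constructed log and return (alerts, per-user windows)."""
    events = parse_log(SAMPLE_LOG)
    alerts = detect(events)
    return alerts, abuse_window(alerts)


if __name__ == "__main__":
    found, windows = run_example()
    for e, reasons in found:
        print(f"{e.ts.isoformat()} {e.user} from {e.src_ip}: {', '.join(reasons)}")
    for user, w in windows.items():
        print(f"{user}: {w['logins']} suspicious logins from {w['sources']} "
              f"between {w['first']} and {w['last']}")
```

In the constructed data the legitimate user keeps logging in from the office address during the same weeks, so a detector that only looked at the account, not the source, would see nothing unusual; the per-address baseline is what separates the two. The obvious extension is to cross-check the flagged addresses against the endpoint investigation, and to disable the credential (as Epsilon did) the moment the first out-of-baseline login is confirmed rather than after the window has closed.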
The Commissioner concluded that Dell Australia was not in breach of NPP 4.1, which requires an organisation to take "reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".
Epsilon was also found not to be in breach of NPP 4, as Pilgrim said the incident occurred due to a sophisticated cyber-attack rather than a failure by Epsilon to take reasonable steps to protect the personal information it held.
Data breaches like Dell Australia's affect not only companies but also their customers if personal information is leaked, warned Soyref.
"The implications for customers are that if their personal data is lost, someone else may try to create a false identity using their name," he said.
Once customers become aware of the data breach, this can also lead to what Soyref called "share price pain".
"We had a number of studies looking at America and we saw that a breach disclosure could mean a 1 per cent loss of market capitalisation," he said.
In the long run, customers may also decide to take their business to another telco or technology provider.
"The reality of the game is that the people who are mostly targeted will do more in the security space and spend more money," he said.
"With a company like Telstra, they hold so much personal data that it becomes attractive to people who want to use it for criminal activity."