Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How security chief's bank details leaked

Ben Grubb (SMH) | May 16, 2011
Security firm Symantec’s Australian chief has revealed how his personal credit card details were leaked by a Melbourne restaurant, which he said highlighted the need for mandatory privacy breach notification laws.

Managing director of Symantec Australia Craig Scroogie.

Managing director of Symantec Australia Craig Scroggie. Photo: Rob Homer

Security firm Symantec’s Australian chief has revealed how his personal credit card details were leaked by a Melbourne restaurant, which he said highlighted the need for mandatory privacy breach notification laws.

The security chief, Craig Scroggie, told of his experience at a Symantec roundtable discussion in Sydney last week which revealed the average cost of a data breach to Australian companies was $2 million.

He said the government should implement Australian Law Reform Commissioner (ALRC) recommendations requiring companies to notify customers when a data breach has occured, but raised questions over how it could be enforced.

Such laws would require an organisation to notify individuals if, for example, their username, password or credit card details had been breached by a hacker. The government has been criticised for failing to implement these laws despite sitting on recommendations for them since 2008.

In a phone interview the Home Affairs Minister, Brendan O'Connor, said the government had responded to 197 of the 295 recommendations stemming from the ALRC's privacy law review, which he said was "War and Peace in size".

He said the government would decide soon whether to implement mandatory data breach notification laws and other provisions that would, for instance, give the Australian Privacy Commissioner powers to fine companies for breaches.

"I accept that there is a public expectation that the government is responding to concerns about privacy breaches," O'Connor said, adding the recent Sony PlayStation Network hack showed there was a need for new rules forcing companies to notify customers of breaches in a "timely fashion".

"We are dealing with some very sigificant issues but I have sought advice to see whether we can engage more quickly on this issue, but even if we were to try to bring forward this matter, it will need significant consultation because this has to be done in partnership with industry," O'Connor said.

‘Spiky’ issue

Enforcing such laws was a “spiky” issue for the federal government, Scroggie said, as it would likely reveal embarrassing data breaches occurring within the government itself.

“Their own capacity to comply will be tested,” he said. “They’ll need to think about their own personal level of preparedness.”

His view on the Australian Law Reform Commission's recommendations to enforce a mandatory data breach scheme remained “the same and have not changed”, he said.

“... Organisations [which] breach the personal or confidential trust of information of a customer should be required to notify the individual and should be required to take remedial action and notify the government and the individual of the action taken.”

Restaurant leak

Scroggie’s credit card data was leaked via email when a Melbourne restaurant he was a member of attempted to have its summer menu sent out to clients. But instead of attaching the menu, it sent out the client database (unencrypted) to members.

Scroggie said he only found out about the breach after a follow-up email was sent informing him of the incident. In Australia, many organisations aren't required to reveal a data breach has occurred. In many US states, however, organisations do need to disclose such breaches.

He said he deleted the initial email received - which included his and other members’ unencrypted credit card details, emails and names - because he didn't want to read the menu. He then later recovered it to see what details were leaked after being informed.

Once verifying the breach, Scroggie telephoned the restaurant (who he wouldn't name) to inquire about the incident. He said they were "very, very embarrassed" by the fiasco and blamed a third-party who managed their menu subscriber email database.

He told them that they should contact the Office of the federal Privacy Commissioner and offered one of Symantec's staff to help recover from the breach. It was a "catalytic" event for the restaurant, he said.

One of many breaches

His data breach experience with a Melbourne restaurant was just one of the many that other organisations had albeit sometimes at a lower level of confidential information being leaked.

Symantec’s study of data breaches, conducted by the Ponemon Institute, claims the average cost of significant data breaches to Australian organisations during 2010 was $2 million per breach.

The study was based on monitoring 19 Australian organisations which weren’t named.

The $2m figure included direct and indirect costs. An example of a direct cost is, for example, a bank reissuing credit cards. The indirect cost could be the damage to the organisation's brand.

‘Sceptical’ results

Without having read the study in detail, IBRS security analyst James Turner, who is at the AusCERT security conference on the Gold Coast this week, said he was skeptical of the results.

“The problem with these [studies] ... is that they're talking to organisations which have been breached and have notified or have been notified about this,” he said.

That made them “instantly a self-selected sample size”.

“It's not organisations which have been breached and don't know it; It's not organisations which have been breached and haven't talked to anybody.”

He said he was also skeptical of vendor claims that more senior people in organisations were talking about data breaches because it was “just [a vendor’s] way of trying to sell up the food chain”.

“But at the same time I am talking to more senior people in an organisation and it's becoming an area where there are increasing levels of conversation [on data breaches],” Turner said.

- with Asher Moses


Sign up for Computerworld eNewsletters.

CIO upfront: The compliance conundrum of digital transformation

Project management: 5 tips for managing your project budget

How to create a company culture that can weather failure

Is your workplace as smart as your workforce?

Will AI kill jobs?

Why eSIM is crucial for managing IoT

Macao Water builds enterprise asset management system to improve productivity

HKU and Cyberport commit to building a digital tech ecosystem in Hong Kong

University of the City of Manila inaugurates technology and innovation centre

Sompo Insurance Singapore's chatbot help consumers make informed buying decisions

Digital Malaysia: Penang teacher centre transforms into Digital Maker hub

Malaysia's Mesiniaga enterprise cloud mandated by PCI DSS certification

Malaysia's Open Data journey ramps up to Asean scale with new accelerator

With an eye on WCIT 2020 in Malaysia, PIKOM delegation supports global ICT gathering in Taiwan

'Let this be a warning,' says Malaysia enforcement director, seizes pirated Microsoft products