The implications of data breaches can be severe for companies with potential financial losses and loss of customer trust.
One of the most well known examples was the Sony PlayStation Network hack from 2011 where an estimated 100 million online accounts were compromised. According to Sony, costs from the PlayStation Network data breach totalled US$171 million.
But Australian organisations have not been immune to data breaches with Telstra and Dell Australia investigated by the Privacy Commissioner Timothy Pilgrim in the past two years.
In 2011-12, the Commissioner received 46 data breach notifications, a decrease of 18 per cent from the number received in 2010-11.
While there is no mandatory obligation in the Privacy Act for companies to report data breaches to the OAIC, many do as good business practice.
Get ready for Privacy Act changes
ABC hack a lesson for other companies: security experts
Security incidents going unreported: CERT Australia
Telstra
Australia’s largest telecommunications company, Telstra, has been investigated by the Privacy Commissioner twice for data breaches in the past three years.
The first investigation took place on 28 October 2010 when Telstra told the OAIC that a mailing list error had resulted in approximately 220,000 letters with incorrect addresses being mailed out.
Telstra disclosed that this error may have caused the personal information including names and telephone details of some of its customers to be improperly disclosed.
Following his investigation into the matter, the Privacy Commissioner concluded that Telstra had breached National Privacy Principle (NPP) 2 by disclosing the personal information of some of its customers to unauthorised third parties.
On 12 December 2011, Pilgrim was on the case again after Telstra’s customer service website was openly accessible on the Internet.
The telecommunications company said it was made aware of the privacy breach and disabled its online billing, BigPond self-care and My Account functions on its website.
Account details including account numbers, phone numbers and credit card details of just fewer than one million Telstra customers were potentially compromised by the breach.
As a precaution, the company reset the passwords of around 60,000 customers and notified the Commissioner.
Pilgrim took the view that the incident amounted to an unauthorised disclosure of customers' personal information by Telstra, and breached NPP 2.
He also concluded that at the time of the incident, Telstra did not have adequate security measures in place to protect the personal information it held in the visibility tool from misuse and loss and from unauthorised access, modification or disclosure, resulting in a breach of NPP 4.
University of Sydney Business School PhD candidate Max Soyref told Computerworld Australia that data breaches happen regularly but some go unreported to the public or Privacy Commissioner.
“This is one of the big issues, is there a responsibility to disclose data breaches to the parties involved,” he said.
“Data breach notification is voluntary at the moment so the reason we hear about cases such as Telstra is because they’ve communicated this to the customer or it has gone into the newspapers and they’ve had no other choice but to ask the Commissioner to investigate.”