Breach of privacy by First State Super: inadequate testing of website security

The Australian Privacy Commissioner, Timothy Pilgrim, has published his report, which found First State Super Trustee Corporation (FSS) in breach of the Privacy Act following a hacking incident in October 2011.

An investigation was opened after it was reported that an unauthorised person had accessed the secure member section of the FSS website and downloaded personal information belonging to 568 FSS members.

FSS advised the OAIC in the course of this investigation that the personal information downloaded included member names and addresses, details of superannuation account transactions and balances and the member’s current age. This information did not include dates of birth, tax file numbers or bank account details.

Since the incident, FSS has implemented measures to address the breach. FSS has advised that it engaged a specialist IT consultant to conduct web penetration tests to determine the security of all its sites.

The Privacy Commissioner’s investigation focused on whether FSS’s handling of the personal information held in its computer systems was consistent with the National Privacy Principles contained in Schedule 3 of the Privacy Act 1988 (Privacy Act). Those principles include requirements about when personal information may be disclosed (NPP 2), and that security measures must be in place to protect the personal information (NPP 4).

In light of the information gathered from FSS, the Commissioner took the view that the above incident did not amount to an improper disclosure of customer information on the part of FSS.

However, the Commissioner concluded that at the time of the incident, FSS did not have adequate security measures in place to protect the information held from misuse and from unauthorised access and disclosure. While it is acknowledged that upon becoming aware of the matter, FSS took immediate steps to remedy the situation, this still resulted in a breach of the National Privacy Principles (NPPs) in the Privacy Act.
