Case studies: Privacy Commissioner’s response to data breaches

In two recent investigations into data breaches, the Privacy Commissioner finalised its enquiries with a decision not to take further action and not to impose a penalty.

Catch of the Day
Catchoftheday.com.au Pty Ltd (COTD) gave a data breach notification to the Office of the Australian Information Commissioner (OAIC) in June 2014.

The illegal cyber intrusion that revealed customer data, including passwords and credit card details, occurred in 2011.

The Commissioner expressed concern about the size of the breach, the possible compromise of financial information, and the significant delay between COTD becoming aware of the incident and notifying affected individuals.

In deciding not to take further action, the Commissioner noted that COTD had taken a range of steps in response to the incident, including notifying banks, credit card companies and the police; commissioning a third-party expert to investigate the issue; rebuilding the e-commerce platform that was the subject of the attack; and upgrading its infrastructure to ensure compliance with the Payment Card Industry Data Security Standard (PCI-DSS). COTD also completed an internal Privacy Compliance Assessment, resulting in 20 recommendations directed at improving COTD’s privacy governance arrangements and related matters. The Commissioner further recommended that COTD improve its processes for notifying customers of data breaches in future.

COTD has been asked to provide a report about the implementation of the above recommendations within three months. The OAIC may conduct further enquiries if complaints are received from people who have been adversely affected by this incident.

Aussietravelcover
In December 2014, Aussietravelcover (ATC) notified the Australian Privacy Commissioner that its information systems had been hacked, potentially affecting customer and insurance agent records held by ATC.

In response to this incident, ATC temporarily shut down its website and commissioned third-party consultants to investigate the matter. ATC then rolled out a new and more secure website, and permanently decommissioned its old website.

The majority of the information extracted from ATC’s systems as a result of the hack was corrupted during extraction, and therefore was not accessible to the hacker in its original format. However, 133 insurance agents and four policyholders had their full ATC record extracted in an uncorrupted format as a result of the attack. ATC took steps to notify those individuals of the incident.

In deciding not to take further action, the Commissioner noted the prompt action taken by ATC to respond to the breach, including notification of affected individuals, and the remedial action taken to prevent future data breaches. However, further enquiries may be conducted if complaints are received from people who have been adversely affected by the incident.
