[BreachExchange] OAIC accepts undertaking from ARC on Optus customer data breach

[Audrey McNeil]

http://www.zdnet.com/article/oaic-accepts-undertaking-from-
arc-on-optus-customer-data-breach/

The Australian Privacy Commissioner has accepted an enforceable undertaking
from ARC Mercantile following a breach of personal customer data at the end
of last year, which occurred when an ARC employee posted a spreadsheet of
customers owing money to Optus on Freelancer.com.

"This incident emphasises the importance of not only establishing and
implementing privacy processes, but also maintaining these processes to
ensure a culture of privacy within the organisation," the Office of the
Australian Information Commissioner (OAIC) said.

"This includes providing appropriate training to all staff across the
organisation on their obligations under the Privacy Act, and ensuring they
understand these obligations."

The undertaking, which is legally enforceable between the commissioner and
ARC, will see the company implement improved information security within
three months, including establish a secure Digital Rights Management
Server; implement privacy training for its staff members within three
months; pledge to not repeat the conduct that led to the incident; and
offer to reimburse the cost of a 12-month credit-monitoring alert service
within 14 days for those whose personal information was breached during the
incident.

ARC must also appoint a third party, in consultation with the OAIC, within
14 days to review its handling and security of personal information, and
implement any recommendations made as a result of this review.

Optus in December confirmed that the breach occurred when an ARC staff
member had been attempting to hire a freelance worker on Freelancer.com to
analyse the data, which included names, addresses, dates of birth, emails,
phone numbers, and their history of debt collection, with 51 people
accessing the data.

"Optus takes the protection of customer data and privacy seriously," an
Optus spokeswoman told ZDNet in a statement at the time.

"Optus has become aware that an employee of a third-party supplier posted a
document containing customer data to a public website. This action was
unauthorised by Optus and its supplier, ARC."

Both Optus and ARC voluntarily reported the breach to the OAIC, with Optus
also notifying affected customers.

"We are pleased to see that Optus has notified affected individuals about
this incident," the OAIC said.

"Notification can be an important mitigation strategy that has the
potential to benefit both the organisation and the individuals affected by
a data breach. The OAIC strongly encourages notification in appropriate
circumstances as part of good privacy practice."

While Crikey reported the number of customers whose data was breached as
being 31,150, the telco did not comment on this.

"As soon as Optus became aware of ARC's action, we acted swiftly to remove
the data and conduct a full investigation into the incident," the Optus
spokeswoman added.

Australian Privacy Commissioner Timothy Pilgrim, who was reappointed yet
again in July, has historically taken a hard line against companies that
cover up data breaches, saying that the concealment of a data breach "will
not be looked well on by our office".
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160901/4a7f5015/attachment.html>