[BreachExchange] Nova warns listeners of data breach affecting 250, 000 Australians

[Destry Winant]

https://www.smh.com.au/business/companies/nova-warns-listeners-of-major-data-breach-affecting-250-000-listeners-20181228-p50omw.html

“We are taking all necessary measures to ensure the strength and
effectiveness of our cyber security, and there is currently no
evidence of any suspicious activity or threats on Nova Entertainment's
systems,” Ms O’Connor said.

“We take privacy, and the security of the information we collect from
our listeners very seriously, and on behalf of Nova Entertainment I
deeply and sincerely regret that this incident has occurred,” she
said.

The breach included information as varied as user names and passwords
(protected by a security technique known as hashing), home addresses,
emails, phone numbers, gender and date of birth details. In total,
261,948 people are involved in the breach.

Nova has radio stations in Sydney, Melbourne, Brisbane, Adelaide and
Perth and affected people are expected to receive an email, SMS or
letter.

No financial information or copies of ID were disclosed and the
statement said there was “no reason to believe” Nova’s existing
systems were affected.

Details are yet to be disclosed about how many people may have
accessed the data.

The information that was publicly disclosed in this breach is
described in the radio network’s statement as being a “legacy dataset”
from May 2009 to October 2011. Those affected are encouraged to change
their passwords, review their credit report for unusual activity and
enable additional security measures as needed.

Nova is undertaking an investigation into the issue, with
cybersecurity consultants working out the specifics about how the data
breach happened.

The radio network has informed the Office of the Australian
Information Commissioner (OAIC) and is in the process of contacting
law enforcement bodies. Cyber support service IDCARE assisting those
affected by the breach in late-December and early-January.

The data breach comes during increased scrutiny on all businesses over
the handling of sensitive customer data after a year of heated debate
about privacy practices and data concerns about internet giants
Facebook and Google and government-introduced initiatives like My
Health Record.

New laws introduced in early 2018 required mandatory data breach
reporting for businesses, government agencies and non-profits with
annual turnover of at least $3 million. This has captured many small
businesses across the country. Under these rules, companies are given
30 days to notify individuals affected and to inform the OAIC.

The latest OAIC data for the three months to September 2018 shows 245
notifications about breaches were made during the period.

The majority involved under 1000 individuals - two impacted more than
100,000 people - and contact information was the most common data
affected. More than half of these data breaches were due to malicious
or criminal attacks, while 37 per cent were due to human error.