[BreachExchange] Major data breach at cleaning and catering company Spotless

Destry Winant destry at riskbasedsecurity.com
Mon Apr 19 10:35:38 EDT 2021


https://www.stuff.co.nz/business/124859495/major-data-breach-at-cleaning-and-catering-company-spotless

Trans-Tasman catering and cleaning firm Spotless has admitted to a
huge data breach in which hackers may have obtained past and present
staff members’ passport and IRD numbers, amongst other personal
information.

Internet experts said the breach was very serious and that the
potential leak contained enough personal information to create a “very
high risk” of identity theft.

Spotless told affected workers by email on Thursday.

One woman who received the email said she was deeply worried and had
immediately visited her bank to change her credit cards. She was
concerned her passport was compromised, and also that Spotless’
lower-waged cleaning staff, many of whom had English as a second
language and perhaps poor access to email, would not necessarily
receive the communication.

Netsafe chief executive Martin Cocker said the amount of data involved
suggested the hackers had got into the company’s HR files. He said
there was a risk of criminals using that data to apply for credit and
services using people’s identities.

“There is a high risk to the subjects of the attack of future identity
theft,” Cocker said. “If they have taken that much personal data, it
is pretty high risk to the individual, so we would suggest people go
through a process of trying to reduce that risk.”

Internet law expert Rick Shera said it definitely qualified as a
privacy breach, “and given the type of information involved and the
number of people involved it would be classed a serious breach, there
wouldn't be any doubt about that.”

Shera said it depended on whether the data had been encrypted, or
whether it had been stolen, but “that level of information is clearly
information that could be used by someone to impersonate an
individual”.

He said taking passport and IRD numbers was “pretty serious” and could
even conceivably allow a hacker to secure a RealMe account, the
internet ID used to deal with government departments. He said if he
was one of the affected workers he would be cancelling his passport.

Spotless confirmed last December it had been subject to a cyber
breach, but at the time said “at this stage, we have no evidence that
any data has been impacted”.

In its email on Thursday, Spotless confirmed it had been subject to a
“ransomware” attack, where hackers infiltrate an IT system then demand
payment.

Cocker said it had become clear last year that ransomware attacks were
being routinely accompanied by data breaches, so that where once
companies could pay the ransom and return to business as usual, now
they had to assume their data had been stolen.

[Photo caption: Netsafe CEO Martin Cocker said there was a “high risk”
of identity theft from the breach.]

Spotless said it “immediately engaged cyber-security experts to
conduct a forensic investigation” and that investigation had found
“your personal information may have been accessed”.

The email suggested anyone who had worked for or contracted to
Spotless or applied for a job there could be affected.

The data, Spotless said, could have included names, email addresses,
phone numbers and residential addresses as well as passport details
and tax numbers.

Spotless said it had contacted government cyber-security bodies in
Australia and New Zealand, the Privacy Commissioner and the Australian
Information Commissioner.

Shera said that by contacting the Privacy Commissioner and then
contacting the affected staff, Spotless had complied with its
obligations under privacy laws.

Shera said the commissioner could launch an inquiry and take action
against the company, and only at that stage could unhappy individuals
take action, by complaining to the Human Rights Tribunal.

Spotless gave staff an information sheet entitled “Steps you can take
to protect against potential data misuse” and offered a freephone
hotline number available during business hours.

“We would like to apologise for any concern or inconvenience the
incident may have caused,” it wrote.

The guide included basic internet security advice, such as changing
passwords, using multi-factor authentication and installing
anti-virus software. It also suggested applying for a consumer credit
report, and said “we note that passport numbers can be used to
take out lines of credit or otherwise conduct fraudulent
transactions”.

Cocker said former staff could consult the Netsafe website for
guidance, and he also recommended the services of ID Safe, who help
victims of identity theft.

Cocker said Spotless could consider contributing to the costs for
individuals, saying: “It would be good to see businesses picking up
some of these costs... especially for staff and ex-staff, that seems
quite reasonable.”

Feilidh Dwyer, spokesperson for the Privacy Commissioner, confirmed
Spotless told them of a privacy breach on October 30, 2020, and had
been in contact since. “We have asked Spotless for more information
about the number of New Zealand workers affected. Spotless has
informed us it is in the process of notifying affected individuals.”

Spotless, owned by Australian infrastructure giant Downer, says it is
New Zealand’s fourth-largest employer, providing cleaning, laundry,
catering, facility management and maintenance services across sectors
such as aviation, defence, education, government, healthcare and aged
care.

In a statement, Helene Toury, Spotless’ general manager of reputation
and business excellence, said that “through its investigation of the
incident, Spotless learned that some personal information may have
been accessed during the incident. Spotless has written to those who
may have been affected to notify them and to provide information to
assist them to protect their personal information in the future.”

Asked if Spotless would compensate those left out of pocket, and
whether it felt an email was enough to reach all staff, Toury replied:
“rest assure[d] that we have taken reasonable steps to notify all the
affected individuals. We have set up a call centre and email address
that affected individuals can contact us if they have any queries,
details of which are in the notification.”
