The first data breach under the new Mandatory Data Breach Notification Law has been publicised. Shipping company Svitzer Australia has the dubious honour of being the first company to report a data breach which saw the personal information of half of its employees leaked outside of the organisation.
It has been revealed that up to 60,000 emails from three accounts in finance, payroll and operations were secretly auto-forwarded to two external accounts between May 2017 and March 2018.
The auto-forwarding was set up via an email rule and was only detected after the emails began to bounce back. The company immediately stopped the auto-forwarding once it became aware of the issue in March.
The email rule had been created on employee accounts and also included rules to delete the forwarded emails so the compromised email account owners couldn’t see that the emails were being forwarded.
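A defender's check for the rule pattern described above, added here as an example and not part of the original report: it flags mailboxes that forward to an external address, and raises the severity when a delete rule hides the copies or when several mailboxes feed the same outside address. The rule export format, field names, addresses and domains are constructed assumptions, not the schema of any particular mail platform.

```python
from collections import defaultdict

# Constructed sample export of mailbox rules; the field names are hypothetical.
SAMPLE_RULES = [
    {"mailbox": "payroll@corp.example", "name": "r1",
     "forward_to": ["drop1@mail.example"], "delete": False},
    {"mailbox": "payroll@corp.example", "name": "r2",
     "forward_to": [], "delete": True},
    {"mailbox": "finance@corp.example", "name": ".",
     "forward_to": ["drop1@mail.example", "boss@corp.example"], "delete": True},
    {"mailbox": "ops@corp.example", "name": "archive",
     "forward_to": ["ops-archive@corp.example"], "delete": False},
    {"mailbox": "hr@corp.example", "name": "personal copy",
     "forward_to": ["Someone@Home.example"], "delete": False},
]

def domain(addr):
    """Lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].strip().lower()

def audit_rules(rules, internal_domains):
    """Return one finding per mailbox that forwards mail outside the organisation."""
    internal = {d.lower() for d in internal_domains}
    external = defaultdict(set)   # mailbox -> external forwarding targets
    deletes = set()               # mailboxes that have any deleting rule
    for r in rules:
        for addr in r.get("forward_to", []):
            if domain(addr) not in internal:
                external[r["mailbox"]].add(addr.strip().lower())
        if r.get("delete"):
            deletes.add(r["mailbox"])
    # Which mailboxes feed each external address (several feeding one is suspicious)
    fan_in = defaultdict(set)
    for mbox, targets in external.items():
        for t in targets:
            fan_in[t].add(mbox)
    findings = []
    for mbox in sorted(external):
        targets = sorted(external[mbox])
        shared = any(len(fan_in[t]) > 1 for t in targets)
        hidden = mbox in deletes  # delete rule may live in a separate rule
        findings.append({"mailbox": mbox, "targets": targets,
                         "hides_copy": hidden, "shared_target": shared,
                         "severity": "high" if hidden or shared else "medium"})
    return findings

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, {"corp.example"}):
        print(finding)
```

Run on a schedule against a fresh rule export, a check like this surfaces the forwarding itself rather than waiting for a side effect such as bounced mail.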
The perpetrator has not yet been identified and forensic IT experts have been called in to investigate.
The emails themselves contained large amounts of information on employees, including tax file numbers, next of kin details and superannuation details. The data breach affected more than 400 out of the 1000-strong workforce at Svitzer.
“This is a reminder of the constant threat individuals and businesses alike face,” Svitzer Australia managing director Steffen Risager said in a statement.
“The nature of cybercrime means while we can get it right a thousand times, the perpetrator only needs to get it right once. We will learn from this experience.”
This is the first data breach to be made public since the new mandatory reporting laws came into effect. The OAIC has already received 31 notifications in just the first three weeks of the law being enforced. It will release information on the notices it receives every quarter, with the first expected to be released in early April.