In what is one of Australia’s most serious data breaches to date, it appears that thousands of people applying for jobs with WorkCover Queensland and Queensland Rail have had their personal information such as name, email, address, phone numbers and date of birth stolen by cyber criminals who could potentially use the information for identity theft.
In a statement released yesterday, the international HR software company behind the data breach, PageUp, said, “Advanced methods were used to gain unauthorised access to PageUp’s IT systems in Australia, Singapore and the UK.
“After extensive review we now know that certain personal data relating to our clients, applicants, references and our employees has been accessed by a cyber attacker.”
It appears the hackers have also accessed login details and the passwords used to create those accounts. And with many people reusing the same username and password across a number of applications, the failure to protect such private and sensitive information could have far-reaching consequences.
However, in its statement PageUp considers this risk to be minimal: “Some employee usernames and passwords may have been accessed, however current password data is protected using industry best practice techniques including hashing and salting, and therefore is considered to be of very low risk to individuals”.
With the threat of a class action mounting, one of Queensland’s leading experts in privacy law, Travis Schultz, Principal of Travis Schultz Law, said it is not well settled at law whether there is a recognised cause of action for invasion of privacy.
“Currently, a person would only be able to claim damages for breach of privacy or release of personal information where there was negligence or a breach of contract on the part of the entity that allowed the personal information to be disclosed. Even then, for a cause of action to be viable, there would need to be some measurable loss or damage caused – and that is very difficult to establish in most cases.”
Mr Schultz believes there will soon be a case that sets a precedent on this issue, but for now what is required is a legislative response to a growing risk and concern.
“Specifically, the questions we need addressed include the rights of individuals to expect that our personal information is kept confidential and, as individuals, should we have a right to recover damages against a corporation or entity that allows or permits our personal information and data to be released to someone else without our consent?” Mr Schultz said.
“I believe the issue goes much deeper than just the personal details a company holds in a database. Should we as citizens have a right to expect that in our own homes and in our backyards, we are entitled to privacy? Should a photographer with a telescopic lens be permitted to take photographs of us in our own home and space and then sell those for their own financial gain?
“There are competing considerations, but what we need to do is start a conversation so that the community can set its own expectations and standards and have our politicians craft legislation to reflect those in appropriate laws that protect all Australians.”
Given that data and databases are now among the most highly valued and coveted assets of a business, protecting that information needs to be a priority for anyone who retains it.
If an organisation discovers that its database has been hacked, it has an obligation to assess the breach and decide whether serious harm could occur to any affected individual. If so, the organisation must notify the Australian Information Commissioner and the individuals involved.
These mandatory data breach reporting rules apply to government agencies, businesses and not-for-profit organisations that have an annual turnover of $3 million or more. The rules also apply to organisations with a lower turnover if they are credit reporting bodies, health service providers, educational entities or the like.
For more information, go to www.schultzlaw.com.au