The Office of the Australian Information Commissioner (OAIC) has told ZDNet there have been 31 notifications provided to the office led by Timothy Pilgrim since Australia’s Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018.
The NDB scheme requires agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.
The figure emerged as the OAIC is investigating a notification provided by tugboat operator Svitzer Australia.
Svitzer offers towage and marine services with a fleet of over 400 tugs, line handlers, and other vessels globally. It’s part of the Maersk Group that fell prey last year to a campaign which used a modified version of the Petya ransomware, NotPetya, to bring down IT systems and operational controls across its offices spanning 130 countries and a workforce of close to 90,000.
In total, Møller-Maersk chairman Jim Hagemann Snabe said the shipping giant reinstalled 4,000 servers, 45,000 PCs, and 2,500 applications as a result of the attack.
As first reported by the ABC, the local breach the OAIC was notified of affects around 500 of the company’s 1,000 Australia-based employees and dates back to May 2017.
It is reported that from then until March 1, 2018, when the practice was stopped, around 50,000 emails sent to three employee email accounts were auto-forwarded to external parties.
Lost details may have included tax file numbers, superannuation account numbers, and the names of next of kin, the ABC adds.
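Forwarding rules like the ones described above ran for roughly ten months before they were noticed, so a periodic check of exported mailbox rules for external targets is a cheap control. The following is an added example, not code from ZDNet, Svitzer or any product; the rule records and their field names are a constructed, assumed schema rather than any real mail server’s export format.

```python
import re

# Constructed sample of exported mailbox rules (assumed field names, not any
# real product's schema). "delete" marks rules that also discard the original.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com.au", "name": "Backup",
     "forward_to": ["Archive <alice@mail.example.com.au>"], "redirect_to": [], "delete": False},
    {"mailbox": "bob@example.com.au", "name": ".",
     "forward_to": ["ops@freemail-example.net"], "redirect_to": [], "delete": True},
    {"mailbox": "carol@example.com.au", "name": "Invoices",
     "forward_to": [], "redirect_to": ["finance@example.com.au", "Partner <x@partner-example.org>"], "delete": False},
    {"mailbox": "dave@example.com.au", "name": "Sort",
     "forward_to": [], "redirect_to": [], "delete": False},
]

INTERNAL_DOMAINS = {"example.com.au"}  # constructed organisation domain

_ANGLE_ADDR = re.compile(r"<([^>]+)>\s*$")


def extract_address(recipient):
    """Return the bare, lower-cased address from 'Name <user@host>' or 'user@host'."""
    m = _ANGLE_ADDR.search(recipient)
    return (m.group(1) if m else recipient).strip().lower()


def is_external(address, internal_domains):
    """True unless the address's domain is an internal domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1]
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def find_external_forwards(rules, internal_domains):
    """Flag every rule that forwards or redirects mail outside the organisation.

    Rules that also delete the original are called out, since that hides the
    forwarding from the mailbox owner.
    """
    findings = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = sorted({extract_address(t) for t in targets
                           if is_external(extract_address(t), internal_domains)})
        if external:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                             "external_targets": external,
                             "deletes_original": bool(rule.get("delete", False))})
    return findings


if __name__ == "__main__":
    for finding in find_external_forwards(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(finding)
```

Run against a real rule export, the output is a review list for the mail administrators; subdomains of the organisation’s own domain are treated as internal so that legitimate internal archiving does not generate noise.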
“Svitzer have provided a notice to the OAIC about the data breach,” the OAIC told ZDNet. “In accordance with its usual procedures and the OAIC’s privacy regulatory action policy the OAIC will assess the information in the notification and decide if any further action is required.”
The NDB scheme uses the phrase “eligible data breaches” to specify that not all breaches require reporting.
In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.
Examples of a data breach include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.
An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach as they do not have authorised access to the information in question.