McAfee keeps leaked details to itself

McAfee is yet to confirm with delegates to its recent Strategic Security Conference that their details were leaked in a bulk email, as reported on iTnews yesterday.

Teacher Steve Murphy, whose details were among those leaked in yesterday's incident, told iTnews he still hasn't heard from the vendor to tell him that his details were sent to an unknown list of recipients.

"When I saw what was [on the list] I was horrified," Murphy said.

Murphy said he understood mistakes happen but was unhappy with how McAfee dealt with the breach.

"I don't care about how it's happened," he said. "It's how they handled it."

Murphy said the list had details of personnel from such government departments as the New South Wales Crime Commission, the Australian Taxation Office, the Attorney General's Department and the Audit Office of New South Wales.

It also included the details of employees from companies such as Woolworths, Yahoo!7, St George Bank, IBM, Boral, Telstra, Macquarie Group, Westpac and QBE Insurance.

In  an interview on security podcast Risky Business, McAfee's Asia Pacific President, Steve Redman, didn't say if the security vendor will disclose the data breach to those whose details were leaked.

Redman at first said that McAfee has "a small legal responsibility and a high social responsibility" to let affected customers know about the breach, but later said "I don't think we would send that email".

iTnews contacted companies that attended the conference to see if McAfee had notified them of their information being leaked. All declined to comment.

The Office of the Privacy Commissioner told iTnews that data breaches were something a company had to take "reasonable steps" to act upon. It added that the law doesn't stipulate an outcome from those "reasonable steps".

The Australian Law Reform Commission has recommended that the Federal Government introduce data breach laws as part of a review of privacy legislation.

The Government is yet to set a timeline for when such laws might be introduced.

Murphy said he was concerned people could use the information from the leaked spreadsheet from a social engineering perspective.

"What concerns me is here is a security company and they haven't even recognised one of the most basic things from a social engineering point of view," he said.

"This information can be used in all sorts of ways...let alone the privacy issues or the fact it's commercial-in-confidence," Murphy said.

"There are also significant security issues here when you've got identity managers of government departments on there."