NSW Transport hack: to cry wolf or fear being eaten?

The attack on the systems of Transport for NSW poses some interesting questions about the management of security incidents, especially concerning data breach reporting.

Did the department mismanage public relations in announcing early that some customer credit card and personal data had probably been stolen during the incident, given it later changed its story? What are the rules for reporting this kind of breach to customers? 

Transport for NSW first reported the incident on May 27 when it warned customers about a security breach. It said the affected database "does not contain sufficient credit card information for it to be used in any transaction".

The following day the agency urged customers to be "extra vigilant" to any unsolicited requests for personal information, and to notify their bank of unusual activity on their card.

A few days later the NSW Privacy Commissioner advised the agency's customers that personal and financial details were likely accessed in the attack. By this point, customers would have resigned themselves to the fact that their personal details were in the hands of the attackers.

This is when the majority of us would start putting measures in place to deal with the fallout: closely watching bank account transactions, signing up to Scamwatch, and generally being irritated to be the victim of yet another data breach.

Six days later, the investigation is wrapped up, and NSW TrainLink publishes another statement, this time saying there “no evidence of a compromise to any customer information, including credit card details.”

This announcement would have been pleasing news for all concerned. However, will the fact that they’ve cried wolf once already put people off listening to their warnings should this happen again?

The Office of the Australian Information Commissioner (OAIC) has some excellent guidance on dealing with personal information security breaches. It offers four steps to work through an incident: contain the breach and do a preliminary assessment; evaluate the risks; notify; and prevent future breaches.

Step one is interesting. Within the OAIC’s guidance, there is a clause stating "in some cases it may be appropriate to notify the affected individuals immediately" - especially when there is no doubt about what occurred and it poses a significant risk of serious harm to individuals.

However, if there is less risk (and this is somewhat subjective), then organisations should proceed to step two, where the risks are further evaluated and refined. Only when the extent of the breach and the risks associated with the loss of the personally identifiable data are determined would you progress to step three, notification.

Taking these guidelines on face value, I’d suggest that the preliminary assessment by Transport for NSW was this posed a high level of risk of serious harm to affected individuals. However, if what was stolen is in doubt and they know the data would not have contained usable credit card information, what data was included in the theft?

Customers should have been informed as to whether it was personal details, such as name, email address, date of birth, phone number, or home address.

It could be that this was simply a knee-jerk reaction from an organisation that is inexperienced in dealing with security incidents (which is not uncommon). 

They certainly want to do the right thing by their customers, but overreacting because of inexperience can sometimes be as dangerous as not reacting fast enough.

This time the public reaction indicates Transport for NSW did the right thing in notifying early. Nevertheless, this is all very new to Australian organisations and we’re learning together how to deal with breach notifications.

There may come a time in the not too distant future when victims becomes desensitised to over reporting, especially if it’s a regular occurrence. Crying wolf is a dangerous game.