First data breach publicised under Australian notice scheme

Shipping company Svizter Australia has revealed a data breach that saw the personal information of half of its employees leaked outside the company.

Yesterday it revealed that up to 60,000 emails from three accounts in finance, payroll and operations were secretly auto-forwarded to two external accounts between May 27 2017 and March 1 this year.

The forwarding rule was detected after the emails began to bounce back. 

The emails contained information on employees including tax file numbers, next of kin details, and superannuation account information, as first reported by the ABC.

It impacted more than 400 employees at the shipping company, which has a workforce of around 1000. Svitzer notified affected workers yesterday.

The company said it stopped the auto-forwarding after becoming aware of the issue on March 1.

It is undertaking a review to determine the extent of the theft and the identity of the perpetrator.

“This is a reminder of the constant threat individuals and businesses alike face,’’ Svizter Australia managing director Steffen Risager said in a statement.

“The nature of cybercrime means while we can get it right a thousand times, the perpetrator only needs to get it right once. We will learn from this experience.”

It notified the Office of the Australian Information Commissioner of the breach as per the country's new notifications scheme, which came into effect on February 22.

The breach is the first to be made public since the scheme came into force last month.

However, the OAIC said it has received 31 notifications in the first three weeks of the scheme being in operation.

It will release information on the notices it receives each quarter. The first publication of breach notices is expected in early April.

An OAIC spokesperson said the office would assess the information provided by Svizter and decide whether any further action was required.

It noted that the primary point of the new mandatory breach notification scheme was to ensure affected individuals were notified of a breach of their personal information.