The details of customers that shop at Westfield Bondi Junction have been exposed on an internet site after a direct marketing email mishap on Monday night.
Westfield has warned subscribers to its mailing list that customer details were visible on the web for eight hours.
In a note sent to customers, Westfield said it experienced a "technical problem" with a link in an email newsletter sent to subscribers, asking them to update their contact details.
"As a consequence, the personal information of people who updated their details between 6.18pm on Monday 9 August 2010 and 2.30am on Tuesday 10 August 2010 may have been able to be viewed by other subscribers clicking on the link during that time," the note stated.
Within three hours of the email newsletter being sent, the shopping giant claims that its staff had been made aware of the problem, and it was able resolve the issue by 2:30am on Tuesday.
Westfield was approached to reveal how many customer records were exposed and the nature of personal information contained within them but was unavailable for comment.
It also collects domain information and IP addresses, and logs user's browsing behavior whilst on the Westfield site.
Customers, however, were warned in Westfield's note about the possibility of receiving unsolicited phone calls as a result of the breach.
"The data is not transmitted over the Internet once it has been stored in the database. If Westfield ever has a requirement to transmit the data over the Internet (For example, to make an off-site backup) it will be in encrypted form.
"The electronic environments are real-time monitored by Westfield and a third party specialist security monitoring company."
Westfield described the matter as a "one off occurrence due to a technical problem which has now been remedied and will not occur again.
"However, you should be aware that any personal information you uploaded during this period may have been viewed during this time," the shopping giant told customers. "If you receive any unusual emails, telephone calls or other communications you should treat these with caution."
There is no formal data breach notification requirement in place under Australian law that would require Westfield to notify its customers, but the Australian Law Reform Commission expressed a desire for the Federal Government to introduce such a law in a report released two years ago.
In its absence, Australia's privacy commission has sought organisations to create a voluntary code to self-regulate.