BreachExchange mailing list archives

Westfield customer details exposed in data breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 15 Aug 2010 00:09:54 -0400

http://www.itnews.com.au/News/224320,westfield-customer-details-exposed-in-data-breach.aspx

Notifies Bondi customers in show of good faith.

The details of customers that shop at Westfield Bondi Junction have
been exposed on an internet site after a direct marketing email mishap
on Monday night.

Westfield has warned subscribers to its mailing list that customer
details were visible on the web for eight hours.

In a note sent to customers, Westfield said it experienced a
"technical problem" with a link in an email newsletter sent to
subscribers, asking them to update their contact details.

"As a consequence, the personal information of people who updated
their details between 6.18pm on Monday 9 August 2010 and 2.30am on
Tuesday 10 August 2010 may have been able to be viewed by other
subscribers clicking on the link during that time," the note stated.

Within three hours of the email newsletter being sent, the shopping
giant claims that its staff had been made aware of the problem, and it
was able to resolve the issue by 2:30am on Tuesday.

Westfield was approached to reveal how many customer records were
exposed and the nature of personal information contained within them
but was unavailable for comment.

According to the company's privacy policy, Westfield would usually
only collect names and email addresses of subscribers, to be used by
Westfield and the owners of shopping centres it builds or leases.

It also collects domain information and IP addresses, and logs users'
browsing behaviour whilst on the Westfield site.

Customers, however, were warned in Westfield's note about the
possibility of receiving unsolicited phone calls as a result of the
breach.

Westfield's privacy policy also states that its customer database "is
protected by a firewall as well as host-based security.

"The data is not transmitted over the Internet once it has been stored
in the database. If Westfield ever has a requirement to transmit the
data over the Internet (For example, to make an off-site backup) it
will be in encrypted form.

"The electronic environments are real-time monitored by Westfield and
a third party specialist security monitoring company."

Westfield described the matter as a "one off occurrence due to a
technical problem which has now been remedied and will not occur
again.

"However, you should be aware that any personal information you
uploaded during this period may have been viewed during this time,"
the shopping giant told customers. "If you receive any unusual emails,
telephone calls or other communications you should treat these with
caution."

There is no formal data breach notification requirement in place under
Australian law that would require Westfield to notify its customers,
but the Australian Law Reform Commission expressed a desire for the
Federal Government to introduce such a law in a report released two
years ago.

In its absence, Australia's privacy commission has sought
organisations to create a voluntary code to self-regulate.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/