BreachExchange mailing list archives
Westfield customer details exposed in data breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 15 Aug 2010 00:09:54 -0400
http://www.itnews.com.au/News/224320,westfield-customer-details-exposed-in-data-breach.aspx

Notifies Bondi customers in show of good faith.

The details of customers that shop at Westfield Bondi Junction have been exposed on an internet site after a direct marketing email mishap on Monday night.

Westfield has warned subscribers to its mailing list that customer details were visible on the web for eight hours.

In a note sent to customers, Westfield said it experienced a "technical problem" with a link in an email newsletter sent to subscribers, asking them to update their contact details.

"As a consequence, the personal information of people who updated their details between 6.18pm on Monday 9 August 2010 and 2.30am on Tuesday 10 August 2010 may have been able to be viewed by other subscribers clicking on the link during that time," the note stated.

Within three hours of the email newsletter being sent, the shopping giant claims that its staff had been made aware of the problem, and it was able to resolve the issue by 2:30am on Tuesday.

Westfield was approached to reveal how many customer records were exposed and the nature of personal information contained within them but was unavailable for comment.

According to the company's privacy policy, Westfield would usually only collect names and email addresses of subscribers, to be used by Westfield and the owners of shopping centres it builds or leases. It also collects domain information and IP addresses, and logs users' browsing behaviour whilst on the Westfield site.

Customers, however, were warned in Westfield's note about the possibility of receiving unsolicited phone calls as a result of the breach.

Westfield's privacy policy also states that its customer database "is protected by a firewall as well as host-based security.

"The data is not transmitted over the Internet once it has been stored in the database. If Westfield ever has a requirement to transmit the data over the Internet (for example, to make an off-site backup) it will be in encrypted form.

"The electronic environments are real-time monitored by Westfield and a third party specialist security monitoring company."

Westfield described the matter as a "one off occurrence due to a technical problem which has now been remedied and will not occur again.

"However, you should be aware that any personal information you uploaded during this period may have been viewed during this time," the shopping giant told customers. "If you receive any unusual emails, telephone calls or other communications you should treat these with caution."

There is no formal data breach notification requirement in place under Australian law that would require Westfield to notify its customers, but the Australian Law Reform Commission expressed a desire for the Federal Government to introduce such a law in a report released two years ago. In its absence, Australia's privacy commission has sought organisations to create a voluntary code to self-regulate.

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/