The first data breach of 2019 was reported less than 24 hours into the New Year.
The details of an estimated 30,000 Australian civil servants were stolen when a directory was downloaded by an unauthorised third party – believed to have phished the email address of a government employee in the state of Victoria.
The Victoria Premier’s Department said it had referred the breach to police, the Australian Cyber Security Centre and the Office of the Victorian Information Commissioner, Australia’s ABC network reported.
2019’s First Data Breach
The data set held details including work emails, phone numbers and job titles. Staff were told no banking or financial information was held in the directory.
“The Government will ensure any learnings from the investigation are put in place to better protect against breaches like this in the future,” the department said.
The incident comes two days after Australia’s national radio station operator Nova Entertainment also warned that a “legacy dataset” of information collected from listeners had been breached and “publicly disclosed”.
CEO Cathy O’Connor said in a statement that the data was collected between May 2009 and October 2011 and comprised personal information including name, gender and date of birth, contact information and user account details.
The incident follows a year in which large-scale breaches became the norm.
These include Facebook (up to two billion accounts scraped), the Marriott Hotel chain (over 500 million guests’ details), and Under Armour (150 million users’ details) to name just three. The equivalent of 291 records was stolen or exposed every single second in the first half of 2018, security company Gemalto’s Breach Level Index shows.
The haveibeenpwned.com website, which tracks compromised email accounts, now recognises 5.6 billion accounts as “pwned”.
(The website’s “pwned passwords” section meanwhile hosts 517,238,891 real world passwords previously exposed in data breaches.)
UK enterprises unsure how robust their databases are would be wise to start 2019 with a security audit: a late October ruling by the High Court means businesses have a greater duty of care than ever to protect employees’ data. The ruling held supermarket Morrisons “vicariously liable” for a former employee leaking personal information of some 100,000 members of staff. The supermarket lost its appeal on October 23 in what was the UK’s first data protection class action, made by 5,518 claimants.