Svitzer makes first public NDB disclosure

Shipping company Svitzer has made the first public disclosure of a data leak since the introduction of Australia's Notifiable Data Breach (NDB) legislation, announcing the theft of data affecting nearly half of its Australian employees.

Up to 60,000 emails from three accounts associated with finance, payroll and operations had been compromised to be secretly auto-forwarded to two external accounts for nearly an 11-month period, the company disclosed.

The emails contained sensitive information including tax file numbers, next of kin details and superannuation account information, the ABC reported.

The breach began on 27 May last year and was only detected on 1 March this year after the forwarded emails started to bounce back.

According to the report, Svitzer is investigating the incident and has so far ruled out that it was an internal culprit.

Svitzer disclosed the breach to the OAIC in 15 days, well within the 30-day disclosure window stipulated by the NDB scheme. But the ABC noted that the UK's General Data Protection Regulation (GDPR), due to be implemented in May, gives companies just a 72-hour window to disclose data breaches to the supervising regulatory authority.

Svitzer is a subsidiary of Danish shipping conglomerate Maersk Group, which was itself one of the victims of the global NotPetya ransomware outbreak last June. The attack is estimated to have cost the company up to US$300 million ($389.5 million).

While this was the first public disclosure of a data leak since the NDB legislation was introduced on 22 February, the OAIC reportedly had 31 notifications in the first three weeks of the scheme being in operation.

Follow us and share on Twitter and Facebook