Early next year, Australian companies will be subject to new laws requiring them to report to the Privacy Commissioner when they suffer a data breach resulting in unauthorised access to personally identifiable information. Generally, we think of this as being the result of a breach where a threat actor breaks into systems and steals data. But not all breaches are malicious.
In Scotland, a woman went to her local post office to carry out a currency exchange before going on holidays. A problem was detected with the transaction but it wasn't found until after she had left for holidays.
A post office employee, wanting to track the woman down, posted some video of the transaction with the following message.
“Do you know this woman? I was wondering if any of my Facebook friends recognise this lady who was in Cardonald post office yesterday. We know she is going on holiday and her name is Karen Allison. We need to contact her. So if anyone can provide a telephone number or address or even ask her to contact us, that would be great.”
Most people, incorrectly, jumped to the conclusion that the woman had robbed the post office and was wanted for a crime.
While the matter was eventually resolved, it highlights what can happen when staff inadvertently release PII.
Now is the time to begin education programs around what PII means, how it is every employee's responsibility to protect it, the potential impacts of a breach, and the penalties for screwing it up.
Aside from the legal issues, protecting customer data makes good business sense.