Companies have to make a decision when to advise customers of a security breach
One of Australia’s largest travel insurers decided not to tell customers when their personal information was hacked and stolen late last year, according to the ABC, again raising questions about the obligations companies have to their customers in the event of a hacking.
Aussie Travel Cover did not inform potentially hundreds of thousands of Australians that their personal information may have been stolen and that parts of the company’s customer database had been posted online.
The company’s move to stay quiet on the hacking follows revelations last year that Catch of the Day took three years to inform customers of a hack, which saw passwords and credit card details stolen from its database.
According to the ABC, on December 18, 2014, hackers stole a large amount of personal information about Aussie Travel Cover’s clients, including names, phone numbers, email addresses, travel dates and the cost of their policies.
Computer security expert Troy Hunt told the ABC he estimated “about three quarters of a million” records were stolen, including partial credit card details.
The report alleges Aussie Travel Cover sent an email to its agents stating that it would not advise policyholders because it had engaged consultants to investigate the breach.
AVG security advisor Michael McKinnon told SmartCompany companies will often decide not to disclose a hack if there is an ongoing investigation into the matter.
“Many lawyers and security consultants will advise a company not to disclose a hack, particularly in the event of an ongoing investigation,” McKinnon says.
McKinnon says in some cases, a company will know they’ve lost information to a hacker because there is evidence the hacker is still inside the system, and not alerting customers and the media to the hack will allow them to monitor the activity.
“This remains one of the most challenging internal conflicts of interest for a company,” says McKinnon.
But he says while there is no legal obligation for a company to disclose a hack, if there was activity deemed to be a privacy breach, the company would be required to inform the Privacy Commission.
According to McKinnon, one of the best reasons to disclose a hack early to customers is to mitigate any potential phishing scams or identity fraud.
“The other side of it is social media. People are going to talk if [the company] likes it or not. We are arguably living in an age where much higher transparency is required,” he says.
“Those businesses that choose to withhold information, they will pay an incredibly high cost when that disclosure does happen,” he adds.
SmartCompany contacted Aussie Travel Cover but did not receive a response prior to publication.