Supermarket chain Ritchies Supa IGA is the latest Australian business to notify its customers that its website had been hacked, following the introduction of the mandatory data breach notification laws earlier this year.
According to Fairfax, the details of more than 6000 Ritchies customers who used an online ‘Contact Us’ form to contact the supermarket chain may have been accessed as a result of the breach.
The business emailed customers on Monday to notify them of the breach, which occurred at the start of May.
Customers’ names, email addresses and phone numbers may have been accessed, but financial details and internal databases were not affected.
Get daily business news.
The latest stories, funding information, and expert advice. Free to sign up.
Ritchies Supa IGA chief executive Fred Harrison told Fairfax the company was alerted to the issue by its service provider after the website crashed.
“Basically there was an attack by an unidentified entity on our external-facing website, which was hosted on third-party servers,” he said.
“For about 12 hours from 10pm on May 11 and 1am on May 12, a malicious code was embedded into the website, which caused users to be redirected to another website.”
Following the breach, the company has reviewed and changed its processes for capturing customers’ details, and notified the Office of the Australian Information Commissioner.
Harrison said the breach was a ‘wake-up call’ for his team to ensure the correct security measures are now in place.
“This is the first time this has happened to us,” he said.
Mandatory data breach notification system now in play
The federal government’s Notifiable Data Breaches regime has now been in effect for three months, after its introduction at the end of February.
The legislation means Australian companies that are turning over more than $3 million a year are now obliged to report data breaches to both the Privacy Commissioner and their customers, and they face the prospect of steep fines if they fail to do so.
There’s the reputational effects to consider too; as crisis communications expert Gerry McCusker wrote for SmartCompany last year, “the impact to customer confidence, gossip and loyalty due to a data or privacy breach must not be underestimated”.
In the first six weeks of the system being in place, there were 63 data breach notifications recorded, with health service providers accounting for the most breaches (24% of notifications). The sector was followed by legal, accounting and management services (16%), finance (13%), private education (10%) and charities (6%).
Close to half of the breaches were caused by malicious or criminal attacks, such as the one that hit Richies Supa IGA, while 51% were found to have been caused by human error. Another 3% were caused by system faults.
However, the vast majority of breaches involved the personal information of fewer than 1000 people (90%), and 59% involved cases where the personal information of fewer than 10 people was affected.
Do you want to learn more about cyber security for your business? Check out SmartCompany’s latest ebook.