A major data breach has exposed personal details of the staff of Spotless, a Trans-Tasman catering and cleaning company.
In an email on Thursday, Spotless confirmed it was a ransomware attack. The company said hackers may have obtained past and present staff members’ passport and IRD numbers and other personal information. This stolen data is sufficient to present a “very high risk” of identity theft.
The company alerted its employees by email. As many of the company’s staff speak English as a second language and perhaps check email only sporadically, some portion of impacted individuals would likely miss the communication.
Netsafe chief executive Martin Cocker said the stolen data suggests the hackers had got access to the company’s HR files. If so, there was a risk of criminals applying for credit and buying services using people’s identities.
“There is a high risk to the subjects of the attack of future identity theft,” Cocker said. “If they have taken that much personal data, it is pretty high risk to the individual, so we would suggest people go through a process of trying to reduce that risk.”
Internet law expert Rick Shera said it was a serious privacy breach, “and given the type of information involved and the number of people involved it would be classed a serious breach, there wouldn’t be any doubt about that.” He said a hacker could get access to the victim’s RealMe account, the online ID used with government services.
Spotless said it had notified government cyber-security bodies in Australia and New Zealand, the Privacy Commissioner and the Australian Information Commissioner.
Spotless said it “immediately engaged cyber-security experts to conduct a forensic investigation.” The company said, besides passport details and tax numbers, stolen data could have included names, email addresses, phone numbers, and residential addresses.
Spotless admitted that passport numbers can be used to “take out lines of credit or otherwise conduct fraudulent transactions”.
The company apologized for the incident and advised its staff to change passwords and use multi-factor authentication.