Debt collector's data breach exposes telco customer information
A debt collector committed a data breach when it loaded information about client accounts onto the freelancer.com website with the intention of engaging a data analyst to work on the information.

Debt collector Australian Recoveries and Collections was acting as a debt recovery mercantile agent for Optus last year, when it loaded personal details from Optus accounts onto freelancer.com and exposed the data to as many as 50 contractors using the site.

Optus notified the Office of the Australian Information Commissioner of the privacy breach last November.

Optus also applied to the Supreme Court of New South Wales, which ordered freelancer.com to disclose the identity of any individuals who may have accessed the personal information posted by ARC. Freelancer.com confirmed that the information was "potentially downloaded" by 51 users. Optus contacted the users whose contact details it could obtain in an attempt to ensure the information was destroyed.

Optus notified the customers that they had been the victims of a privacy incident. ARC also contacted the OAIC, lodging a data breach notification. Since then ARC has given an undertaking not to repeat the conduct that led to the privacy incident.

The company must implement improved information security procedures and privacy training for staff. It must reimburse the costs of credit monitoring alert services for any individuals whose personal information was disclosed in the incident. It must engage a consultant to review its handling of personal information and undertake to act on any recommendations.

The Australian Privacy Principles involved in the breach were APP 6.1, which says an APP entity must not use personal information collected for a particular purpose for another purpose, and APP 11.1, which says an APP entity must take reasonable steps to protect the personal information it holds from misuse, interference or loss and from unauthorised access.