OAIC accepts undertaking from ARC on Optus customer data breach

The Australian Privacy Commissioner has accepted an enforceable undertaking from ARC Mercantile following a breach of personal customer data at the end of last year, which occurred when an ARC employee posted a spreadsheet of customers owing money to Optus on Freelancer.com.

"This incident emphasises the importance of not only establishing and implementing privacy processes, but also maintaining these processes to ensure a culture of privacy within the organisation," the Office of the Australian Information Commissioner (OAIC) said.

"This includes providing appropriate training to all staff across the organisation on their obligations under the Privacy Act, and ensuring they understand these obligations."

The undertaking, which is legally enforceable between the commissioner and ARC, will see the company implement improved information security within three months, including establish a secure Digital Rights Management Server; implement privacy training for its staff members within three months; pledge to not repeat the conduct that led to the incident; and offer to reimburse the cost of a 12-month credit-monitoring alert service within 14 days for those whose personal information was breached during the incident.

ARC must also appoint a third party, in consultation with the OAIC, within 14 days to review its handling and security of personal information, and implement any recommendations made as a result of this review.

Optus in December confirmed that the breach occurred when an ARC staff member had been attempting to hire a freelance worker on Freelancer.com to analyse the data, which included names, addresses, dates of birth, emails, phone numbers, and their history of debt collection, with 51 people accessing the data.

"Optus takes the protection of customer data and privacy seriously," an Optus spokeswoman told ZDNet in a statement at the time.

"Optus has become aware that an employee of a third-party supplier posted a document containing customer data to a public website. This action was unauthorised by Optus and its supplier, ARC."

Both Optus and ARC voluntarily reported the breach to the OAIC, with Optus also notifying affected customers.

"We are pleased to see that Optus has notified affected individuals about this incident," the OAIC said.

"Notification can be an important mitigation strategy that has the potential to benefit both the organisation and the individuals affected by a data breach. The OAIC strongly encourages notification in appropriate circumstances as part of good privacy practice."

While Crikey reported the number of customers whose data was breached as being 31,150, the telco did not comment on this.

"As soon as Optus became aware of ARC's action, we acted swiftly to remove the data and conduct a full investigation into the incident," the Optus spokeswoman added.

Australian Privacy Commissioner Timothy Pilgrim, who was reappointed yet again in July, has historically taken a hard line against companies that cover up data breaches, saying that the concealment of a data breach "will not be looked well on by our office".