Privacy Commissioner may investigate Woolworths gift card blunder

The OAIC has asked Woolworths to explain why AU$1.3 million worth of e-gift cards have now had to be cancelled as consumers' personal information and card access details were mistakenly sent out at the weekend.

The Office of the Australian Information Commissioner (OAIC) has issued a statement advising consumers that it is aware of media reports of an incident in which retail giant, Woolworths, allegedly emailed gift card details to a large number of customers.

Fairfax Media reported on Sunday that Woolworths has had to cancel over $1 million worth of shopping vouchers as a result, as consumers' purchase history and digital access to redeem the cards would allow those in possession of the information to spend the balance online.

Discovered on Saturday morning, the data breach affected customers who purchased vouchers from the online saving site, Groupon. Once an e-gift card was purchased from the third-party website, customers were advised that they would receive an email containing an attachment of their electronic voucher. However, upon opening the attachment, they discovered an Excel spreadsheet containing the links to over AU$1 million worth of vouchers.

In response to the privacy breach, Australian Privacy Commissioner Timothy Pilgrim said today in a statement that the OAIC has approached Woolworths for further information.

"We will assess the information provided by Woolworths to determine what further action may be required," he said.

"If people affected by this incident have any concerns about their personal information, they should contact Woolworths in the first instance. If they are not satisfied with any response they receive they can contact our enquiries line to get more information about how the Privacy Act might apply and how they can make a complaint."

In November last year, the OAIC released the government's Privacy Regulatory Action Policy, which explains the powers available to the privacy commissioner and formalises the approach he will take when using these powers.

Following the policy, the commissioner issued a strong warning to companies that attempt to cover up data breaches, or that have failed to take a proactive approach toward ensuring that personal data is kept secure, saying that attempts to conceal a data breach "will not be looked well on by our office".

It is not compulsory for businesses to alert customers when a data breach occurs, but legislation has been entered into parliament to make data breach notification mandatory.