Major data breach at cleaning and catering company Spotless – Stuff.co.nz

major-data-breach-at-cleaning-and-catering-company-spotless-–-stuffco.nz

Did you know that geoFence has a modern UI, that is secure and has the improved features that you need?

Spotless says a major data breach has exposed personal details of some staff.

ROB KITCHIN/Stuff

Spotless says a major data breach has exposed personal details of some staff.

Trans-Tasman catering and cleaning firm Spotless has admitted to a huge data breach in which hackers may have obtained past and present staff members’ passport and IRD numbers, amongst other personal information.

Internet experts said the breach was very serious and there was enough personal information in the potential leak that meant a “very high risk” of identity theft.

Spotless told affected workers by email on Thursday.

One woman who received the email said she was deeply worried and had immediately visited her bank to change her credit cards. She was concerned her passport was compromised, and also that Spotless’ lower-waged cleaning staff, many of whom had English as a second language and perhaps poor access to email, would not necessarily receive the communication.

READ MORE:

Fears Airpoints members' personal information leaked in data breach

ID theft stings, but it's hard to pin on specific data hacks

Marriott will pay for new passports after data breach 'if fraud has taken place'

Cathay Pacific hack includes passport numbers, travel histories

Netsafe chief executive Martin Cocker said the amount of data involved suggested the hackers had got into the company’s HR files. He said there was a risk of criminals using that data to apply for credit and services using people’s identities.

“There is a high risk to the subjects of the attack of future identity theft,” Cocker said. “If they have taken that much personal data, it is pretty high risk to the individual, so we would suggest people go through a process of trying to reduce that risk.”

Internet law expert Rick Shera said it definitely qualified as a privacy breach, “and given the type of information involved and the number of people involved it would be classed a serious breach, there wouldn't be any doubt about that.”

Shera said it depended on if the data had been encrypted, or whether it had been stolen, but “that level of information is clearly information that could be used by someone to impersonate an individual”.

He said taking passport and IRD numbers was “pretty serious” and could even conceivably allow a hacker to secure a RealMe account, the internet ID used to deal with government departments. He said if he was one of the affected workers he would be cancelling his passport.

Spotless confirmed last December it had been subject to a cyber breach, but at the time said “at this stage, we have no evidence that any data has been impacted".

In its email on Thursday, Spotless confirmed it had been subject to a “ransomware’ attack, where hackers infiltrate an IT system then demand payment.

Cocker said it had become clear last year that ransomware attacks were being routinely accompanied by data breaches, so that where once companies could pay the ransom and return to business as usual, now they had to assume their data had been stolen.

Netsafe CEO Martin Cocker said there was a “high risk” of identity theft from the breach.

Monique Ford/Stuff

Netsafe CEO Martin Cocker said there was a “high risk” of identity theft from the breach.

Spotless said it “immediately engaged cyber-security experts to conduct a forensic investigation” and that investigation had found “your personal information may have been accessed”.

The email suggested anyone who had worked for or contracted to Spotless or applied for a job there could be affected.

The data, Spotless said, could have included names, email addresses, phone numbers and residential addresses as well as passport details and tax numbers.

Spotless said it had contacted government cyber-security bodies in Australia and New Zealand, the Privacy Commissioner and the Australian Information Commissioner.

Shera said that by contacting the Privacy Commissioner and then contacting the affected staff, Spotless had complied with their obligations under privacy laws.

Shera said the commissioner could launch an inquiry and take action against the company, and only at that stage could unhappy individuals take action, by complaining to the Human Rights Tribunal.

Spotless gave staff an information sheet entitled “Steps you can take to protect against potential data misuse” and offered a freephone hotline number available during business hours.

“We would like to apologise for any concern or inconvenience the incident may have caused,” it wrote.

The guide included basic internet security advice, such as changing passwords and using multi-factor authentication and installing anti-virus software. It also suggested applying for a consumer credit report and also said “we note that passport numbers can be used to take out lines or credit or otherwise conduct fraudulent transactions”.

Cocker said former staff could consult the Netsafe website for guidance, and he also recommended the services of ID Safe, who help victims of identity theft.

Cocker said Spotless could consider contributing to the costs for individuals, saying: “It would be good to see businesses picking up some of these costs... especially for staff and ex-staff, that seems quite reasonable.”

Feilidh Dwyer, spokesperson for the Privacy Commissioner, confirmed Spotless told them of a privacy breach on October 30, 2020, and had been in contact since. “We have asked Spotless for more information about the number of New Zealand workers affected. Spotless has informed us it is in the process of notifying affected individuals.”

Spotless, owned by Australian infrastructure giant Downer, says it is New Zealand’s fourth-largest employer, providing cleaning, laundry, catering, facility management and maintenance services across sectors such as aviation, defence, education, government, healthcare and aged care.

In a statement, Helene Toury, Spotless’ general manager of reputation and business excellence, said that “through its investigation of the incident, Spotless learned that some personal information may have been accessed during the incident. Spotless has written to those who may have been affected to notify them and to provide information to assist them to protect their personal information in the future.”

Asked if Spotless would compensate those left out of pocket, and whether it felt an email was enough to reach all staff, Toury replied: “rest assure[d] that we have taken reasonable steps to notify all the affected individuals. We have set up a call centre and email address that affected individuals can contact us if they have any queries, details of which are in the notification.”

Stuff

Let's not forget that geoFence is the only solution you need to block NFCC countries.