On 19 April 2011 the Australian Privacy Commissioner (the Commissioner) commenced two own motion investigations under the Privacy Act 1988 (Cth) after Dell Australia Pty Limited (Dell Australia) advised the Office of the Australian Information Commissioner (OAIC) of an incident involving the personal information of its customers. At the time of the incident, the information was held by Epsilon which provides Dell Australia’s email marketing services.
The investigation focused on whether the overall security safeguards in place within Epsilon and Dell Australia were consistent with the National Privacy Principles contained in Schedule 3 of the Privacy Act.
While working remotely, an Epsilon employee was using the internet when his computer was infected with malware. The malware provided an unauthorised person (attacker) with access to the employee’s workstation. The attacker then installed additional malware that captured key strokes, screen-shots and video of the compromised workstation including the employee’s credentials and log on details.
Between 21 February 2011 and 30 March 2011, the attacker used the employee’s credentials to log on to Epsilon’s email marketing platform and gained access to personal information on Epsilon’s system. The compromised information included the email addresses and first and last names of customers of many companies including some Dell Australia customers. On 30 March 2011, an Epsilon employee contacted Epsilon’s security Hotline to report unusual download activity that appeared suspicious.
Epsilon immediately investigated the incident and discovered the source of the unauthorised access. As soon as Epsilon’s investigators identified the compromised login credentials, the security team disabled the credentials, initiated additional virus scans, and began a forensic investigation of the relevant computer resources to identify the cause of the incident.
Dell Australia informed the OAIC that data relating to Dell Australia’s consumer, small and medium business customers had been compromised by unauthorised access to Epsilon’s email system and that this involved customers’ email addresses as well as first and last names.
Upon becoming aware of the incident Epsilon immediately assisted its customers. These actions included:
- contacting potentially affected customers and cooperating with them on an ongoing basis
- providing public notice of the incident on the Epsilon website via press releases on 1 April and 6 April 2011, and setting up an incident-response centre to answer questions from customers who contacted Epsilon
- notifying law enforcement bodies including the Federal Bureau of Investigation (FBI) and United States Secret Service (Secret Service) to seek their assistance. The Secret Service began its own investigation on 1 April 2011
- Epsilon also added information to its website to provide educational materials for consumers on guarding against phishing attacks, accessible from the company’s front page.
The forensic investigation
On 1 April 2011, Epsilon engaged an IT security firm to conduct an investigation of the incident. The IT security firm provided a number of recommendations to assist Epsilon in the immediate and ongoing containment of the incident, as well as provide a short term remediation strategy. The recommendations included steps to block and prevent access to bad IP addresses, improvements to virus and malware scanning, changes to procedures for setting and using passwords, and changes to user access to Epsilon’s email marketing platform application.
Relevant provisions of the Privacy Act
The Privacy Act contains 10 National Privacy Principles (NPPs) that regulate the way that organisations handle ‘personal information’ about individuals. The Privacy Commissioner’s investigation focused on whether the operations of Dell Australia and Epsilon were consistent with NPP 4.1, which requires an organisation to take ‘reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure’.
The investigation looked at the overall security safeguards in place by the organisations to assess whether they had taken reasonable steps to comply with NPP 4.1. Generally, organisations will need to have a range of security safeguards in place to protect the information they hold. Such safeguards could include:
- physical security measures that, for example, only allow authorised persons to enter the premises
- secure storage and destruction facilities in place for personal information
- computer and network security measures
- security protocols that include policies and procedures that regulate how staff and others with access to personal information will access and handle that information.
What are considered to be reasonable steps to secure personal information will depend on the organisation’s particular circumstances.
From the information provided by Epsilon and Dell Australia, it was evident that the security data breach related to Epsilon’s email system and not Dell Australia’s and the incident could not have been avoided by any action taken by Dell Australia. Therefore the investigation concentrated on the actions of Epsilon.
Findings in relation to Dell Australia
In the Commissioner’s view, by entering into the contractual agreement with Epsilon, Dell Australia had reasonable steps in place to protect the personal information it holds from misuse and loss and had met its obligations under NPP 4.1.
Findings in relation to Epsilon
For its part, Epsilon had a range of security safeguards in place to protect the personal information it held at the time of the incident. In particular Epsilon applied recognised industry standards including:
- conducting annual SAS 70, Type II audits (an auditing standard developed by the American Institute of Certified Public Accountants and utilised by auditors for examining internal controls in service organisations)
- for the past five years it has implemented and maintained an information-security program conforming to data security standards set forth by the International Organization for Standardization (ISO), specifically, standards ISO 27001 and ISO 27002.
In addition, Epsilon conducts security training for its employees every year and has a comprehensive security policy that is reviewed and updated annually. Once approved by the Board of Epsilon, all employees must sign a statement acknowledging they have read and agree to the security policy. Further all employees and contractors are required to sign non-disclosure agreements.
Despite these measures, an employee inadvertently caused malware to be installed on Epsilon’s system which subsequently allowed an attacker to gain access to personal information stored on Epsilon’s database. This was a sophisticated and malicious attack which required expert knowledge to execute.
Such an attack on an organisation does not necessarily mean that the organisation has failed to take ‘reasonable steps’ as required by NPP 4.1. On the basis of information received from Epsilon, the Privacy Commissioner considers that at the time of the incident Epsilon had reasonable steps in place to protect the personal information it held and in his view Epsilon has met its obligations under NPP 4.1 of the Privacy Act.
As the incident occurred outside of Australia, the Privacy Act will only apply where the requirements of the extraterritorial application provisions in section 5B of the Act are met.
Section 5B of the Privacy Act prescribes that an act or practice engaged in outside Australia will be covered by the Act if that act or practice relates to personal information about an Australian citizen and the organisation responsible for that act or practice has an organisational or other link to Australia. Where an entity does not have an organisational link with Australia, the Privacy Act will only apply to the handling of personal information about Australian citizens where the organisation carries on a business in Australia, and the personal information was collected by, or held by the entity in Australia.
During the course of the investigation information provided suggested that Epsilon may not have met the requirements of section 5B. However, as the Commissioner was satisfied that Epsilon had met its obligations under the NPPs he was not required to come to a formal view on this matter.
Following his investigation into the matter, the Commissioner concluded that:
- Dell Australia was not in breach of NPP 4 as he was satisfied that the incident could not have been avoided by any action taken by Dell Australia.
- Epsilon was not in breach of NPP 4 as he was satisfied that this incident occurred due to a sophisticated security cyber-attack rather than a failure of Epsilon to take reasonable steps to protect its personal information.
The Commissioner decided to cease the OAIC’s own motion investigation into the incident following information provided by Dell Australia and Epsilon.
The Commissioner noted that once Epsilon was aware of this incident it acted swiftly to identify and contain the security risks to the personal information it holds and took appropriate steps to investigate the incident, improve its security systems further and work with law enforcement agencies regarding this matter. These steps helped to ensure that the breach was contained and no further unauthorised access occurred.
Should the OAIC receive individual complaint/s concerning this matter, it will deal with each complaint on its merits.
Acronyms and abbreviations
Commissioner — Privacy Commissioner
Cth — Commonwealth
FBI — Federal Bureau of Investigation
ISO — International Organization for Standardization
NPPs — National Privacy Principles (contained in Schedule 3 of the Privacy Act 1988)
OAIC — Office of the Australian Information Commissioner
Privacy Act — Privacy Act 1988
Secret Service — United States Secret Service