I heard on the grapevine today that the Australian Institute of Company Directors (AICD) has reported the theft of a computer that contained the personal details of 66,000 of its members. As one of those members, I was concerned about the theft, and downright annoyed that I heard it first from a staff member who read it in the newspaper. I did later receive an e-mail from them advising me of the incident, and a company spokesman explained that due to the volume of e-mails it had taken some time for all of them to be delivered.
The PC was apparently stolen during a power outage and it was considered to be an opportunistic rather than targeted crime. AICD CEO, John Colvin, said that the company has “strong data security precautions in place”. Given the ease with which a thief could walk in and take a computer with the entire database of the organisation on board, the facts would suggest otherwise. But what lengths should an organisation reasonably need to go to protect customer data? The AICD runs courses on risk management and should theoretically be able to answer that better than I can. Perhaps their management team also needs a refresher on Physical Security 101.
In fairness, like Sony’s recent multiple hackings, the AICD is a victim of crime, not a perpetrator. I might be more sympathetic if I’d heard about it from them, and even more so if I could understand why they felt it necessary to store my date of birth. As a consumer it’s often difficult to opt out of providing information that is clearly unnecessary to perform the transaction in question. Does my hairdresser need my date of birth? Does every Web 2.0 service need to know where my father was born or my mother’s maiden name. When they store that, on their dinky little networks, or worse on forms left lying around reception, how secure is that data?
Colvin suggests that much of the AICD member data was publicly available but that doesn’t excuse it being left on a PC rather than on a network. For many years I’ve put in a fake date of birth where I felt the question was irrelevant and the organisation was unlikely to have effective data protection procedures in place. I had assumed better from the AICD. My mistake.
Davy Adams is the Managing Director of IDG Australia, publisher of ARN