The Office of the Australian Information Commissioner (OAIC) is deciding whether to investigate travel insurance company, Aussietravelcover (ATC) after reports that personal information including names, phone numbers, email addresses, travel dates and policy costs were hacked on 18 December, 2014.
The OAIC was notified about the data breach on 22 December.
“We have discussed the matter with ATC, including raising some initial issues and providing recommendations about follow-up action. We are now waiting on further information from them before deciding whether to open a formal investigation,” said an OAIC spokeswoman in a statement.
An ATC spokesperson confirmed that the company is analysing 10,000 hacked records to determine whether they contain customer data.
"ATC believes a total of some 10,000 policy holder records were stolen in the attack on the company's website. An analysis of the records reveals that they are partial records and are likely to have been corrupted in the attacker's method of theft," said the spokesperson.
According to the spokesperson, over 95 per cent of the records relate to travel completed before 2007.
"Given the partial, corrupted and aged nature of the records, the company is determining on a case-by-case basis the need to advise affected customers."
Aussietravelcover has been in contact with CERT Australia, the AFP and OAIC.
“As this matter is the subject of an ongoing law enforcement investigation, the company is unable to provide any further details at this time," said the spokesperson.
The <i>ABC</i> reported that Aussietravelcover opted not to tell insurance policy holders or customers about the data breach.
The ABC quoted an email allegedly sent by Aussietravelcover to its agents which said that because it engaged consultants to help investigate the breach, there was “no reason to advise policyholders.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.