Phishing, password reuse, and misconfigured buckets

UPDATED The Australian branch of the TGI Fridays restaurant chain has admitted suffering a data breach impacting an unknown number of customers of one of its loyalty programs.

Customers were told on Thursday to change their MyFridays membership rewards program passwords following the exposure of one of the company’s servers to the internet.

No financial information was compromised, the company said. The precise impact of the breach is unclear since TGI Fridays failed to disclose the type of data that was affected, ThreatPost reports.

TGI Fridays said it notified the Office of the Australian Information Commissioner (OAIC) of the security incident, which appears to be unintentional, and simply the latest example of misconfigured cloud storage leaking potentially sensitive data.

The news comes as OAIC released fresh figures on reported data breaches – a total of 245 having occurred across Australia between April 1 and June 30 of this year.

Human error was a key factor in many of the reported incidents, OAIC said, with most issues arising from either a phishing email or a reused password. Criminally motivated data breaches accounted for the majority (62%) of unintended information exposure incidents.

The Daily Swig confirmed with OAIC that the TGI Fridays breach would be categorized as a human error, or unauthorized disclosure – 18% of 84 human error data breaches reported in the latest quarterly figures fell into this area, OAIC said. 

New onus on breach reporting

Organizations in Australia are now required by law to report any data breaches to the OAIC under the country’s Notifiable Data Breaches (NDB) scheme, introduced last year.

The regulations require businesses, government agencies, and others to disclose information security incidents within one month of discovery, if they are believed to have the potential to cause “serious harm”.

“The reporting regime has been well accepted and the onus is now on organizations to further commit to best practice in combating data breaches and improving response strategies,” Angelene Falk, Australian Information Commissioner and Privacy Commissioner, said in a statement published on Tuesday.

“Effecting change in practices to prevent breaches is vital to the goal of protecting the community,” she added.

“Putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers, who in turn are demanding greater security from the organizations with which they share information.”

The majority (62%) of breaches during the most recent quarter were found to impact the information of 100 individuals or fewer, with the health and finance sectors reporting the most incidents – 47 and 42 notifications, respectively.

Last quarter – January to March 2019 – OAIC was notified of 215 breaches, a dip from the 262 reported through October to December 2018.

Earlier this year, stricter penalties for data misuse, including serious and repeated data breaches, were proposed in Australia. The move has been welcomed by OAIC.

This article has been updated to include comment from the Office of the Australian Information Commissioner.
