AU: Did Stay Smart Online’s contractor lose your data?
Oops. A follower on Twitter DM’d me a link to this breach notification from Stay Smart Online, an initiative of the AU government:
Notification of Subscriber Data Loss
We are writing to notify you that the Department has been advised by a former external contractor that a DVD which included information provided by Stay Smart Online Alert Service subscribers was lost in Australia Post’s system, after being posted on 11 April 2012.
The external contractor provided the Alert Service on behalf of the Department of Broadband, Communications and the Digital Economy (‘the Department’) from 2008 until 29 April 2012, when its contract with the Department expired. As you may be aware, the Stay Smart Online Alert Service is currently being re-developed by the Department in collaboration with two new contractors.
As part of the expiry of contract handover process, the original contractor advised that it copied its SSO Alert Service subscriber database onto a DVD and, on 11 April 2012, posted this DVD to the Department using Australia Post’s express post service. Unfortunately, this DVD was never received by the Department. The original contractor has informed the Department that information on the missing DVD included subscribers’: usernames; email addresses; memorable phrases; and passwords which are unreadable (as a cryptographic hash).
The Department has no reason to believe that this information has been found and misused by any third party and we do not believe that there is a privacy risk. We are informing subscribers consistent with a ‘best practice’ approach for privacy matters.
However, if you have used the same username, memorable phrase and/or password for other websites or services you may wish to consider whether these need to be changed.
For information on password security and other tips and advice on how to be safe and secure online, visit the Stay Smart Online website (www.staysmartonline.gov.au).
Stay Smart Online Team
The irony of the breach was not lost on GeordieGuy. And the timing of the notification (late Friday afternoon, AU time) was commented on by a recipient of the notification, who suggested that the timing was intended to avoid media coverage.