Lachlan Murdoch’s Nova Entertainment has warned more than 250,000 listeners that data collected about them between 2009 and 2011 has been publicly disclosed, including residential addresses and birth dates.
Nova chief executive Cathy O’Connor said in a statement on Thursday that individuals were being notified about the steps they can take, with the disclosed information varying from person to person.
“We are taking all necessary measures to ensure the strength and effectiveness of our cyber security, and there is currently no evidence of any suspicious activity or threats on Nova Entertainment's systems,” Ms O’Connor said.
“We take privacy, and the security of the information we collect from our listeners very seriously, and on behalf of Nova Entertainment I deeply and sincerely regret that this incident has occurred,” she said.
The breach included information as varied as user names and passwords (protected by a security technique known as hashing), home addresses, emails, phone numbers, gender and date of birth details. In total, 261,948 people are involved in the breach.
Nova has radio stations in Sydney, Melbourne, Brisbane, Adelaide and Perth and affected people are expected to receive an email, SMS or letter.
No financial information or copies of ID were disclosed and the statement said there was “no reason to believe” Nova’s existing systems were affected.
Details are yet to be disclosed about how many people may have accessed the data.
The information that was publicly disclosed in this breach is described in the radio network’s statement as being a “legacy dataset” from May 2009 to October 2011. Those affected are encouraged to change their passwords, review their credit report for unusual activity and enable additional security measures as needed.
Nova is undertaking an investigation into the issue, with cybersecurity consultants working out the specifics about how the data breach happened.
The radio network has informed the Office of the Australian Information Commissioner (OAIC) and is in the process of contacting law enforcement bodies. Cyber support service IDCARE is assisting those affected by the breach in late December and early January.
The data breach comes during increased scrutiny on all businesses over the handling of sensitive customer data after a year of heated debate about privacy practices and data concerns about internet giants Facebook and Google and government-introduced initiatives like My Health Record.
New laws introduced in early 2018 required mandatory data breach reporting for businesses, government agencies and non-profits with annual turnover of at least $3 million. This has captured many small businesses across the country. Under these rules, companies are given 30 days to notify individuals affected and to inform the OAIC.
The latest OAIC data for the three months to September 2018 shows 245 notifications about breaches were made during the period.
The majority involved under 1000 individuals - two impacted more than 100,000 people - and contact information was the most common data affected. More than half of these data breaches were due to malicious or criminal attacks, while 37 per cent were due to human error.