Peter A Clarke

Here is a case that can be served up to the Privacy Commissioner without the need for garnish.  The Age reports in More than a million Menulog customers’ private data at risk of theft that someone logging into the Menulog website can access and view names and email addresses of 1.1 customers when the permitted access was only to the customers of that person (or the company).  The defensive and inadequate response of Menulog when this problem was brought to its attention highlights both the poor privacy culture in the private sector and the general feeling of impunity.  Inadequate laws, primarily the Privacy Act 1988,  and the consistently poor enforcement of those laws by the Privacy Commissioner has resulted in a belief and expectation of no consequences flowing from data breaches and interferences with privacy.

It will be interesting to see if the Privacy Commissioner uses any of the significant powers available to him since 12 March 2014, some 2 years ago, in this case.  In those two years there has been no noticeable increase in enforcement.   Here there is little doubt that Menulog is covered by the Privacy Act and that there is likely non compliance with Australian Privacy Principle 11, at minimum.

The Menulog privacy policy is not particularly good but it is interesting to see at 6.4 it states:

6.4 Menulog will take reasonable steps to protect the personal information it holds from misuse, interference and loss and from unauthorised access, modification or disclosure.

Really?

Given the reported off hand response to the clear weakness in its data security Menu’s policy at 6.5 is more show than substance, as it provides:

6.5 to make a complaint about a breach of the Australian Privacy principles, which include how we handle your personal information, you may contact us  with the details provided in clause 6.4 above. We will endeavour to respond to your complaint within a reasonable time after it is received. If you require further information regarding privacy it can be found at the Office of the Australian Information Commissioner

The article provides:

The private information of more than a million customers of online takeaway giant Menulog is at risk of being stolen, with experts deeming the website as “vulnerable” and “not secure”.

Nicola Holden, from Victorian chain Pizza Fellas, said when she logged in to the Menulog website, she stumbled upon the names and email addresses of more than 1.1 million customers. She should only have been able to see her company’s own.

“It’s a pretty intensive lists – names of police, celebrities, people in government in there. If I saw it through the client portal, it means it’s probably also been shared with thousands of other people who are not monitored or controlled,” she said.
Menulog customers can order takeaway food from more than 6500 restaurants.

Ms Holden alerted Menulog to the potential security flaw, but she said its response was inadequate.
Advertisement

“I was really concerned they didn’t notify their customers of the breach and instead sent out an email just reminding customer to use strong passwords,” she said.

In a letter to Ms Holden, a Menulog representative wrote it “immediately investigated the matter but was unable to identify the problem”. It shutdown the e-newsletter feature – Ms Holden’s entry point to the data last year – and said its analysis showed there were no anomalies.

Fairfax Media has contacted Menulog for comment. Menulog and Pizza Fellas are locked in a legal battle in the Victorian Civil and Administrative Tribunal concerning online advertisements.

Ms Holden is a former employee of Menulog. Pizza Fellas is no longer listed on the Menulog website.

Andrew Mcleish, computer forensics expert and managing director STOPline, engaged by Ms Holden to examine the potential security problem, said the names, telephone numbers and addresses of Menulog customers were exposed.
A former business client of Menulog has discovered a security flaw in the website.

He said it was highly likely the Menulog data is at risk because the client database was viewable.

“My concern was the Menulog site or client data base for their entire business was not secure. Pizza Fellas clients could be viewed by other competing business and vise versa. So the Pizza Fellas IP was being shared and/or viewable by others,” he said.

“It is more of a security issue because private details of client information was able to be accessed by others … I would imagine the client data could be compromised by downloading the data base or by simply cutting and pasting the client data into a spreadsheet.”

Menulog customers can order takeaway food from more than 6500 restaurants. The business was snapped up by the UK-based Just Eat for a cash price of $855 million in June last year, stunning industry players and observers.

Computer security expert Ty Miller, of Threat Intelligence, said the exposure of the client database was most likely caused by an “access control flaw”, which can allow a hacker to extract unauthorised data.

“It sounds like – because [Ms Holden] accidently came across the data – there’s an information disclosure vulnerability, where you don’t have to be hacking the site to extract the data, it’s more, ‘Oops we’ve accidently dumped everything on your screen’,” he said.

He said the flaw could not be fixed simply with the removal of the e-newsletter feature and required the development team to review the access control.

“The vulnerability can have a large impact because a hacker doesn’t necessarily need to be attacking the information to inadvertently expose 1.1 million clients’ data and that can have a massive privacy impact on the end users, but also a financial impact on Menulog.”

At present, there is no legal requirement for Menulog to inform customers their private information may be at risk.

The federal government is considering an amendment to the Privacy Act that would require companies with a turnover of more than $3 million a year to notify customers of a serious data breach within 30 days if there is a “real risk of serious harm” to whom the information relates.

Ms Holden believes Menulog should have notified customers of the vulnerability so that anyone who has suffered financial loss or identity theft could take action.

Mr Miller said names, emails, phone numbers and addresses were classed as personal, identifiable information in the data breach notification bill.

“It’s sensitive data and it’s the sort of information that can be used and sold on the underground market as a starting point to performing things like identity theft,” he said.