Nova Entertainment has data breach involving personal information of up to 250,000 listeners. Nova’s approach more evasive than transparent

December 28, 2018

Nova Entertainment has announced that it has “publicly disclosed” a “legacy dataset” involving personal information (of listeners presumably) collected in the period May 2009 – October 2011.  It does not say when the breach occurred or how the breach occurred.

The statement provides:

Nova Entertainment has recently become aware that a legacy dataset containing information collected from our listeners during the period from May 2009 to October 2011 has been publicly disclosed.

We are in the process of notifying individuals affected by this incident of the steps they can take to prevent any potential misuse of their information.

The types of information disclosed in this incident varies from person to person, but generally includes biographical information (such as name, gender and date of birth), contact information (such as residential address, email address, and telephone number), and user account details (such as user names and passwords, which were protected by ‘hashing’). We can confirm that no other information, including copies of identity documentation or financial information is contained in the dataset disclosed in this incident.

Upon confirming the validity of this incident, we immediately engaged leading Privacy, IT and Cyber Security consultants to understand the circumstances of the disclosure. Our investigation is substantial and ongoing. We are taking all necessary measures to ensure the strength and effectiveness of our cyber security, and there is currently no evidence of any suspicious activity or threats on Nova Entertainment’s systems.

We have notified the Office of the Australian Information Commissioner of this incident, and we are in the process of contacting law enforcement bodies. We will fully and transparently engage with these entities in relation to this incident.

We have set up a dedicated webpage (https://www.novaentertainment.com.au/dataincident) which contains advice and a dedicated email mailbox (privacy@novaentertainment.com.au) for further queries.

We have also engaged IDCARE, Australia and New Zealand’s national identity and cyber support service, to provide individuals affected by this incident with assistance and support. We encourage anyone affected by this incident concerned about the potential misuse of their personal information to contact IDCARE on 1300 432 273 (Australia) or +61 7 5373 0400 (International), or visit IDCARE’s website: https://www.idcare.org/contact/contact-us.

During the Christmas period, IDCARE will be available to assist individuals affected by this incident on the following dates between 10 am and 3 pm AEST:

• Thursday, 27 December 2018
• Friday, 28 December 2018
• Wednesday, 2 January 2019
• Thursday, 3 January 2019
• Friday, 4 January 2019.

From Monday 7 January 2019 onwards, IDCARE will be available Monday – Friday from 8 am until 5 pm AEST. You can also access IDCARE’s Learning Centre for further information at: https://www.idcare.org/learning-centre/learning-centre.

We take privacy, and the security of the information we collect from our listeners very seriously, and on behalf of Nova Entertainment I deeply and sincerely regret that this incident has occurred. We are fully committed to achieving the best possible outcome for anyone affected by this incident.

We will update this page as more information becomes available.

The statement is unsatisfactory if the intent is to inform. Its claim that it will update the page as more information becomes available is little more than following a template. There is little expectation that that will happen when it currently knows much more that could be told but which it won’t disclose. Clearly Nova has an idea of when it became aware of the breach. Interestingly, it uses the weasel words “upon confirming the validity of the incident” for a reason, such as to mask a period of inactivity or a delay in bringing in experts and/or the Privacy Commissioner. It is hardly unusual to describe how the breach occurred even if the description doesn’t descend into technical detail. That is de rigueur for breaches in America and the United Kingdom.

Given the incredible vagueness of the announcement, a legitimate suspicion is that the breach occurred pre-Christmas, when people were at least partly interested in news and advertisers are sensitive to negative stories, and the announcement was held over until the break between Christmas and New Year, when listeners are not focused and media coverage is spotty. Referencing an investigation as being substantial and ongoing is little more than puffery.

Nova’s initial vague, evasive and generally content-free response is cynical and glib. Unfortunately, based on the past history with the Australian Information Commissioner, it is likely to work.

This announcement would not be a good example of how to deal with a data breach in the UK and the USA. However, with a weak regulator like the Australian Information Commissioner, such pap is more the norm because the concern is not the regulator but the general audience. There is little fear of the regulator in Australia because of its poor enforcement culture.

If the regulator were to undertake a thorough investigation, it would go beyond the data breach and ask why it was necessary to retain data going back as far as May 2009, 9 1/2 years ago. Many organisations take the view that once data is collected it can be retained for as long as the organisation wants. Wrong. It would be interesting to see what protocols have been developed by Nova on the storage of “legacy datasets” and what review processes are in place to purge the files where appropriate.

Even with the holiday season in full swing, the media coverage has still been significant, with the Australian’s article “Nova Entertainment admits to publicly disclosing listener information”, the Guardian’s “Nova says listeners’ personal data has been leaked” and Fairfax’s “Nova warns listeners of data breach affecting 250,000 Australians”.

The Australian article provides:

Australian media company Nova Entertainment says information it collected from listeners over a two-year period has been “publicly disclosed”. The company says it recently became aware listener information from May 2009 to October 2011 has been leaked and it is in the process of contacting those affected.

“We have notified the Office of the Australian Information Commissioner of this incident, and we are in the process of contacting law enforcement bodies,” CEO Cathy O’Connor said in a statement.

“We will fully and transparently engage with these entities in relation to this incident.” The information disclosed may include names, gender, dates of birth, addresses, emails and phone numbers and user account details such as user names and passwords, which are protected by a security technique, known as ‘hashing’. While passwords are not visible in plain text, there is a risk they can be decrypted, potentially allowing others to gain unauthorised access to online accounts.

Nova is encouraging those affected to change their passwords for their email account and all other online accounts using the same email address, username or password, including email, social media and online bank accounts. “We take privacy, and the security of the information we collect from our listeners very seriously, and on behalf of Nova Entertainment I deeply and sincerely regret that this incident has occurred. We are fully committed to achieving the best possible outcome for anyone affected by this incident,” Ms O’Connor said.

The company says no other information, including copies of identity documentation or financial information, was disclosed.

Ms O’Connor says Nova’s investigation is “substantial and ongoing”. “Upon confirming the validity of this incident, we immediately engaged leading privacy, IT and cyber security consultants to understand the circumstances of the disclosure,” she said.

“We are taking all necessary measures to ensure the strength and effectiveness of our cyber security, and there is currently no evidence of any suspicious activity or threats on Nova Entertainment’s systems.” The company is notifying those affected of the steps it has taken in its investigation and how they should prevent any potential misuse of personal information.

Ms O’Connor said further information will be provided when available. Nova operates commercial radio networks in metropolitan and regional areas of Australia, a pay television station and mobile brands.
