Another email bungle, privacy breach involving names, addresses and birthdates

April 23, 2020 |

The Guardian reports on another email bungle resulting in a significant privacy breach, this time by the Australian Traffic Network.   In an email an operator at the Australian Traffic Network sent out a document containing personal information of more than a 100 current and former staff as part of an internal email to existing staff.  An email was originally sent on Monday to staff asking about eligibility for the jobkeeper payment.  A follow up the next day was the data breach as it contained a table of staff names with their addresses and dates of birth.  It provoked concern within the organisation, little wonder given staff would see that their personal information is laid out for others to see, and potentially forward on if so minded.

The article provides:

The company responsible for delivering traffic reports on radio and TV stations across Australia accidentally sent out the dates of birth, names and home addresses of more than 100 current and former staff to potentially thousands of people as the company seeks to apply for the jobkeeper payments.

Australian Traffic Network provides short traffic report updates during news bulletins to 80 radio and television stations, including the ABC, Seven, Nine, 10, 2GB and Triple M.

Like hundreds of thousands of Australian employers, ATN is seeking to take up the government’s jobkeeper scheme to keep its staff on the books during the coronavirus pandemic.

Under the scheme, employers need to establish that casual staff have been with the company for 12 months or longer to be eligible for the $1,500-a-fortnight payment.

In an email to all staff on Monday, which included a number of internal distribution lists and dozens of external email addresses, the company’s finance manager, Patrick Quinlan, asked staff to confirm whether they met the eligibility criteria for the jobkeeper payment.

In a follow-up email on Tuesday, he included a table of more than 100 current and former staff who had not responded to the original email, including their names, dates of birth, home addresses and email addresses.

Several people responded to the email using the reply-all function to ask why they were receiving it, and why their personal information was being widely distributed.

One of those on the list, who spoke to Guardian Australia on the grounds of anonymity, said it wasn’t very professional or safe.

“If I ring my bank and ask to increase a credit limit or change a password, they’re gonna ask for my address and date of birth, and that’s all in this document, and I don’t know who I don’t know the people that have worked for this company – that could be anyone,” he said.

“If I was a young female worker, and someone was harassing me at work, my address is there.

“Am I gonna lose sleep over it personally? No. However, I can look after myself, there could be vulnerable people and then that could be, who knows who’s on that distribution list and what they plan to do with that information? It probably will be fine – but probably isn’t good enough.”

Quinlan told Guardian Australia it had been an error on his part and the company was working to resolve it.

He said the email had been deleted from the company’s email server and all those it had been sent to were contacted to advise them of the privacy breach, along with an apology and a request to delete the email.

The office of the Australian Information Commissioner had also been notified of the breach, he said.

“Today we have consulted our IT department to implement data loss prevention tools to reduce the likelihood of this happening again,” he said. “We have also restricted access to our payroll portal while we consider password protocols.”

More than 800,000 companies and sole traders have expressed interest in claiming the jobkeeper payment, the federal government has said.

Of course, at times like these it is worth going to the Australian Traffic Network and see its cookie cutter generally inadequate privacy policy. It is focused on users accessing the web site, not protecting the personal information of staff.  That is understandable in a way though it highlights the pro forma quality of the privacy policy.  The security section of the policy provides:


We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.


Leave a Reply