Hungry Jacks has data breach involving personal information of thousands of staff
April 24, 2024 |
Data breaches come in a variety of forms. The theft of personal information through cyber attacks by criminal gangs are widely reported but are less frequent than other, more prosaic, data breaches. Such as the recent breach of data by Hungry Jacks of its staffs personal information. This involved someone in the chain’s training and communication section sending out a spreadsheet containing staff personal information; names, email addresses, job titles etc. The story is reported in the Sydney Morning Herald’s Personal data of ‘thousands’ of Hungry Jack’s staff exposed in internal leak. This is a depressingly familiar breach. And almost de rigeour for government agencies. It bespeaks poor privacy training and data handling by staff. For staff to attach a document containing personal information and sending it widely typically involves a poor review of the document itself and woeful processes in the use of emails.
The article provides:
The chief executive of Hungry Jack’s has confirmed that an internal data leak has accidentally exposed the names, birthdates and store locations of staff, including minors, across the country.
In the early hours of Monday, hundreds of employees received an email from the burger chain’s training and communication portal, Jedi, that included an attached spreadsheet of staff information outlining full names, job titles, personal email addresses, start dates, and employment classifications.
Hungry Jack’s says the ‘inadvertent’ message was shared with under 200 staff – but one teenage worker’s parent believes that’s an underestimate.
In an email to some workers on Monday afternoon, Hungry Jack’s chief executive, Chris Green, said the spreadsheet, sent at 2.07am, was due to an “inadvertent data disclosure incident” and not a cyberattack.
“The result of our investigation indicates that you have a current Jedi account and some of your personal identifiable information within Jedi has been unintentionally disclosed via email to 198 Hungry Jack’s employees,” Green wrote.
“This was not a result of a cyberattack, nor was it deliberate or malicious.”
The burger chain has recalled and deleted most emails and has implemented additional security measures to prevent future similar incidences, he said. No passwords were disclosed, but employees were urged to regularly change their passwords.
Hungry Jack’s is reporting the incident to the Office of the Australian Information Commissioner.
However, the parent of one minor Hungry Jack’s employee whose details were exposed in the leak believes the email may have been sent to many more than 198 workers.
“When I opened it, I was floored,” said the parent, who requested anonymity.
“Date of birth is one thing, in terms of identity fraud, but where some kids work and their date of birth …”
“There are an awful lot of sinister things one could do with the information should one be so inclined. If it ends up on the web somewhere, it will take a whole new turn, as one thing someone can’t change is their date of birth.”
The parent estimates that thousands of Hungry Jack’s employees – including chief information officer Claudio Salinas – were exposed in the email, with about half aged under 18.
They have written to the chief executive asking for clarity around the 198 figure and for their concerns to be addressed.
Despite being only half the size of McDonald’s, Hungry Jack’s is a major national employer with a store network of 440 outlets employing more than 19,000 Australians.
In an email seen by this masthead, Hungry Jack’s head of capability, Melissa Anderson, said the inadvertent message was the result of an “internal processing error”.
“Hungry Jack’s takes the protection of personal information very seriously and took immediate action to investigate the incident. We are currently notifying and providing guidance to all the involved employees,” she said in the email.
Anderson said Hungry Jack’s had implemented additional security controls to prevent a recurrence. Hungry Jack’s staff who have further questions are being directed to the employee helpline.
The burger chain has been contacted for further information.