Woolworths' Self-Inflicted Breach A Clear Example Of Insider Negligence

Australian grocer sent master spreadsheet of customer information and redeemable codes for thousands of gift cards to hundreds of customers.

Dark Reading logo in a gray background | Dark Reading

This weekend, an Australian grocery chain offered a textbook case study in why insider threats—even the non-malicious kind—are so important to address. Woolworths found itself in a pickle when it had to cancel over $1 million in gift cards when someone at the firm accidentally emailed an Excel spreadsheet with customer information and redeemable codes for close to 8,000 giftcards to over 1,000 customers, according to Australian-based Fairfax Media.

It's a clear reminder of how embarrassing and costly an accidental leak can be when it causes a breach.

“Woolworth reminds us that protecting yourself from human error is just as important as protecting yourself from hackers and malware," says Gord Boyce, CEO of FinalCode.

According to reports, the self-inflicted breach occurred on the heels of a Groupon sale of $100 and $200 gift cards at a small discount. When they bought the cards, customers were told they'd get an email from Woolworths that would have a PDF attachment containing an electronic voucher. Instead of the PDF, many customers were emailed a master list with information for over $1 million in vouchers.

Not only were customers' email addresses and names exposed by the breach, but the information made it possible for unauthorized people to fraudulently use others' gift cards, which ultimately caused the retailer to cancel all of them.

It's unclear yet what the ramifications will be for the grocer, but this even comes just a little over six months after the Office of the Australian Information Commissioner (OAIC) released a formalized privacy policy. The OAIC privacy commissioner released a statement today saying it would look into the breach to see if the agency will need to look into the matter.

According to the Privacy Rights Clearinghouse reported that last year more than 113 incidents involved accidental leakages, involving more than 440,000 records. Meanwhile, the most recent Verizon Data Breach Investigation Report (DBIR), 90 percent of breach cases the firm investigated had some component of employee involvement.

This jibes with a remark made by FBI veteran Frank Abagnale in April at the SailPoint Navigate conference. The inspiration for Catch Me If You Can, Abagnale says that all of the breaches he's investigated involved an employee—typically non-malicious.

“There’s no master hacker," he said. "They’re waiting for doors to open because someone didn’t do something, or they did something they shouldn’t have.”

 

About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights