AICD data theft leaves members cold

Davy Adams
Davy Adams is the Managing Director of IDG Australia, publisher of Computerworld.

I heard on the grapevine today that the Australian Institute of Company Directors (AICD) has reported the theft of a computer that contained the personal details of 27,000 of its members. As one of those members, I was concerned about the theft, and downright annoyed that I heard it first from a staff member who read it in the newspaper. I did later receive an e-mail from them advising me of the incident, and a company spokesman explained that due to the volume of e-mails it had taken some time for all of them to be delivered.

The PC was apparently stolen during a power outage and it was considered to be an opportunistic rather than targeted crime. AICD CEO John Colvin said that the company has “strong data security precautions in place”. Given the ease with which a thief could walk in and take a computer with the entire database of the organisation on board, the facts would suggest otherwise. But what lengths should an organisation reasonably need to go to protect customer data? The AICD runs courses on risk management and should theoretically be able to answer that better than I can. Perhaps their management team also needs a refresher on Physical Security 101.

In fairness, like Sony’s recent multiple hackings, the AICD is a victim of crime, not a perpetrator. I might be more sympathetic if I’d heard about it from them, and even more so if I could understand why they felt it necessary to store my date of birth. As a consumer it’s often difficult to opt out of providing information that is clearly unnecessary to perform the transaction in question. Does my hairdresser need my date of birth? Does every Web 2.0 service need to know where my father was born or my mother’s maiden name? When they store that, on their dinky little networks, or worse on forms left lying around reception, how secure is that data?

Colvin suggests that much of the AICD member data was publicly available but that doesn’t excuse it being left on a PC rather than on a network. For many years I’ve put in a fake date of birth where I felt the question was irrelevant and the organisation was unlikely to have effective data protection procedures in place. I had assumed better from the AICD. My mistake.

Tags: AICD, data theft, physical security

Comments (1)

Mark Winter

Fri 10/06/2011 - 21:54

Why does this continue to happen? Even our school students' PCs are protected should they be lost or stolen. Come on corporate Australia, wake up! http://tiny.cc/itjh2
