The personal details of thousands of Dell Australia customers have fallen into the wrong hands, and security professionals warn that Australian customers of other companies could unknowingly be affected following a major security breach at a global email service provider.
Dell Australia sent an email message to customers yesterday informing them that Epsilon, the company Dell uses to manage its email communications with customers, had been broken into, exposing customers' personal information including full names and email addresses.
This exposes customers to phishing scams, as the attackers could use the stolen names and addresses to contact Dell's customers while pretending to represent the company.
In addition to Dell, Epsilon has 2500 customers worldwide and those affected include Barclays Bank, BestBuy, CitiBank, Chase, Kroger, JP Morgan Chase, Marks & Spencer, Ritz Carlton, Target, TiVo and Verizon.
Epsilon sends out about 40 billion emails a year on behalf of clients and CBS News reported that the breach was so serious that the US Secret Service is investigating.
In Australia, the Privacy Commissioner, Timothy Pilgrim, said he was opening an "own motion investigation" into the incident. Pilgrim said that, at this point, only Dell Australia had contacted his office to own up to the breach. However, security professionals warn that the issue almost certainly affects Australian customers of other companies that use Epsilon.
"Whilst no credit card, banking or other personally identifiable information was involved, we felt it was important to let you know that your email address may have been accessed," Dell told customers.
"While we hope that you will not be affected, we recommend that you be alert to suspicious emails requesting your personal information."
Security professionals say that many other companies with Australian customers are likely to have been affected but we may never know which ones because there is no law forcing the companies to disclose security breaches such as this.
"How many other companies are affected in this part of the world but aren't saying so because we don't have any mandatory disclosure regulations?" asked Paul Ducklin, head of technology at security firm Sophos.
"I read somewhere that Epsilon has about 2500 customers for whom they send out emails. So who knows how many people were affected in total, simply because they're [unknowingly] customers of those Epsilon customers who don't intend to announce the fact?"
The former team leader of investigations at the Australian High Tech Crime Centre, Nigel Phair, who is now working as a private consultant, said Australia "desperately needed" data breach legislation that would compel companies to report these sorts of privacy breaches.