“The problem with attacks of this nature is consumers have no agency or ability to protect themselves,” Consumer NZ chief executive Jon Duffy told the Herald.
“We are entirely reliant on the companies collecting and holding our data to have robust systems in place.”
He said Australia had a relevant offence under the Australian Privacy Act.
“In New Zealand, an individual who’s impacted by a privacy breach would have to complain to the Office of the Privacy Commissioner,” Duffy said.
“The Office of the Privacy Commissioner could then refer it to the Human Rights Review Tribunal, and the Human Rights Review Tribunal could assess that individual’s case and perhaps dole out a penalty ... And so it’s a much more time-consuming process.”
Duffy added: “It’s pretty backwards in many ways and compared to other jurisdictions like Europe for example, it’s a pretty outdated system.”
Duffy said New Zealand’s Privacy Act said someone should only collect information proportionate to what was needed.
“If you’re asked for your name, address and date of birth ... you should have a need for each of those data points, and the user should consent to providing that information on the basis that you’ve explained why you need it.
“And as soon as you stop needing it, you should delete that information.”
Duffy said New Zealanders who wanted to do anything about cases of over-collection of information currently had to complain and prove they had suffered harm.
“Whereas a penalty regime ... would allow the Office of the Privacy Commissioner to come in and go, hold on, you broke the rules, it shouldn’t really matter whether the harm eventuated or not.”
Qantas said it detected unusual activity on a third-party site used by a contact centre.
Customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers were stolen.
“Depending on the data compromised, consumers may need to move quickly, for example to cancel passports or credit cards,” Duffy said.
“In this instance, Qantas has stated that no financial data has been compromised, but consumers should regularly update passwords on accounts, especially if they are using the same passwords across multiple accounts.”
Duffy added: “Qantas will face much stiffer penalties under Australian privacy regulations than it would if it was a New Zealand company.”
An article from law firm Dentons said Australia’s Information Commissioner could ask the Federal Court for a civil penalty order when an organisation allegedly engaged in serious or repeated interferences with privacy.
The Dentons article, published last year, said there were no civil penalties under the New Zealand Privacy Act, and “the level of fines is minuscule compared to other jurisdictions”.
Scams and telemarketers
Patrick Sharp, Aura Information Security general manager, said the stolen information would probably be sold multiple times in different chunks.
“It will be used for scams and for people trying to do telemarketing,” he told the Herald.
“People who are affected by this breach should be looking out for unsolicited communication from someone claiming to be Qantas.”
The Australian Financial Review said the Qantas hack happened after somebody persuaded a call centre employee to let them into a database.
“The breach occurred after an employee granted access to a third-party client service – software run by Salesforce – to the criminals, according to people briefed on the matter who requested anonymity to speak freely,” the Australian Financial Review reported.
John Weekes is a business journalist mostly covering aviation and courts. He previously covered consumer affairs, crime, politics and courts.