Just Got an Email from One of My Employers and It Contains a Massive Data Leak File Attachment. What to Do?

pegaxs on 22/11/2022 - 11:29
Last edited 22/11/2022 - 16:28 by 1 other user

Got home this morning and had an email from a casual employer about some new SOPs they are initiating.

2 mins later, I get an email that says "Recall: *reference to original email*…" in the title and an automated system that seems to be trying to use some sort of remote delete function (body of email contains garbage, automated response nonsense).

10 mins later I get another message "URGENT: DELETE… *reference to first email*".

Curious, I went back to have a look at the first email thinking that it was just an SOP bulletin, just not for my department (get them all the time) and I found two attachments. Upon opening the files (MS Office type) it was revealed why the massive panic emails following. They contain a lot of personal data… on A LOT of people. Basically everyone I work with and everyone doing the same job as me… for the entire state. There are some 3000+ entries on this list.

The data includes;
Name: (first and last)
Address:
Ph: (Both home and mobile)
Start date:
Internal staff ID:
Area: (where they work)
Supervisor:
Zone:
Current employment status: (includes inactive/sacked/quit/retired as well as active employees)

I called work to find out what their policy was to deal with such a huge data leak and if they reported it and was informed that no, no reporting required as everyone was asked to delete the email and a "recall" was sent out to users who have this function turned on and that the information was technically not reportable because it didn't contain payment or any ID information.

So, what do I do form here? I'm kind of ambivalent about it (been through Optus and Medibank recently, so I am already on hyper vigilent mode) until I spoke to work who brushed it off as "dealt with". A poll because you love a nice poll ;)

Poll Options

  • 24
    Pastebin it and give us the link or it isnt real...
  • 4
    Sell it on the DarkWeb for iTunes cards
  • 1
    Load up an email with all the addresses and have some LoLZ
  • 2
    Change all your details... "again"
  • 117
    Report it as a data breach yourself
  • 2
    Go over your supervisors head and report it to IT dept.
  • 10
    Kick back, feet up, drink your coffee and get on with your life
  • 3
    Carry on like a Karen and demand CoMpEnSaTiOnZ!!!
  • 2
    Panic, like my whole life is ruined and hair is on fire
  • 1
    Other (see comments)
Education & Work

Comments

  • thatonethere on 22/11/2022 - 11:36
    +16

    You could make a complaint to OAIC - https://www.oaic.gov.au/

  • Benoffie on 22/11/2022 - 11:36
    +9

    If you think the horse has bolted, report the breach. Perhaps if more people were proactive, ACSC would stand a better chance in helping.

  • baronorder on 22/11/2022 - 11:37
    +7

    Report it to the CISO/CSO, worst case is they just say thanks and do nothing. There are likely some disclosure requirements either on internal policy or gov reg wise so just make sure you are covered by reporting it to your internal security group.

  • Jimothy Wongingtons on 22/11/2022 - 11:40
    +8

    On one hand: report

    On the other hand: thinking about all the high profile leaks lately and how many go unreported… I wonder what ISNT leaked these days..

    • pegaxs on 22/11/2022 - 11:47
      +11

      That was my thoughts on it so far. They have less data than what Optus of Medibank have. At best its just a spam list with confirmed contact details. There is no ID (like birthday or drivers license type info) or other stolen information… So I wonder if it's any more than what is already available to scammers and spammers already through other sources.

      My manager was "well, I sent out an email to ask everyone to delete it, so they will delete it…" I laughed and just said, "yeah, ok, champ, I am sure not one person in that 3000+ list is going to have fun with this or try and sell it…"

      • Ghost47 on 22/11/2022 - 11:54
        +9

        Your manager sounds like a fool.

  • bobbified on 22/11/2022 - 11:57
    +9

    The person you spoke to at work who pretty much said not to worry about it might just be trying to cover their own ass, so I think you should firstly take it up with senior management and see where it goes from there. Then report to relevant government agency if you want to escalate it.

    If it's gone out to multiple people, there's a good chance that someone else has already reported it externally.

  • Cheaplikethebird on 22/11/2022 - 12:01
    +5

    Whether or not it contained personal info it was a data breach and should be dealt with as such so that the processes that are (hopefully) in place are kicked into gear to avoid a similar breach occuring.

    Also… always gotta laugh when a user asks about the e-mail recall feature, IMO you're almost better off not using it, Barbara Streisand effect and all.

    • pegaxs on 22/11/2022 - 12:06
      +3

      Yeah, I love that "recall" email go out. I am sure about 1 in 100+ users even have that turned on. It's usually only internal work email setups that have it and no one on this list has an internal email address, it's all bigpond, Gmail and Hotmail accounts.

      And yeah, when I get home and have time I'll report it if the IT team haven't confirmed they have.

      • Cheaplikethebird on 22/11/2022 - 12:19
        +3

        Haven't ever seen it work even for internal e-mails.

      • DoctorCalculon on 22/11/2022 - 22:03

        Yeah, I love that "recall" email go out.

        The recall function in Outlook never ever works, especially if you are on a Mac.

  • nfr on 22/11/2022 - 12:20
    +3

    I'm beginning to think this is actually normal.

    • pegaxs on 22/11/2022 - 12:26
      +2

      Had another one last year that wasn't as bad. It was only about 200 names and email addresses when instead of doing a BCC, they just CC'd everyone in my zone area.

      That one was quite funny when we were asked to reply that we had read and received the attachment, so I got another 40+ emails from people just hitting the "reply all" button :D

      • nfr on 22/11/2022 - 13:20

        Hahaha I love silly and funny!

  • YoungQuan on 22/11/2022 - 13:17

    don't be a jack bastard, delete and get on with your life

    • coffeeinmyveins on 22/11/2022 - 14:49
      +5

      All fun and games until it is your data that gets leaked.

      • Quantumcat on 22/11/2022 - 15:18

        It isn't really a problem for the individuals, it's the company who is more likely to suffer as the information can be used for phishing attacks etc.

        • pegaxs on 22/11/2022 - 16:16

          "Yeah, hi… this is… \checks sheet* Bob Smith… from… *check notes* Islington West…"

          And yeah, the big issue is that there are people I work with who I absolutely do not want them knowing my phone number or my home address…

          There was one lady that my current work buddy told me about that he used to have as his work buddy that he almost had to get an AVO out on because she was a nutter… there is a good chance she also got emailed this list of names and numbers.

          Rumour has it that she also blames me for taking her job, now I have her details and she has mine…

  • EightImmortals on 22/11/2022 - 13:25
    +4

    Negotiate a payrise!

  • Zeph101 on 22/11/2022 - 13:30

    Since it appears to be a privacy/data leak that is internal and has not be shared with external parties that MAY be why it isn't necessarily reportable.

    • pegaxs on 22/11/2022 - 13:55
      +5

      Although it was shared with employees only, it has also gone out to previous employees who no longer work for this employer. I can even search up who was and who is employed. There are records here dating back to the early 90's.

      If it has gone to ex-employees as well, it has gone out to external parties. (Confirmed it has, I rang a friend who did work for them, and they confirmed they got the email this morning. Haven't work for this employer for around 5 years.)

  • GG57 on 22/11/2022 - 13:36

    Was the email to your work email address, or to your personal email address?

    • pegaxs on 22/11/2022 - 13:52
      +4

      All casual and part time staff are external emails. They dont even give us access to intranet services. If we need anything (example: SOP, policy enquiry, change of details, payslip, etc) we have to email our supervisor and they fetch the info on our behalf from the intranet portal.

      Every single email address on this list is an external email address. There is not one single internal email address.

  • brendanm on 22/11/2022 - 14:34
    +2

    Ask for compensation.

  • coffeeinmyveins on 22/11/2022 - 14:49
    +2

    was informed that no, no reporting required as everyone was asked to delete the email and a "recall" was sent out to users who have this function turned on

    Lol. Imagine saying that because you asked people nicely to delete something that that constitutes due diligence for a data breach.

    • pegaxs on 22/11/2022 - 16:10
      -1

      I wonder if Optus and MediBank tried sending "recall" and "delete" emails to the DarkWeb to scrub thair data…

      Optus: "Well, we asked them to delete it, so our part is done…"

  • payless69 on 22/11/2022 - 15:32
    +1

    Looks like you were only empoyered in the first place?

    • pegaxs on 22/11/2022 - 16:11
      +1

      At first I was like… "huh"… but figured it out! :D Cheers!

      • payless69 on 22/11/2022 - 22:35

        Oope, English is my 3rd language, spelling takes time to learn.
        Re data leak: 1. April some event happened at Optus, but the new world is prohibited to talk about. Then later well the bubble burst.
        Could mention so many more!

  • ECE on 22/11/2022 - 22:39

    Share the leak, win a friend 🤣👍🏿

  • mikekiwimike on 23/11/2022 - 07:59

    It is likely a notifiable data breach to the intent of the act. Being that there are over 3k people in the company in your state alone it is a large company…. With the above obligations and due to their size, you should reach out to your CISO and security leads, they may not have been made aware of this and they will have the playbooks to respond to this in a suitable way.

  • larndis on 23/11/2022 - 08:50

    Definitely think you should report to OAIC (even if it was an internal email, which it wasn't), contact details can definitely be considered sensitive information and reporting will reduce the chances of it happening again.

  • bbinc on 23/11/2022 - 09:40

    Report! The reason is any leak, with or without ID can be data matched with other sources/leaks building a more complete picture of individuals.

  • chuderino on 23/11/2022 - 10:46

    Report to the InfoSec team and delete emails, move on.

  • MrBear on 23/11/2022 - 18:10

    I've had something similar happen twice:

    1. My (ex) Real Estate property manager sent me a report on ALL their clients income/expenses for the entire year instead of just mine.
    2. My (ex) account sent me multiple invoice and statements for other clients instead of mine.

    Both manual user error mistakes but both with confidential information.

  • lew380 on 24/11/2022 - 01:40
    -2

    Go ahead, report your employer to secret police because someone accidentally sent out the wrong attachment. Its also not that special data, most of your workmates will know this data anyway and unless your worried about some stalker in another state/region, just know that he/she can easily find that data easily by other means.

  • Tim-A on 24/11/2022 - 03:03

    Send it to Troy Hunt at Have I Been Pwned

Login or Join to leave a comment
Login Join