Trans-Tasman catering and cleaning firm Spotless has admitted to a huge data breach in which hackers may have obtained past and present staff members’ passport and IRD numbers, amongst other personal information.
Internet experts said the breach was very serious and that the potential leak contained enough personal information to create a “very high risk” of identity theft.
Spotless told affected workers by email on Thursday.
One woman who received the email said she was deeply worried and had immediately visited her bank to change her credit cards. She was concerned her passport was compromised, and also that Spotless’ lower-waged cleaning staff, many of whom had English as a second language and perhaps poor access to email, would not necessarily receive the communication.
Netsafe chief executive Martin Cocker said the amount of data involved suggested the hackers had got into the company’s HR files. He said there was a risk of criminals using that data to apply for credit and services using people’s identities.
“There is a high risk to the subjects of the attack of future identity theft,” Cocker said. “If they have taken that much personal data, it is pretty high risk to the individual, so we would suggest people go through a process of trying to reduce that risk.”
Internet law expert Rick Shera said it definitely qualified as a privacy breach, “and given the type of information involved and the number of people involved it would be classed a serious breach, there wouldn’t be any doubt about that.”
Shera said it depended on whether the data had been encrypted, or whether it had been stolen, but “that level of information is clearly information that could be used by someone to impersonate an individual”.
He said taking passport and IRD numbers was “pretty serious” and could even conceivably allow a hacker to secure a RealMe account, the internet ID used to deal…