TGI Fridays admits to exposing customer data, as Aussie breaches spike

The Australian arm of restaurant TGI Fridays has become the latest company to apologise to customers after ‘potentially exposing’ their personal information.

The business, which has about a dozen stores in Australia and a much bigger network overseas, has admitted to a potential breach of back-up files containing the information of its loyalty program members.

An unnamed Melbourne-based cyber security firm was engaged to assess the exposure, and the company said the problem is fixed following a security audit of all its local platforms.

In a statement, TGI Fridays Australia chief executive James Sinclair claimed there was no malicious data breach or hack.

“We take the privacy of our customers extremely seriously and so notified them of this potential exposure promptly and are confident of the security and privacy of our data ongoing,” he said.

“We have also notified the Office of the Australian Information Commissioner (OAIC) who are satisfied with this matter,” Sinclair said.

However, in an email to customers seen by SmartCompany, TGI Fridays told customers to be wary of “unsolicited communications” like phishing emails in the wake of the exposure.

The company did not reveal how many Australian customers had their data exposed or what types of personal information were exposed, only claiming no financial information was involved.

It also did not confirm when it became aware of the breach or when it notified customers, despite being asked.

SmartCompany understands the business has been aware it exposed the personal information of its customers for more than a month. 

Data breaches spike

The restaurant chain is just the latest business to admit to a cyber security failure, as rates of malicious hacking and human error-induced customer data exposure increase in Australia.

Figures reported by OAIC last week revealed notifiable data breaches spiked from April to June, up to 245 for the three-month period, after dipping in the March quarter.

Australian information and privacy commissioner Angelene Falk said the findings showed the cyber security risks facing businesses remain real, with nearly 70% of breaches involving cyber incidents.

About a third (34%) of the breaches in the June quarter were tied to human error, while 62% were a result of malicious or criminal attacks and 4% due to system faults.

“The fact that there is a human factor involved in so many cases demonstrates the need for staff training to increase awareness of cyber risks and to take the necessary precautions,” Falk said in a statement circulated last week. 

Interestingly, despite tracking a recent spike in data breach activity, OAIC has decided to wind back the frequency of its reporting on the issue from quarterly to biannually — effectively halving the rate.

Terry Burgess, vice president of Asia Pacific for SailPoint, said the quarterly disclosure demonstrated many businesses aren’t heeding cyber security warnings.

“The unfortunate reality is that many businesses continue to take a laissez-faire approach to cyber security, which is reflected in these reports,” he said.

“Business leaders need to put more effort into improving their security posture, which involves treating cyber threats the same way they treat overall enterprise risk.”
