Data Security: ADP Australia Accidentally Exposes Email Addresses On The Internet.

According to, ADP Australia made email addresses accessible on the internet.  Depending on how you view it, you could claim that data encryption should have been used to protect the information.

Marketing List from 2007

ADP is the biggest payroll processing company in the US.  In fact, it’s so big that it releases its own US national employment report that, according to many experts, is very accurate.  Like any successful business, it has gone beyond national borders to tap growth, hence its presence in Australia.

According to, ADP Australia inadvertently exposed on the internet a list of email addresses that were used in signing up for a company newsletter.  No other information was exposed besides the email addresses (no names, phone numbers, etc.).

It’s made clear that the list was dated 2007, but apart from this, ADP hasn’t been forthcoming about the details.  For example, what does it mean by “dated 2007?”  Is it a list of people who signed up for the newsletter in 2007?  Or is it a list that contains all the email addresses that signed up for the newsletter up to, and including, the year 2007, or what?

Is this a Data Breach?

A more important question might be, is this a data breach?  After all, if it isn’t, what does it matter whether the information pertained to 2007 only or otherwise?

Truth be told, a list of email addresses being exposed doesn’t really feel like a data breach.  On the other hand, I’ve already noted before that it can be a vector for further crimes (just like an SSN is not really valuable in and of itself):

  • You can run an untargeted scam.  Think of spam regarding ED drugs: those emails are sent without considering who receives them, in the hopes that someone will say “yes.”

  • You can run a targeted scam (while the list only contains email addresses, everyone knows it’s from ADP Australia).  Think of targeted phishing attacks.

Aside from the above, one might also want to consult the law.  I don’t know about Australia, but there have been cases in the US that show that email addresses are indeed personal data, and hence their untimely exposure is a data breach.  Also, Canada is another nation where email addresses are considered personally identifiable information.
