Victorian government-owned Greater Western Water has suffered at least 320 privacy breaches after it replaced its billing system.
The billing systems being replaced belonged to City West Water and Western Water, which were merged to form Greater Western Water.
However, the new billing system began having issues in March, when almost 200 customers had their bills sent to the wrong addresses, resulting in customer privacy breaches.
Greater Western Water said the issue arose as a result of inaccurate customer data being transferred to the new system, CustomerPlace.
“The source data in the two legacy systems included inactive and dummy accounts, out-of-date customer contact details, and manual workarounds,” Greater Western Water told the Office of the Victorian Information Commissioner (OVIC).
Additionally, the older systems’ data values, formats and fields did not match CustomerPlace, leading to Greater Western Water introducing “81 validation rules” to prevent incorrect data being migrated across.
However, just as the new billing system was about to go live, Greater Western Water said it removed some of the rules “so that accounts that would not otherwise have met the set criteria could be loaded into the new system in time for the go-live date”, according to the OVIC.
One of the rules also created issues, which meant that the customers’ preferred billing method was not included.
“The result was that any account listed with a preference of ‘e-bill or BPAY’ in a legacy system defaulted to postal address in the new system when it was migrated,” said the OVIC.
On top of that, the two systems’ data were migrated concurrently, incomplete data was used for testing, and “satellite” systems also had changes.
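The defaulting behaviour described above can be shown beside a fail-closed alternative. The sketch below is an added illustration, not code from Greater Western Water, its vendors or the OVIC; the field names, the target values `POSTAL` and `ELECTRONIC`, and the sample accounts are assumptions constructed for the example.

```python
from collections import Counter

# Hypothetical target values: the article does not describe CustomerPlace's schema.
PREFERENCE_MAP = {"post": "POSTAL", "e-bill or BPAY": "ELECTRONIC"}

# Constructed sample of legacy records (not real customer data).
SAMPLE = [
    {"account": "A1", "preference": "post", "postal_address": "1 Example St"},
    {"account": "A2", "preference": "e-bill or BPAY", "postal_address": "old address"},
    {"account": "A3", "preference": "e-bill or BPAY", "postal_address": ""},
    {"account": "A4", "preference": "", "postal_address": "2 Example St"},
]


def migrate_lossy(record):
    """Reported failure mode: the preference is dropped and the target defaults to post."""
    stripped = {k: v for k, v in record.items() if k != "preference"}
    delivery = PREFERENCE_MAP.get(stripped.get("preference"), "POSTAL")
    return {"account": stripped["account"], "delivery": delivery}


def migrate_strict(records):
    """Fail closed: quarantine anything unmapped or undeliverable instead of defaulting."""
    loaded, quarantined = [], []
    for rec in records:
        target = PREFERENCE_MAP.get(rec.get("preference"))
        if target is None or (target == "POSTAL" and not rec.get("postal_address")):
            quarantined.append(rec["account"])
            continue
        loaded.append({"account": rec["account"], "delivery": target})
    return loaded, quarantined


def reconcile(source, loaded, quarantined):
    """Go-live gate: every account is loaded or quarantined, and per-channel
    counts in the target equal the counts expected from the source data."""
    expected = Counter(
        PREFERENCE_MAP.get(r.get("preference"), "UNMAPPED")
        for r in source if r["account"] not in quarantined
    )
    actual = Counter(r["delivery"] for r in loaded)
    return len(loaded) + len(quarantined) == len(source) and expected == actual


if __name__ == "__main__":
    lossy = [migrate_lossy(r) for r in SAMPLE]
    print("lossy passes gate:", reconcile(SAMPLE, lossy, []))
    loaded, held = migrate_strict(SAMPLE)
    print("strict passes gate:", reconcile(SAMPLE, loaded, held), "held:", held)
```

The reconciliation step is what catches a silent shift of electronic-billing accounts to post: the lossy load accounts for every record but fails the per-channel count check.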
According to the OVIC, the number of potential breaches discovered has reached 320, but the commissioner said “it is likely that the true number of privacy incidents is significantly higher”. However, the commissioner has decided not to attribute blame or launch a further investigation.
“No conclusions should be drawn as to whether Greater Western Water or its vendors were primarily at fault,” the commissioner said.
The OVIC also concluded that deadlines should not be prioritised over implementing systems safely and securely.
“Organisations should not prioritise deadlines and timing at the cost of individuals’ privacy,” OVIC said.
“While it may be frustrating to miss intended dates for a system to go live, the Greater Western Water experience demonstrates that reducing the robustness of a data validation process may have more negative impacts than a project delay.”
Greater Western Water chair Lisa Neville told the OVIC that the agency had “fallen short of the standards our customers expect, and those we hold ourselves to,” and added that privacy and data security improvements had since been made.