DATA INCIDENT

January 16, 2019

UPDATE FROM NOVA ENTERTAINMENT 16/01/2019

We would like to thank everyone affected by this incident for their continuing support and patience during our ongoing investigations into this issue. Rest assured we remain committed to achieving the best possible outcome for each of you.

As promised, provided below is an update of our investigation, including further responses to some frequently asked questions.

We wish to reiterate that if you require any assistance or support in understanding how this incident may affect you please contact IDCARE, Australia and New Zealand’s national identity and cyber support service, on 1300 432 273 (Australia) or +61 7 5373 0400 (International), or visit IDCARE's website: https://www.idcare.org/contact/contact-us. We have engaged IDCARE to provide specialist identity and cyber support services, and it is through IDCARE that we can provide you with the best level of support.

We can assure you that we treat privacy and the security of the information we collect from our listeners with the utmost importance, and we are treating this incident with the seriousness it deserves.

We will continue to update this page as more information becomes available.

Cathy O'Connor, CEO, Nova Entertainment

DATA INCIDENT 27/12/2018
Nova Entertainment has recently become aware that a legacy dataset containing information collected from our listeners during the period from May 2009 to October 2011 has been publicly disclosed.

We are in the process of notifying individuals affected by this incident of the steps they can take to prevent any potential misuse of their information.

The types of information disclosed in this incident vary from person to person, but generally include biographical information (such as name, gender and date of birth), contact information (such as residential address, email address, and telephone number), and user account details (such as user names and passwords, which were protected by 'hashing'). We can confirm that no other information, including copies of identity documentation or financial information, is contained in the dataset disclosed in this incident.

Upon confirming the validity of this incident, we immediately engaged leading Privacy, IT and Cyber Security consultants to understand the circumstances of the disclosure. Our investigation is substantial and ongoing. We are taking all necessary measures to ensure the strength and effectiveness of our cyber security, and there is currently no evidence of any suspicious activity or threats on Nova Entertainment's systems.

We have notified the Office of the Australian Information Commissioner of this incident, and we are in the process of contacting law enforcement bodies. We will fully and transparently engage with these entities in relation to this incident. We have set up a dedicated webpage (https://www.novaentertainment.com.au/dataincident) which contains advice and a dedicated email mailbox (privacy@novaentertainment.com.au) for further queries.

We have also engaged IDCARE, Australia and New Zealand’s national identity and cyber support service, to provide individuals affected by this incident with assistance and support. We encourage anyone affected by this incident concerned about the potential misuse of their personal information to contact IDCARE on 1300 432 273 (Australia) or +61 7 5373 0400 (International), or visit IDCARE's website: https://www.idcare.org/contact/contact-us.

During the Christmas period, IDCARE will be available to assist individuals affected by this incident on the following dates between 10 am and 3 pm AEST:
• Thursday, 27 December 2018
• Friday, 28 December 2018
• Wednesday, 2 January 2019
• Thursday, 3 January 2019
• Friday, 4 January 2019.

From Monday 7 January 2019 onwards, IDCARE will be available Monday – Friday from 8 am until 5 pm AEST. You can also access IDCARE's Learning Centre for further information at: https://www.idcare.org/learning-centre/learning-centre.

We take privacy, and the security of the information we collect from our listeners, very seriously, and on behalf of Nova Entertainment I deeply and sincerely regret that this incident has occurred. We are fully committed to achieving the best possible outcome for anyone affected by this incident.

FREQUENTLY ASKED QUESTIONS - UPDATED 16/01/19

Q: Has Nova Entertainment notified all individuals affected by this incident?
A: Nova Entertainment is in the process of directly notifying all individuals affected by this incident for whom we have valid contact details. We anticipate that the notification process will be completed within the next 1-2 weeks.  If you do not receive correspondence from us but you believe that you provided your personal information to Nova Entertainment between May 2009 and October 2011, please contact us at privacy@novaentertainment.com.au and we can confirm if you have been affected by this incident.

Q: How did this incident occur?
A: Nova Entertainment is working with leading Privacy, IT and Cyber Security consultants to understand the circumstances of this incident, including how and when it occurred. Those investigations are substantial and ongoing.

Q: Has Nova Entertainment engaged with law enforcement?
A: Nova Entertainment has reported the incident to Australian Cybercrime Online Reporting Network (ACORN) and the NSW Police. Our engagements with both ACORN and NSW Police are ongoing.

Q: Is my Facebook account safe?
A: Yes. The dataset contained Facebook authentication tokens of some users who linked their Facebook and Nova Entertainment accounts; however, these tokens would have expired a long time ago, and used an older version of the Facebook authentication platform. These tokens should therefore no longer work. We have been advised by independent experts that it is not possible to access a user’s Facebook profile using these tokens.

Q: How did this happen?
A: We have engaged leading Privacy, IT and Cyber Security consultants to help us understand the circumstances of the disclosure. Those investigations are substantial and ongoing. We will provide further information as it becomes available.

Q: Who is responsible for this incident?
A: Nova Entertainment takes its privacy obligations very seriously and is investing significant resources into investigating the source of the disclosure of the dataset. We have engaged leading Privacy, IT and Cyber Security consultants to help us understand this and will work with law enforcement as required.

Q: Have I been affected?
A: We are in the process of directly notifying all individuals who are affected by the incident. If you have received correspondence from us, it means that your information was contained in the dataset, and you should take steps to maximise the ongoing security of your personal information. If you did not receive correspondence from us but believe that you provided your personal information to Nova Entertainment between May 2009 and October 2011, please contact us at privacy@novaentertainment.com.au to confirm if you have been affected.

Q: Why are you notifying me?
A: We take information security and privacy seriously and want to be open and transparent with you about this incident. We also want to provide you with some practical steps you can take to maximise the ongoing security of your personal information.

Q: Why are you notifying people during the Christmas holiday week?
A: We apologise for contacting people during the holiday period. However, it was very important that we were open and transparent with everyone affected by this incident, and that we provided information regarding the practical steps that can be taken to respond to this incident, as quickly as possible. We have worked with IDCARE to ensure that individuals can receive assistance throughout this period.

Q: What information is contained in the dataset?
A: Forensic experts have identified that the information contained in the dataset depends on what information you provided to Nova Entertainment and varies from person to person. However, the type of information could include (if provided):

  • ID number (assigned by Nova Entertainment);
  • username (created by you);
  • gender, first and last name;
  • email address;
  • residential address;
  • date of birth;
  • contact phone number (home, work and / or mobile number);
  • password (protected by 'hashing');
  • IP address;
  • contact preferences (opt in / out); and/or
  • Facebook or mobile phone authentication token.

We can confirm that no other information, including copies of identity documentation or financial information, was contained in the dataset.

Some of the data contained in the dataset is 'dummy data' and may not be legitimate, valid or active. This may be the case because the dataset is a legacy dataset compiled between May 2009 and October 2011. We are nonetheless treating all relevant data as legitimate and contacting individuals on that basis.

Q: What about passwords?
A: While passwords were contained in the dataset, we note that these are protected through a security technique called 'hashing'. Regardless, we would encourage anyone affected by this incident to change your password for your email account and all other online accounts where you use the same email address, username or password. This includes email, social media and online banking accounts.

Q: Is it safe to provide my contact and personal information to Nova Entertainment?
A: The disclosed dataset is a legacy dataset, and was compiled and stored on a system which is no longer used by Nova Entertainment. We have no reason to believe that this incident poses a threat to Nova Entertainment's current systems and so it is safe to provide your contact and personal information to Nova Entertainment. We continue to investigate the circumstances of this incident as a priority.

Q: How are we responding?
A: We have retained leading cybersecurity firms to investigate this incident and will make any necessary system improvements identified over the course of the investigation to ensure the strength and effectiveness of our cyber security. We take our privacy obligations very seriously and will ensure that our systems, and the data that we hold, remain as secure as they can be.
We have notified the Office of the Australian Information Commissioner of this incident and are in the process of engaging with relevant law enforcement bodies. We will fully and transparently co-operate with these entities in relation to this incident. You can visit the OAIC's website for more information at https://www.oaic.gov.au.

Q: What actions do you need to take?
A: We have engaged Australia's national identity and cyber support service, IDCARE, to assess the risk of harm that this incident may pose to you, as well as the steps that you could take to prevent any potential misuse of your information.

Specific steps that you should take:
Although passwords contained in the dataset are protected ('hashed') and are not visible in plain text, there is a risk that they can be decrypted. This would allow third parties to potentially gain unauthorised access to your online accounts where you use the same or similar passwords.
To prevent this from occurring, you should:

  1. Change your password for your email account and all online accounts where you use the same email address, username or password. This includes email, social media and online banking accounts.
  2. Enable multi-factor authentication and other available security measures provided by your other online services. As part of good cyber security practice, you should consider whether you need to store copies of identity credentials and other personal information in your email accounts (including those of others – such as family and friends). It is best practice to delete such information if not required.

Additional steps that you can take:

  3. Review and continue to monitor your consumer credit report for any discrepancies or unusual activity. You can apply for an annual free credit report from each of the consumer Credit Reporting Agencies below. If you are not resident in Australia, you should contact your local Credit Reporting Agency or IDCARE for further advice.

CREDIT REPORTING AGENCY - WEBSITE
Equifax (formerly Veda) - https://www.mycreditfile.com.au/products-services/my-credit-file
Illion (formerly Dun & Bradstreet) - https://www.checkyourcredit.com.au/Personal
Experian - http://www.experian.com.au/consumer-reports
Tasmanian Collection Service - https://www.tascol.com.au/about-my-credit-file/

4. You should consider requesting that a 'credit ban' be put in place while you investigate further. When a ban is put in place it ‘freezes’ access to your credit file and Credit Reporting Agencies are not able to disclose any personal information from your consumer credit file to any credit providers unless you provide written consent for them to do so, or if they are required by law. You are able to lift this ban later if you need to apply for credit.
5. Review and continue to monitor your financial and payment card account statements for any discrepancies or unusual activity. Contact your financial institution if you have any concerns.
6. Remain vigilant to telephone call, SMS and email phishing scams requesting your personal details or the payment of money. Avoid opening attachments from unknown senders via email or social media. If you receive a communication from us and are in doubt as to whether it is legitimate, contact us to check (privacy@novaentertainment.com.au). More information about phishing scams is available on the ACCC's website here: https://www.scamwatch.gov.au/types-of-scams/attempts-to-gain-your-personal-information/phishing.
7. Remain vigilant to unauthorised requests to port your mobile telephone number to another provider. In most cases the first indicator of unauthorised porting will be your mobile phone unexpectedly losing coverage and going into 'SOS' mode. If this occurs, contact your telecommunications service provider to confirm whether a request for porting has occurred, and if so, request a reversal. You should also contact your financial institution to temporarily suspend online banking. More information about this type of scam is available on IDCARE's website here: https://www.idcare.org/fact-sheets/unauthorised-mobile-porting-sim-swap.
8. You can find additional guidance about protecting your identity by visiting the OAIC's website here: https://www.oaic.gov.au/individuals/data-breach-guidance/what-to-do-afte.... You can also find additional guidance by visiting IDCARE's website here: https://www.idcare.org/learning-centre/fact-sheets.

Q: Who do I contact for more information?
A: We have a dedicated email address available to answer your questions. If you have any further questions after reading these FAQs, please email us at privacy@novaentertainment.com.au.