AICD’s membership data stolen


Australia’s peak organisation for company directors has warned its members to be on the lookout for attempts at identity fraud, after today disclosing that a computer had been stolen from its offices which may have contained data on its many thousands of high-profile members and clients located around the nation.

In a statement released this morning, the Australian Institute for Company Directors said the computer was stolen during a scheduled power outage which affected the whole George St, Sydney building in which one of its facilities was located. Its office’s normal security systems were temporarily disabled. iTNews has reported the theft took place from a datacentre owned by the National Australia Bank.

The group’s chief executive John Colvin said that the data on the computer was protected. “We understand that the risk of its being accessed and used for fraudulent purposes is low and that its utility is minimal, as much of the information is publicly available,” he said. “We felt it was important, however, to let our members and clients know what had happened.”

The data contained on the PC was test data which could “possibly” include names, addresses, phone numbers, dates of birth, and in some cases, the names of personal assistants of company directors and their email addresses. No credit card numbers, banking details, passwords or the personal email addresses of members and clients themselves was included, however.

The AICD has more than 27,000 members, according to its corporate profile, with an undisclosed additional number of client companies. It also reaches a wider community — for example, in the 2010 financial year, it held almost 850 events and courses around Australia, which were attended by more than 40,000 members and others.

The organisation is investigating the theft with the police and reviewing its security, as well as consulting the Federal Privacy Commissioner. It stressed its other electronic assets were not under threat.

“This loss of data was the result of criminal activity involving the theft of computer hardware,” said Colvin. “We have assured our members and clients that we have strong data security precautions in place and that our data storage and other systems, including our website, are not compromised in any way.”

Despite the low risk, the organisation warned members in a public letter (PDF) to be alert for “suspicious” phone calls or other communications — in what appeared to be an attempt to forestall identity fraud carried out on its members using the stolen database.

Image credit: Mattox, royalty free


  1. Ok, how the heck does someone with nefarious intent just walk into a data centre and remove assets from it and during a power outage to boot? Were the security procedures on the centre so lax and unchecked that they did not adequately ensure the facility was protected during such events?

    Raises more questions than answers if you ask me.

Comments are closed.