NSW container scheme accidentally releases commercially sensitive data
UPDATE: Australian Brews News was contacted by Exchange for Change expressing concern at our use of the term ‘data breach’ in our reporting of its inadvertent and uncontrolled release of commercially sensitive data belonging to a number of brewers. Exchange for Change advised that our use of the term data breach to characterise their accidental information release was not correct, saying:
“No data breach has occurred. The disclosure of the information does not classify as a data breach which, in accordance with the Privacy Act 1988, is an event where personal information is disclosed to third parties and serious harm is likely to occur as a result.
The information disclosed was limited to company names, invoice dates, invoice numbers and outstanding amounts. Due to the nature of the calculation of the invoice amounts including factors such as individual supplier true-ups, advance contributions, and scheme material mixes, the figures contained therein do not provide an accurate reflection of the production of any supplier. The information that was disclosed is therefore not capable of causing significant harm to any entity including that it cannot be used to calculate any entity’s financial position or manufacturing figures nor was any market share or volume data included.”
Accordingly Brews News has removed references to data breach for this from this article.
Breweries were among a number of drinks companies to have their sensitive financial information released accidentally to other businesses in an uncontrolled manner by the operator of the beleaguered New South Wales container deposit scheme last week.
The release, which saw invoices containing financial data released to competitors via email, originated with Exchange for Change, the coordinator of the NSW Return and Earn container deposit scheme.
Exchange for Change is a joint venture between some of Australia’s biggest beverage companies which “have more than 40 years of experience in managing container refund schemes in Australia” according to the organisation’s website.
In an embarrassing error for the scheme, which has already faced implementation difficulties and backlash from the industry, a number of companies were sent documents of a sensitive financial nature, intended for individual breweries and bottled water companies whose containers fall under the initiative’s remit.
A later email apologised for the error blaming ‘patch testing’ for the accidental release, calling it an “inconvenience”.
“We’ve noticed that a reminder email and attachment has been accidentally sent to you during today. We’re sorry to have inconvenienced you,” the email said.
“Please be assured that our systems have not been compromised – the mistake was due to patch testing on our systems.”
When contacted for comment by Brews News, New South Wales’ Environment Protection Authority, which oversees the scheme, appeared unaware of the issue.
Ben Rylands, founder of the New England Brewing Co in Uralla, rural NSW, said that his experiences with the container deposit scheme on the whole had been negative, and the most recent data release issue was symptomatic of wider issues relating to the execution of the scheme.
“I don’t know what other emails other breweries may have seen, and it might have been even more sensitive if Tooheys’ info was sent to CUB as an example,” he said.
“Is this life threatening for a business? Not really, but it is a major credibility problem [for Exchange for Change] if you consider the issues that every small brewery has had in dealing with the scheme and the red tape, which has meant we’re spending hundred of dollars a month on back office functions.”
Exchange for Change was brought in by the NSW Environment Protection Authority (itself effectively a subsidiary of the NSW Planning and Environment state government department) to manage the finances of the container deposit initiative and ensure “that the scheme meets its state-wide access and recovery targets”.
It is a joint venture between Asahi, Carlton and United Breweries, Coca Cola Amatil, Coopers and Lion.
“The government outsourced this function and chose that industry model and now we have an issue where our major competitors [big brewers] are running this industry scheme,” explained Rylands.
“They said from the start there was meant to be Chinese walls within the company and shareholders would never have access to information, but it makes me nervous – how can we trust that when we’ve had emails sent to us like this?”
Even breweries in other parts of the country have been affected as they also attempt to navigate the NSW container deposit scheme.
Karen Golding, owner of Red Hill Brewery in Victoria, said the release was just the latest issue they had encountered.
“It sure is a mess. I didn’t know initially that my information was shared with our competitors,” she said.
“There has been a lack of communication throughout from Exchange for Change, and even before the [accidental release], we’ve had issues – receiving invoices for thousands of dollars backdated for years of containers for example.
“I was shocked when we got the invoice which backdated to 2017, and they charged us for the collection for the last two years, even though we have been compliant with the system throughout.
“I think it’s quite unreasonable to backdate invoices this far, let alone share everyone’s invoices with us and ours with them,” she said.
Rylands of New England Brewing said that the confidentiality breach was just another issue in a long line of problems with the implementation of and thinking behind the Return and Earn scheme.
“Nothing will change, but this is another example of really poor implementation of a policy that didn’t have a reason to be implemented,” he said.
“There is a massive regulatory cost to breweries in and outside New South Wales to participate in this, and we don’t understand the benefit.”
He said cost benefit analysis of the scheme indicated that it wasn’t worth the government’s while, and breweries are now having to absorb the cost of the scheme or risk alienating customers by passing it onto them.
“They have been sloppy in their calculation methodology and communicating that methodology with people. No one’s had the time to sit down and figure out what’s going on except the big breweries.”
He said that the impositions in conforming to the regulations, implementing the changes and understanding the system were a huge challenge for small brewers, and there seemed to be a lack of understanding at government levels of the demands for a small business.
“It’s a huge hassle for everyone, Victoria hasn’t signed up to it, it’s never really going to work nationally.
“The whole thing is absurd – there’s more regulatory requirement to do this each month than there is to do excise.
“It seems that no one in the government cares about the impact on small breweries.”
The container deposit scheme began rolling out across New South Wales on 1 December 2017, with a transition period ongoing until 1 December 2019.
Exchange for Change was contacted for comment on how the sensitive brewer data came to be released to competitors but did not respond by time of publication.*
A spokesperson for the NSW Environment Protection Agency said that Exchange for Change is responsible for all invoicing-related matters, and that “information security and data integrity is of the utmost importance”.
“The NSW Government expects EFC to meet its obligations for information and data security and will seek a full analysis of the cause, impact and corrective actions following an issue in October,” they said.
Update 4/11/2019: Exchange for Change responded to requests for comment.
“On 25 October 2019, while Exchange for Change undertook testing for migration to a new automated system, 16 invoice reminder letters were emailed to the wrong supplier address in error.
“We immediately notified the affected suppliers, and we would like to assure all suppliers that no supplier market share or volume data was revealed.
“As there was no personal information included in the letters, there was no need to report the error to the OAIC.
“Exchange for Change takes data security seriously. We are subject to regular independent IT security audits with the most recent audit, completed in September 2019, confirming we are meeting all of our strict security obligations.
“We are currently investigating the error to ensure that this does not occur again,” it said.