Personal data of ‘thousands’ of Hungry Jack’s staff exposed in internal leak
By Jessica Yun
The chief executive of Hungry Jack’s has confirmed that an internal data leak has accidentally exposed the names, birthdates and store locations of staff, including minors, across the country.
In the early hours of Monday, hundreds of employees received an email from the burger chain’s training and communication portal, Jedi, that included an attached spreadsheet of staff information outlining full names, job titles, personal email addresses, start dates, and employment classifications.
Hungry Jack’s says the ‘inadvertent’ message was shared with almost 200 staff – but one teenage worker’s parent believes that’s an underestimate.
In an email to some workers on Monday afternoon, Hungry Jack’s chief executive, Chris Green, said the spreadsheet, sent at 2.07am, was due to an “inadvertent data disclosure incident”.
“The result of our investigation indicates that you have a current Jedi account and some of your personal identifiable information within Jedi has been unintentionally disclosed via email to 198 Hungry Jack’s employees,” Green wrote.
“This was not a result of a cyberattack, nor was it deliberate or malicious.”
The burger chain has recalled and deleted most emails and has implemented additional security measures to prevent future similar incidences, he said. No passwords were disclosed, but employees were urged to regularly change their passwords.
Hungry Jack’s is reporting the incident to the Office of the Australian Information Commissioner.
However, the parent of a Hungry Jack’s employee who is a minor, and whose details were exposed in the leak believes the email may have been sent to many more than 198 workers.
“When I opened it, I was floored,” said the parent, who requested anonymity.
“Date of birth is one thing, in terms of identity fraud, but where some kids work and their date of birth …”
“There are an awful lot of sinister things one could do with the information should one be so inclined. If it ends up on the web somewhere, it will take a whole new turn, as one thing someone can’t change is their date of birth.”
The parent estimates that thousands of Hungry Jack’s employees – including chief information officer Claudio Salinas – were exposed in the email, with about half aged under 18.
They have written to the chief executive asking for clarity around the 198 figure and for their concerns to be addressed.
Despite being only half the size of McDonald’s, Hungry Jack’s is a major national employer with a store network of 440 outlets employing more than 19,000 Australians.
In an email seen by this masthead, Hungry Jack’s head of capability, Melissa Anderson, said the inadvertent message was the result of an “internal processing error”.
“Hungry Jack’s takes the protection of personal information very seriously and took immediate action to investigate the incident. We are currently notifying and providing guidance to all the involved employees,” she said in the email.
Anderson said Hungry Jack’s had implemented additional security controls to prevent a recurrence. Hungry Jack’s staff who have further questions are being directed to the employee helpline.
‘Farcical’: Fast food union slams leak
The Retail and Fast Food Workers Union (RAFFWU) has criticised Hungry Jack’s response to the internal data breach as “fanciful” and “farcical”, slamming the burger chain’s claims that only 198 people received the spreadsheet and that it had successfully recalled and deleted emails.
“The file includes over 29,000 rows. Members who received the file have not been separately contacted – including by any email [other than the general one] to the email address which received the file,” said RAFFWU secretary Josh Cullinan.
“It beggars belief that if only 198 people received the file that Hungry Jack’s would not call and email all of those people asking them to delete the file.”
Cullinan said several members had reached out to the union and expressed concern that their private details may end up being used for identity theft, increase the likelihood of phishing, or be used to target them in other ways.
The union is also demanding that workers on minimum wage be paid $3000 compensation for the leak.
“This would recognise the time spent by workers changing passwords and accounts, putting in place further security measures, reading the correspondence, deleting the emails and discussing it with parents. It would also compensate workers for the upset and concern the breach creates,” said Cullinan.
The union secretary urged the burger chain to be clearer about how the leak occurred and to outline the specific steps it has taken to guard against a repeat incident.
“Employers must take the privacy of worker data seriously, and until such compensation is paid it is clear Hungry Jacks is more concerned with public perception than the privacy rights of our members,” he said.
The burger chain has been contacted for further information.
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.