“Date of birth is one thing, in terms of identity fraud, but where some kids work and their date of birth …”

Loading

“There are an awful lot of sinister things one could do with the information should one be so inclined. If it ends up on the web somewhere, it will take a whole new turn, as one thing someone can’t change is their date of birth.”

The parent estimates that thousands of Hungry Jack’s employees – including chief information officer Claudio Salinas – were exposed in the email, with about half aged under 18.

They have written to the chief executive asking for clarity around the 198 figure and for their concerns to be addressed.

Despite being only half the size of McDonald’s, Hungry Jack’s is a major national employer with a store network of 440 outlets employing more than 19,000 Australians.

In an email seen by this masthead, Hungry Jack’s head of capability, Melissa Anderson, said the inadvertent message was the result of an “internal processing error”.

“Hungry Jack’s takes the protection of personal information very seriously and took immediate action to investigate the incident. We are currently notifying and providing guidance to all the involved employees,” she said in the email.

Anderson said Hungry Jack’s had implemented additional security controls to prevent a recurrence. Hungry Jack’s staff who have further questions are being directed to the employee helpline.

‘Farcical’: Fast food union slams leak

The Retail and Fast Food Workers Union (RAFFWU) has criticised Hungry Jack’s response to the internal data breach as “fanciful” and “farcical”, slamming the burger chain’s claims that only 198 people received the spreadsheet and that it had successfully recalled and deleted emails.

“The file includes over 29,000 rows. Members who received the file have not been separately contacted – including by any email [other than the general one] to the email address which received the file,” said RAFFWU secretary Josh Cullinan.

“It beggars belief that if only 198 people received the file that Hungry Jack’s would not call and email all of those people asking them to delete the file.”

Cullinan said several members had reached out to the union and expressed concern that their private details may end up being used for identity theft, increase the likelihood of phishing, or be used to target them in other ways.

The union is also demanding that workers on minimum wage be paid $3000 compensation for the leak.

“This would recognise the time spent by workers changing passwords and accounts, putting in place further security measures, reading the correspondence, deleting the emails and discussing it with parents. It would also compensate workers for the upset and concern the breach creates,” said Cullinan.

The union secretary urged the burger chain to be clearer about how the leak occurred and to outline the specific steps it has taken to guard against a repeat incident.

“Employers must take the privacy of worker data seriously, and until such compensation is paid it is clear Hungry Jacks is more concerned with public perception than the privacy rights of our members,” he said.

The burger chain has been contacted for further information.