Brewers hit by NSW container deposit scheme data breach

Breweries were among a number of drinks companies to have their sensitive financial information released accidentally to other businesses in a data breach by the operator of the beleaguered New South Wales container deposit scheme last week.

The breach, which saw invoices containing financial data released to competitors via email, originated with Exchange for Change, the coordinator of the NSW Return and Earn container deposit scheme.

It is a joint venture between some of Australia’s biggest beverage companies which “have more than 40 years of experience in managing container refund schemes in Australia” according to the organisation’s website.

In an embarrassing error for the scheme, which has already faced implementation difficulties and backlash from the industry, a number of companies were sent documents of a sensitive financial nature, intended for individual breweries and bottled water companies whose containers fall under the initiative’s remit.

A later email apologised for the error blaming ‘patch testing’ for the breach, calling it an “inconvenience”.

“We’ve noticed that a reminder email and attachment has been accidentally sent to you during today. We’re sorry to have inconvenienced you,” the email said.

“Please be assured that our systems have not been compromised – the mistake was due to patch testing on our systems.”

When contacted for comment by Brews News, New South Wales’ Environment Protection Authority, which oversees the scheme, appeared unaware of the issue.

Ben Rylands, founder of the New England Brewing Co in Uralla, rural NSW, said that his experiences with the container deposit scheme on the whole had been negative, and the most recent data breach issue was symptomatic of wider issues relating to the execution of the scheme.

“I don’t know what other emails other breweries may have seen, and it might have been even more sensitive if Tooheys’ info was sent to CUB as an example,” he said.

“Is this life threatening for a business? Not really, but it is a major credibility problem [for Exchange for Change] if you consider the issues that every small brewery has had in dealing with the scheme and the red tape, which has meant we’re spending hundred of dollars a month on back office functions.”

Exchange for Change was brought in by the NSW Environment Protection Authority (itself effectively a subsidiary of the NSW Planning and Environment state government department) to manage the finances of the container deposit initiative and ensure “that the scheme meets its state-wide access and recovery targets”.

It is a joint venture between Asahi, Carlton and United Breweries, Coca Cola Amatil, Coopers and Lion.

“The government outsourced this function and chose that industry model and now we have an issue where our major competitors [big brewers] are running this industry scheme,” explained Rylands.

“They said from the start there was meant to be Chinese walls within the company and shareholders would never have access to information, but it makes me nervous – how can we trust that when we’ve had emails sent to us like this?”

Even breweries in other parts of the country have been affected as they also attempt to navigate the NSW container deposit scheme.

Karen Golding, owner of Red Hill Brewery in Victoria, said the breach was just the latest issue they had encountered.

“It sure is a mess. I didn’t know initially that my information was shared with our competitors,” she said.

“There has been a lack of communication throughout from Exchange for Change, and even before the data breach, we’ve had issues – receiving invoices for thousands of dollars backdated for years of containers for example.

“I was shocked when we got the invoice which backdated to 2017, and they charged us for the collection for the last two years, even though we have been compliant with the system throughout.

“I think it’s quite unreasonable to backdate invoices this far, let alone share everyone’s invoices with us and ours with them,” she said.

Rylands of New England Brewing said that the data breach was just another issue in a long line of problems with the implementation of and thinking behind the Return and Earn scheme.

“Nothing will change, but this is another example of really poor implementation of a policy that didn’t have a reason to be implemented,” he said.

“There is a massive regulatory cost to breweries in and outside New South Wales to participate in this, and we don’t understand the benefit.”

He said cost benefit analysis of the scheme indicated that it wasn’t worth the government’s while, and breweries are now having to absorb the cost of the scheme or risk alienating customers by passing it onto them.

“They have been sloppy in their calculation methodology and communicating that methodology with people. No one’s had the time to sit down and figure out what’s going on except the big breweries.”

He said that the impositions in conforming to the regulations, implementing the changes and understanding the system were a huge challenge for small brewers, and there seemed to be a lack of understanding at government levels of the demands for a small business.

“It’s a huge hassle for everyone, Victoria hasn’t signed up to it, it’s never really going to work nationally.

“The whole thing is absurd – there’s more regulatory requirement to do this each month than there is to do excise.

“It seems that no one in the government cares about the impact on small breweries.”

The container deposit scheme began rolling out across New South Wales on 1 December 2017, with a transition period ongoing until 1 December 2019.

Exchange for Change was contacted for comment on how the sensitive brewer data came to be released to competitors but did not respond.

A spokesperson for the NSW Environment Protection Agency said that Exchange for Change is responsible for all invoicing-related matters, and that “information security and data integrity is of the utmost importance”.

“The NSW Government expects EFC to meet its obligations for information and data security and will seek a full analysis of the cause, impact and corrective actions following an issue in October,” they said.

Related

Comments are closed.