Data breach incident

11 March 2019

Notification for former employees and directors (from 2009 onwards)

At Amatil we pride ourselves on taking the initiative, owning the outcome and always being straightforward and open.  We also take the privacy of our people and their personal information very seriously.  

We are deeply sorry to report that we have had a data breach involving the personal information of current and former employees and directors (from 2009 onwards). This breach was limited to 4 current Amatil employees, and has been contained. The breach was the result of human error and our legacy systems and processes, all of which are totally unacceptable. 

True to our Amatil value of being straightforward and open, a Q&A is available below that details what happened, what information was involved and the corrective actions we are taking.   

We would like to reassure you that:

  • Once notified of the breach, we took immediate action to contain the personal information;
  • The information was accessible by 23 people with 4 of these people opening the attachment before the breach was identified;
  • All individuals have confirmed they have deleted the personal information, and that it was not copied or shared with anyone outside Amatil. Those that viewed the information did so inadvertently and with no malice;
  • We have taken steps to ensure this incident is not repeated and that personal information is protected.  

We sincerely apologise for this incident. We are working to remove the risk of human error, automate our processes and reporting where possible and to ensure the best possible safeguards of our people data are in place. 

Please direct any queries to our Privacy Officer at


What happened?

Each month, a chart of authority report (Report) is provided to 20 Amatil employees and 3 employees of a third party service provider (Recipients). The Report assists them to determine, amongst other things, Amatil credit card limits and Amatil mobile device purchase orders, and to set up Amatil traveller profiles via our corporate travel management provider. The information in this Report is generated using 2 third party systems that contain personal information; however, it is not intended for the Report to include any personal information.

Unfortunately, the February Report (circulated on 13 February 2019) inadvertently included a separate tab (in Microsoft Excel) containing personal information of current and former employees and directors (the former employees and directors date back to 2009, with no records for those that ceased employment prior to that date). The data tab containing personal information was viewed by 4 Coca-Cola Amatil Recipients. Our third party service provider confirmed that they did not access the file. 

This matter has been subject to investigation to identify the extent and nature of the incident, the cause, corrective actions and appropriate consequence management. 

What information was involved? 

Unfortunately, depending on the completeness of the record in the file used to create this Report, each individual’s date of birth, residential and contact details, remuneration and superannuation details may have been disclosed in this Report. 

What are we doing? 

We have taken the following actions to minimise any possible harm: 

  • All Amatil Recipients have been contacted and have confirmed that the Report has been deleted and was not copied or shared with anyone outside of the organisation;
  • 4 Amatil Recipients viewed the tab that contained the personal information, however each has confirmed that the viewing was inadvertent and without malice;
  • The third party service provider Recipients have confirmed to us in writing that they did not view the personal information, and have deleted the Report from its system;
  • We have put the circulation of future chart of authority reports on hold until a full review of the process for generating and distributing these Reports is completed;
  • We have ceased the practice of sharing any file attachments containing multi-person, personal information of our people by email. A second layer of security must also be in place through the use of passwords on all such files;
  • We are undertaking a sensitive people data risk assessment to understand how each of our teams use people data on a day-to-day basis, identify all our risks, and develop mitigation strategies;
  • We have been investing in an upgrade to our systems and processes, and our supporting data governance framework; 
  • We will be conducting privacy awareness training for all relevant roles that access and use people data;
  • We will be incorporating a one-on-one privacy briefing into the induction program for new hires into such roles; and
  • We have notified the Australian Information Commissioner.

What can you do to protect your information?

Whilst we are confident that this incident has been contained as outlined above, we recommend that you follow these principles to safeguard your personal information:

  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;  
  • Avoid clicking on links or downloading attachments from suspicious emails;
  • Use a second layer of security (such as passwords on files) when circulating personal information; and
  • Report any suspected Amatil-related data breach to our Privacy Officer at