More than 400 employees at tugboat operator Svitzer Australia, have had personal information, including tax file numbers, stolen after the company was the victim of data theft for eight months.

The breach, involving three email accounts in finance, payroll and operations, was detected only after up to 60,000 company emails were automatically forwarded to two external accounts, the mailboxes of the external accounts became full and emails bounced back to the company.

Information forwarded between May 27 last year and March 1 this year included personal detail of employees, including their tax file numbers.

Svitzer said yesterday the theft was stopped within five hours of the company becoming aware of the breach on March 1. The Office of the Australian Information Commissioner had been notified. Steffen Risager, managing director of Svitzer Australia, said the theft had affected only the company’s Australian operations.

“This is a reminder of the constant threat individuals and businesses alike face,” Risager said.

“The nature of cybercrime means while we can get it right a thousand times, the perpetrator only needs to get it right once. We will learn from this experience.” Risager said the company had engaged forensic IT experts to understand what had happened, the extent of the theft, the identity of the perpetrator and how the company could further strengthen its systems. “We have adapted our monitoring strategy to include this theft type and we’re working with Microsoft to increase security,” he said.

“We can confirm that it is safe to write and receive emails from us, and that the details of any sensitive data stolen will be communicated directly with those potentially affected.”