High-profile breaches turn the spotlight on data security risks

On 22 September 2022, Optus announced its systems had been hacked and the private data of 9.8 million current and past customers had been exposed.

While all customers had their names, dates of birth, email addresses and phone numbers compromised, 2.8 million also lost identity document details such as driver’s licence numbers, passport details and Medicare card numbers, along with home addresses.

Dubbed the biggest data breach in Australian history – affecting about 40% of the population – the incident had far-reaching implications, leading to:

  • anger amongst Optus’ customers
  • the Australian Federal Police establishing Operation Hurricane in conjunction with the Australian Signals Directorate, Office of the Australian Information Commissioner (OAIC) and international law enforcement agencies including the FBI
  • condemnation from Government and the flagging of mandatory reporting laws
  • government agencies and financial institutions having to heighten their protections
  • the unscrupulous capitalising on the incident (scams)
  • additional workload for government departments to replace driver’s licences and passports
  • the instigation of two inquiries (one by the OAIC into the company’s handling of customers’ data and one by the Australian Communications and Media Authority into whether Optus breached its privacy obligations)
  • calls for a review of data retention laws and the Privacy Act, and
  • two law firms looking into class actions.

The hackers ransomed the data, demanding $1.5 million in Monero cryptocurrency with the threat of releasing the details of 10,000 customers each day if their demands weren’t met. In a bizarre twist, the hackers later apologised for the theft and said they wouldn’t release any more information – they had already published 10,200 records on the web.

Customers pay the price

The loss of private data presents myriad potential problems for those whose data is stolen. Armed with identity details, criminals can carry out financial crimes including identity theft and fraud – making purchases, accessing bank and superannuation accounts, applying for credit, applying for fraudulent identification in the person’s name and accessing sensitive information (enabling blackmail). The breach also opened a Pandora’s box, releasing a flurry of cybercriminals who exploited the highly publicised hack to mount social engineering and phishing attacks. The Australian Competition and Consumer Commission’s Scamwatch said it had received about 600 reports a day since 22 September, with many scammers pretending to be from Optus, Equifax Protect (the credit reporting agency tasked with supporting victims of the breach), Medicare or MyGov.

A costly affair

The fallout from the breach is likely to be a costly one for Australia’s second largest telco – both financially and in terms of reputational damage.

The financial costs involved in the data breach are tipped to be extensive, with Optus facing expenses which may include, but are not limited to:

  • tech resourcing
  • investigation costs – Deloitte has been engaged to conduct a comprehensive review
  • remediation (fixing weak security and IT systems)
  • fines – the maximum fine that can be imposed for a data breach is $2.2 million (though the extent of this incident has resulted in the Government looking at introducing legislation that would see the maximum raised to $50 million)
  • monitoring – such as credit monitoring and identity protection
  • compensation/reinstatement costs – replacing passports and driver’s licences
  • loss of customers
  • potential litigation, and
  • associated management exposures.

In addition to the financial costs (some experts estimate it will cost up to $1 billion in monitoring, identity protection and document replacement costs alone), damage to the company’s reputation may be felt through loss of customer, industry and shareholder trust, and loss of existing and future customers.

Data breaches escalate

Less than a month after the Optus hack, the private data of up to 9.7 million customers was stolen from private health insurer Medibank Private. Hackers threatened to sell confidential customer information, including sensitive health conditions and credit card details, if Medibank did not pay the ransom. In a statement released to the ASX, Medibank said a criminal claimed to have stolen 200 gigabytes of data including customer names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.

The attack on the health insurer was the latest in a string of cyberattacks targeting Australian consumers and followed breaches of wine retailer VinoMofo and MyDeal, an online shopping site owned by Woolworths. Over the course of just five weeks, six major privacy breaches occurred – affecting more than 14 million customer records, reported The Sydney Morning Herald.

Speaking on ABC Radio following the Medibank breach, cybersecurity minister Clare O’Neil warned of a new world “under relentless cyberattack”, saying that cyberattacks would only increase and that organisations holding Australians’ data needed to get better at protecting it.

Annual Cyber Threat Report

On 14 November 2023, the Australian Cyber Security Centre (ACSC) published its fourth Annual Cyber Threat Report, which revealed that it had received 94,000 cybercrime reports in the last financial year, a 23 per cent increase on the previous year.

That means the Agency, which is part of the Australian Signals Directorate, received a cybercrime report every seven minutes.

Fraud, online shopping and online banking were the most reported types of cybercrime, but ransomware was the most damaging.

SMEs at risk

While the data breaches of big-name businesses make the headlines, hackers find victims in businesses of all sizes and SMEs are a particular target.

A government survey two years ago found almost half of SMEs reported spending less than $500 a year on cybersecurity, with the lack of protection making them vulnerable and an attractive target for cybercriminals. In fact, small business is the target of 43% of all cybercrime in Australia, according to a report from Kaine Mathrick Tech. The report also found just 5% of businesses’ data folders are protected.

A Westpac survey found 49% of Australian SMEs had experienced a cyberattack in the last 12 months. Of those SMEs that had experienced a cyberattack, 17% had to shut operations until the issue was fixed, 25% lost data and 8% had to pay a ransom to end the attack.

The Council of Small Business Organisations Australia notes a lack of resources and time as key reasons why small businesses have difficulties with cybersecurity upskilling. It also found that six out of 10 small businesses rate their cybersecurity as either poor, in need of improvement, or only okay. The Actuaries Institute warns of ‘uneducated’ SMEs being exposed to cyber threat, while the Insurance Council of Australia notes that only 20% of SMEs have cyber insurance.

Data privacy – top tips

To help safeguard data, businesses should take a risk-based approach to cybersecurity. Measures should include:

  • Assessing what private data they collect, store and use.
  • Collecting only the sensitive information required to operate their business.
  • Understanding their data security obligations, particularly if governed by the Privacy Act and subject to the notifiable data breach (NDB) regime.
  • Developing sound policies to make clear the business’ approach to data security.
  • Employing security controls including privileged access management, multi-factor authentication, encryption, application control, patching applications, configuring macro settings, user application hardening, antivirus software, patching operating systems, regular back-ups, implementing a zero-trust model and focusing on application programming interface (API – the interface that allows machines to talk to one another) security.
  • Using best practice to de-identify or destroy data no longer required (subject to data retention laws).
  • Educating and training staff on data handling practices and best-practice data protection (people are the weakest link when it comes to cybersecurity).
  • Investigating third-party risks (organisations are often infiltrated through their partnerships with external suppliers). Businesses should also ensure they understand any ‘shared responsibilities’ when it comes to storing data in the cloud.
  • Developing a data breach response plan.
  • Regularly testing systems.

Role of insurance

An important element in being prepared for a cyber incident is to have appropriate cyber insurance. Not only can the cover protect against financial losses associated with a data breach but, often, the policy includes features such as access to an incident response panel. These experts provide independent insights, advice and strategy which, in the immediate aftermath of an event, can prove invaluable. Services may include threat-actor negotiation, analysis of large data sets for evidence of compromise, privacy and other regulatory advice, and communications strategy/media exposure guidance. In the longer term, a cyber policy may also respond to associated legal costs under privacy-related regulatory action (subject to the nature of the policy wording and definitions, and insurability of fines and penalties and associated costs). Immediately following the Optus hack, one cyber insurance provider noted a 184% increase in cyber insurance enquiries from SMEs.

In addition, a directors’ and officers’ (D&O) policy may respond to liability issues arising from obligations of care and skill under the Corporations Act, which requires that directors guard against key business risks including cyber.

While insurance is not a substitute for good cybersecurity and responsible management of risks, it should be an integral element of every business’ proactive risk mitigation strategy, as it can provide essential financial protection and operational support. Talk to your EBM Account Manager about cyber insurance and other liability policies.