The majority of Australian organisations will soon be required to report major data security breaches. But what does this mean, and how can businesses avoid associated risks?

Several years ago, JDS received a fax. This was unusual for two reasons: firstly, it was a fax in the 21st century; secondly, it was an authorisation for payment of 60 million dollars from a large market fund. The fax was from a broker, who was merely confirming 'our' bank account details before sending through the transfer—if JDS were in the business of heists, it would have been a matter of changing a digit or two, then faxing the form back for payment.

As you can tell by the fact that JDS haven't converted downtown Melbourne into a tropical beach, no such skullduggery transpired: instead, JDS MD John Bearsley called the broker and explained that he might have the wrong fax number on file. The broker was a bit shocked, to say the least. But what about the client? Did they ever find out?

Under Australia's new mandatory data security notification laws, applicable from 22 February 2018, the broker would have been forced to notify the client and the Office of the Australian Information Commissioner (OAIC) of the information breach. This is because, through a simple mix-up, we gained access to personal and private information about the fax's intended recipient, and the breach could have had serious consequences. Under the new requirements, data security breaches are to be dealt with as follows:

  1. Contain the breach and assess
  2. Evaluate the risks to the individuals associated with the breach
  3. Consider whether there is need for notification
  4. Review and take action to prevent further breaches

The difference between this new schema and any internal risk or incident management procedure lies in the role of compulsory reporting. If there is real risk of serious harm, then the individuals involved, and potentially the police as well as the OAIC, must be notified. This notification is to include the scope of the breach, and information regarding containment of the breach and action taken to prevent further breaches.

So what constitutes 'serious harm'? This depends on the type of information, its sensitivity, whether the information is protected, whether it can be combined with other information to cause harm, the attributes of the person or body who now holds the information, and the nature of the harm. It ties into existing Australian privacy and information security legislation, and has particular relevance for organisations that hold databases of information, particularly personal or sensitive information, about their customers or users. Consider the following IT security-related disasters that have come to light, noting that a number are based in the US, where compulsory reporting is already in effect:

Bangladesh Bank

A group of internationally-based hackers attempted to steal nearly US$1 billion from Bangladesh Bank after identifying some security vulnerabilities. They compromised the bank’s network, and used the credentials they gained to authorise bank transfers to the tune of US$951 million. Similar attacks have been seen at the Banco del Austro in Ecuador (US$12 million stolen) and the Tien Phong Bank in Vietnam (unsuccessful).

Result

US$101 million of transfers were successfully completed by the thieves; US$63 million was never recovered.

Indiana University

The names, addresses, and Social Security Numbers of a large number of Indiana University students and graduates were stored on an unprotected site. The lack of protection meant that several data mining applications not only accessed, but also downloaded, all the data files.

Result

Students and credit reporting agencies had to be notified; ongoing risk for financial fraud and identity theft, and associated liability.

Anthem

Anthem suffered a cyber attack in late 2014, with information accessed potentially including names, home addresses, email addresses, employment information, birth dates, and income data. The FBI investigation found that the attacks were conducted by international parties who were curious about the American healthcare system. Almost all of Anthem’s product lines were impacted.

Result

Anthem had to pay US$115 million to settle a class action litigation suit as a result of the breach. They also provided up to four years of credit monitoring and identity protection services to affected customers.

Philippine Commission on Elections (COMELEC)

Weaknesses in COMELEC’s network and data security meant hackers were able to access the full database of all registered voters in the Philippines. The database contained personal details, many of which were stored in plain text, including fingerprints, passport numbers and expiry dates, and potentially voting behaviour.

Result

The data could be used for extortion, phishing, or blackmailing purposes, and related hacks may lead to election manipulation.

Tesco Bank

Tesco Bank had monitoring and security mechanisms in place. However, Tesco Bank data, such as credit card verification data, had to be accessed by the parent company Tesco, whose systems do not appear to have been as secure. Security is only as strong as the weakest link in the chain, and in this instance, money was stolen and customers defrauded.

Result

Customers were defrauded to the tune of 2.5 million pounds. The bank had to pay the associated costs and manage the associated brand damage.

Yahoo

Yahoo’s security was breached twice, in 2014 (500 million accounts stolen by a state-sponsored actor) and 2013 (one billion accounts). Information included user names, telephone numbers, birth dates, and encrypted passwords.

Result

Yahoo’s sale price to Verizon was reduced by some US$350 million as a result of the hacks.

The above breaches cover a wide range of industries—from health to insurance, government, and education. They have led to wide-ranging financial and reputational damage.

It would be naive to think that similar data breaches don't take place in Australia, though at the moment, it is not compulsory to report them. In 2015–2016, 107 organisations voluntarily notified the OAIC of breaches, and we are likely to see a rise in this number once the new legislation kicks in.

What does this mean for your organisation?

If your organisation deals with sensitive or personal information, including data such as emails, passwords, addresses, birth dates, health records, education records, passport numbers, ID numbers, travel information etc., then you need to prepare for the upcoming legislation. Part of this will be ensuring you have the correct policies, procedures, and training in place—and the other part will be making sure your environment is protected. The security of your IT infrastructure has always been, and will continue to be, vital: but now, there is an increased risk to your organisation, financially and particularly reputationally, if you do not ensure your environment is as secure as possible before mandatory reporting comes in. Test and assess your infrastructure and applications now, rather than down the line following a reportable incident.  

For advice or to book an assessment, call our friendly JDS consultants today.
