Massive data breach in the US highlights the need for mandatory data breach notification regime in Australia.

December 30, 2013

Australia has no mandatory data breach notification regime. The previous Parliament came close to passing the Privacy Alerts Bill 2013 earlier this year: the Bill passed the House of Representatives and was awaiting debate following the Second Reading speech in 2013. That Australia does not have some form of mandatory data breach notification is a flaw in its privacy regulation. Individuals should know when their personal information has been accessed and their privacy interfered with. The consequences are not illusory, as ZDNet highlights in “Stolen Target customer data ‘flooding’ black markets, report says”.

It provides:

Target confirmed earlier this week that the credit card data of more than 40 million customers had been stolen, prompting many to question what would anyone be able to do with that vast, perhaps overwhelming, trove of information.

Well here’s an answer that is both upsetting but not terribly surprising either.

Brian Krebs, the former Washington Post reporter who first broke the Target security breach on his blog earlier this week, filed an update to Krebs on Security on Friday.

Basically, according to Krebs, all of that information has been circulating underground black markets around the world for weeks now.

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.

The big box retailer affirmed Krebs’s original scoop that the breach lasted from the day before Thanksgiving (November 27) through December 15. During that time, the still-unidentified hackers illegally obtained customer names, credit and debit card numbers, card expiration dates as well as CVVs (the three-digit security code), according to a letter to customers.

Target is working with the United States Secret Service, among other law enforcement agencies, to track down the culprits.

In the meantime, there are a number of security software providers and experts as well as financial institutions doling out advice to those possibly affected as well as anyone else shopping — in stores or online — this holiday season.

Eric Chiu, CEO of virtualization security and compliance solutions provider HyTrust, outlined some initial recommendations in a blog post on Friday that are applicable to and should be observed by everyone, such as vigorously monitoring bank and credit card statements and even signing up for fraud prevention services.

For those involved in this week’s high-profile breach, Chiu suggested reaching out to Target directly as they might provide fraud prevention and detection services for free, as many other corporate entities have done for their customers in the past.

Based on the comments of Paul Lipman, CEO of cloud security network Total Defense, it would be wise for Target to heed that latter note as well as take more proactive steps in assisting customers right now.

In an email, Lipman argued that while the impact on holiday sales will be minimal, “it will be the long term fallout from the ongoing costs related to the breach, and the loss of customer trust, that will have a larger impact on the company.”

The Business Spectator, on 7 November 2013 in “The Coalition needs to act on data breach laws”, called for the introduction of mandatory data breach legislation in the November session of Parliament. Perhaps a bit early, given the new government had a list of bills relating to the removal of the mining tax and the carbon tax legislation, but important nevertheless.

The article provides:

Recent events in Queensland and Indonesia are a timely reminder that the new Government will be faced with a tough decision when the 44th Parliament opens on 12 November 2013.

Will the Coalition government become the champion of privacy and security for all Australians in the digital world, or will it succumb to lobbying by business advocates for the Privacy Alerts Bill 2013 to be consigned to history?

The government must choose wisely because the wrong choice will make it the pin-up for organised crime and the hackers they employ.

The former Liberal Prime Minister John Howard acted wisely and quickly after the Port Arthur massacre to put the safety of Australians before the interests of the powerful gun lobby when his government banned a range of high powered semi-automatic and automatic weapons. The Howard government benefited by a huge bounce at the polls and he will be remembered for his strength and courage at a time of national disaster.

Australians value governments that put their safety and protection first and there can be no doubt that ordinary Australians are under attack. But what does it take before politicians become interested in online privacy and security? The threat of an attack on a politician of course!

Last week a video that was incorrectly associated with the hacktivist group Anonymous was believed to contain a threat to the Queensland Premier Campbell Newman. Outrage followed.  Why?

Because Anonymous have been linked, often by their own admission, to hacking attacks on government, defence, security organisations and corporations. The thought of what Anonymous might do if they turned their attention on Newman was seen to be an attack on democracy and Newman’s right to security and privacy online.

But what about the rest of us? Australians are attacked every minute online, bank accounts are broken into and emptied, personal details stolen, lives ruined.

Where is the outrage from the Queensland Police Minister Jack Dempsey about the constant online attacks by organised crime on the lives of ordinary Australians?

Does it take the actions of one misguided young man in Queensland to get politicians to realise there is a problem facing Australian families every minute of every day?

Anonymous was in the news again this week when Anonymous Indonesia reacted to the news that Australia is alleged to have spied on Indonesia at the behest of the US government and National Security Agency (NSA). Anonymous Indonesia hacked into more than 100 Australian websites belonging to small business and government organisations, defaced many of the websites and tweeted the list of victims with the message “Stop spying on Indonesia!”

The actions of Anonymous Indonesia were illegal and should be condemned.

To make matters worse the apparent ease with which they were able to hack into so many websites demonstrates the lack of security applied by business and government organisations to their online presence.

Anonymous Indonesia could have done more than defacing websites. They could have hacked into websites, stolen credit card or bank details or other personal information and posted it online.

But why do this when the loss of personal data, bank or credit card details has become commonplace in Australia?

In October 2013 Symantec estimated the cost of cybercrime affecting Australians to be about $1 billion per annum. That means the average cost per victim was about $200.

The European Union (EU) requirement for data breach reporting came into force on 25 August 2013. In the EU, telecommunications companies, Internet Service Providers (ISPs) and organisations conducting business online have 24 hours to report data breaches to authorities from the moment the data breach was discovered.

The argument by business lobbyists that the cost to business will be high and data breach reporting to the Australian Privacy Commissioner would be an unnecessary burden to place on struggling Australian businesses just does not carry any weight. The ease at which Anonymous Indonesia was able to hack into Australian websites clearly shows there is a problem that is not being addressed despite repeated calls for business to get its collective act together.

The Coalition government aims to have a close relationship with business, and any action that increases business costs will test that relationship. But this is one of those occasions when the government will need to step back, take a deep breath, and explain to business that mandatory data breach reporting is good for them (and the government).

Business could help the Coalition government out of this predicament by adopting the provisions in the Privacy Alerts Bill 2013 as a mandatory industry best practice guide – but will business leaders have the forethought to act before the Coalition government does?

The previous Labor government failed to introduce the Privacy Alerts Bill 2013 before the end of the last Parliament. Labor’s failure to acknowledge the extent of cybercrime by not introducing the Privacy Alerts Bill 2013 into Parliament has left the new Coalition government with a narrow window of opportunity.

The Coalition government has a stark choice to make and it cannot put the decision off. The new Parliament is fast approaching and the Privacy Alerts Bill 2013 must be addressed one way or another – will the Coalition government act to protect Australians in the online world or not?

The alleged attack on Campbell Newman has firmly put the issue of online privacy and security on the front page. Failure to act will be seen to be an act of cowardice by the Abbott government in the face of attacks by Anonymous Indonesia and misguided lobbying by Australian business.
