Story on PM about personal data sold to scammers

July 1, 2014

Data leakage and identity theft are constant and ubiquitous problems. Under Privacy Principle 11 of the Privacy Act an organisation or agency has obligations to maintain data security. That deals with hacking or other unauthorised access, use and disclosure of personal information. For a recent example see “Cybersecurity expert says little risk from Butler data breach”, which, despite the headlines, reports on hackers accessing records of 163,000 individuals who were students, employees, applicants and alumni of Butler University, Indianapolis, United States.

The other side of the problem is the inadvertent release of information by individuals through phishing, spear phishing and other scams designed to obtain personal information and use it to defraud, blackmail or extort individuals. The latter situation is highlighted in “Personal data sold to scammers on black market”.

The ABC report highlights not only the emotional distress associated with sensitive personal information being used against an individual but also the reputational damage done to agencies, in this case the Australian Taxation Office, whose name was used in vain by the scammers. Interestingly, the story highlights that last week, 24 June, the Auditor General found that seven government agencies are vulnerable to cyber attacks. Compliance in the private sector is anecdotally quite patchy. Ineffective regulation in the past has led to a culture of complacency. Until the Privacy Commissioner exercises his newfound regulatory muscles the culture is unlikely to change. That doesn’t mean perp walks of malefactors on the six o’clock news. But it does mean more profile than gentle scolding in the boardroom and extracting promises to do better next time. As ASIC has learned from the criticism it has taken for its lax dealings with the CBA, having a “take their word for it”, co-operative, softly-softly approach to maintaining standards can result in massive reputational damage for the regulator and non-compliance by industry. As the FTC in the UK and the ICO in the UK demonstrate, privacy regulation has to be seen to be effective to send the correct signal to that part of the market that only responds to the potential threat of action before complying. That has not been the history of privacy regulation in Australia if a long view is taken.

The story provides:

MARK COLVIN: Scammers posing as Australian Tax Office employees are using personal data to extort money from hundreds of victims across the country.

Police say the personal details of Australians are being hacked and sold on a black market to scammers overseas.

The Tax Office is urging people to be wary.

AMY BAINBRIDGE: When Perth mother Sudeshna Majumdar answered the phone last week she quickly became worried when the man on the other end of the line knew a lot of her personal information.

SUDESHNA MAJUMDAR: My address, my phone number – this phone number, my Tax File Number.

AMY BAINBRIDGE: The scammers said they were from the Tax Office. He also knew about a tax lodgement issue she’d resolved some months ago.

SUDESHNA MAJUMDAR: He told me if you don’t pay the money at the moment, the police will come to your house because warrant is already issued in your name. That time I was really scared.

AMY BAINBRIDGE: She was told to load money on to a Pay and Go card at the post office. Mrs Majumdar paid $628 to the scammers.

Her daughter Soolag-na is furious and has complained to authorities.

SOOLAG-NA MAJUMDAR: Information that was supposed to be private with her and the ATO (Australian Taxation Office) was being used in a really threatening conversation, she was scared, she felt vulnerable and she felt like she really had to get out of the situation as soon as possible, that’s what compelled her to pay $628 within that period.

AMY BAINBRIDGE: Mrs Majumdar is among thousands of Australians whose personal information is falling into the wrong hands.

Detective Superintendent Brian Hay is from the Queensland Police Fraud and Cybercrime Unit.

BRIAN HAY: There’s more Australian data in the dark markets of the internet and there’s more Australian identity data out there that allows these crooks to target people.

AMY BAINBRIDGE: He says Australians are being targeted by thousands of phishing emails.

They’re emails that look to be from a trustworthy source but then direct you to a fake website and trick you into updating your personal information.

Detective Superintendent Hay says the practice started in 2003 and global data shows phishing attacks were up 24 per cent for the month of April to more than 52,000.

BRIAN HAY: The crooks over these years for the last 11 years have harvested this information significantly, we know that they’ve put them into, if you like big data – databases, they’ve written big search engine scripts to pull pieces of the puzzle together, so they may have had your name come up in 14 different forays into compromised data, but they’ve used that to pull it together and they now have a complete profile of you, sometimes including your tax file number. That then provides a wonderful basis from which to even to take over your identity.

AMY BAINBRIDGE: More than 300 people have reported the ATO scam to the Australian Competition and Consumer Commission (ACCC) since the start of this year.

ACCC Deputy Chair Delia Rickard is expecting scammers to ramp up activity as tax time approaches.

DELIA RICKARD: They’ll take a topical issue of the day, it could be carbon, it could be tax, it could be a whole range of things and they will build a scam around it, so it’s not so much the topic of the scam but the sign posts of it, being asked to pay money to get money that you’re told is yours, that is a classic sign of a scam.

AMY BAINBRIDGE: Last week, an Auditor-General’s report found seven government agencies, including the Tax Office, are vulnerable to cyber attacks.

It found agency processes and practices have not been sufficiently responsive to the ever-present and ever-changing risks that government systems are exposed to.

In a warning to consumers, the ATO says anyone concerned about providing personal information over the phone, should ask for the caller’s name and phone them back through the tax office switchboard.

An ATO spokeswoman has told PM databases are secure.

MARK COLVIN: Consumer Affairs reporter Amy Bainbridge.
