ABC reports Australian executives wary of announcing cyber attacks… hardly news. Vinomofo sends out a notice about a data breach… that is a welcome and new development
October 17, 2022 |
When writing on privacy and cyber security issues I often feel like Cassandra, highlighting problems that are ignored. Until now. The ABC’s story Most Australian executives wary of announcing cyber attacks and online strategies amid increased demand for transparency is hardly news. Businesses not wanting to disclose data breaches. Quelle surprise!
I have been writing on the poor culture of non-compliance and secrecy relating to data breaches for years. Non-compliance and an attitude of impunity do not develop and exist in a vacuum. They develop when there is an ineffective, complicated and confusing legislative regime and very timid regulation. The practical net result has been a marked aversion to reporting data breaches, a habit of covering them up and generally doing as little as possible to comply with the Privacy Act. And why not, when governments have, until recently, shown little interest in privacy enforcement and the penalty for non-compliance is almost non-existent in practical terms? In that sense the ABC article has something of a “been there, done that” quality to it. But it is worth highlighting the situation in the national press. Hopefully it will act as the “before shot” which will be compared to the “after shot” when the new legislation comes into effect and proper regulation commences.
While it will take some time for the culture to change, and there will be a lot of backsliding, there is clearly a changed atmosphere. The Optus data breach has highlighted what poor cyber security can mean for ordinary people: stress, annoyance and the cost in time and money of avoiding identity theft.
The comparison between enforcement in Australia and other developed economies is stark. For example, in the United States Zoetop, the owner of the retailer Shein, has been fined $1.9 million for covering up a data breach. The breach occurred in 2018 when the login details of 39 million accounts were stolen. Most of the customers were not advised of the breach and Zoetop lied about its extent. Given the vagueness of the data breach notification provisions in the Privacy Act, a company here wouldn’t need to cover up a breach. It would simply say that, after considering the factors, there was no serious harm resulting from the breach. In any event the Commissioner has thus far proven to be a reluctant enforcer.
As a sign that things may be slowly changing for the better I received a notice from Vinomofo about a cyber attack on its site. Interestingly it has been at least 3 years since I bought anything through Vinomofo. Why am I still in its system?
The notice stated:
Hi Peter,
I am writing to provide you with some important information about a recent cyber security incident at Vinomofo.
Vinomofo experienced a cyber security incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website.
We immediately engaged leading cyber security and forensic specialists (including IDCARE, Australia’s national identity and cyber support service) to investigate the claim and took steps to further secure our IT environment and strengthen our systems.
We also reported the matter to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).
Our investigation established that customers’ and members’ information on our database on this testing platform was unlawfully accessed by a third party. However, our cyber security and forensic specialists have assessed that the risk to our customers and members by this information being accessed is low.
Vinomofo does not hold identity or financial data such as passports, drivers’ licences or credit cards/bank details.
While no passwords, identity documents or financial information were accessed, the database includes other information about customers and members.
The information about you that was contained in the database that may have been accessed may include name, gender, date of birth, address, email address and phone number.
Working with our IT experts, we have taken steps to further bolster the security of our technology systems to help prevent any similar incidents happening again.
We are contacting you directly so you can take simple, precautionary steps to protect your information and avoid any potential scams.
We advise that you remain alert to any increased scam activity – especially email, SMS or telephone phishing scams – with fraudulent communications disguised to look like they come from an organisation you trust.
We recommend that you:
- Remember that good organisations do not contact you and ask you to “prove” who you are. If someone calls you unexpectedly claiming to be from an organisation, consider hanging up and calling them back on a known and trusted number.
- Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media. Protect yourself from scams. Never click on any links that look suspicious and never provide your passwords, or any personal or financial information. It is good practice to have up-to-date anti-virus software installed on any device you use to access your emails. Scamwatch also provides helpful guidance on how to spot a scam.
- Consider changing your email account passwords. Make sure you use strong passwords that you do not use for other accounts. Enabling multi-factor authentication is a good idea where possible.
While your Vinomofo account password is still safe to use, it’s a good idea to regularly change your password. You may wish to update your password as a precautionary measure.
You can find further information about online safety, cyber security and helpful tips to protect yourself at the Australian Cyber Security Centre or the ACCC’s Scamwatch website.
If you have any outstanding concerns, we have partnered with IDCARE to provide specialist case management support. IDCARE’s services are at no cost to you. Their expert case managers can be booked online at a time that suits you during business hours (9am to 6pm AEDT). If you wish to engage IDCARE, please complete a Get Help form for individuals at idcare.org or contact 1800 595 160, quoting reference VMF22.
We take the privacy and the protection of customer information very seriously and I apologise for any concern or inconvenience the incident has caused.
It is a reasonable letter, by Australian standards, advising of the data breach. By comparison with letters sent in the USA it is middle of the pack, if that. It would pass as a reasonable first draft in jurisdictions where mandatory data breach notification has been the norm for some time.
The positives of the letter are that it provides some detail of what happened (though it could have said more), explains what was exposed and what was not, and sets out steps that might be taken to avoid scams. It also partnered with IDCARE.
The negatives are that it is vague about when the breach occurred, or at least when it was discovered, and it does not offer a credit check, probably because Vinomofo would argue that it does not hold financial data. That restrained approach can be a false economy if customers become the victims of fraud through identity theft. Nor does it explain why a testing platform held live customer records in the first place, which is the question anyone with a security background will ask on reading it. The letter could do with an edit. It is repetitive and somewhat verbose. In the United States statements tend to get to the point much quicker and offer more comprehensive support at the earliest opportunity. There are exceptions of course. As these notices become more common they will become more effective in providing information in as clear and precise a manner as possible.
Vinomofo has set up a FAQ. As with the letter it is not bad, but it could be a lot better. It is vague where it should be precise and, in parts, vague to the point of meaninglessness. But it is better than the dreadful job Optus did and it generally covers the key issues.
It provides:
1. What has happened?
Recently, Vinomofo experienced a cyber security incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website.
We immediately engaged leading cyber security and forensic specialists (including IDCARE, Australia’s national identity and cyber support service) to investigate the claim and took steps to further secure our IT environment and strengthen our systems.
2. What information has been accessed?
Vinomofo does not hold identity or financial data such as passports, drivers’ licences or credit cards/bank details.
While the investigation established no passwords, identity documents or financial information were accessed, the database includes other information about customers and members.
The information about you that was contained in the database that may have been accessed, could include name, gender, date of birth, address, email address and phone number.
However, our cyber security and forensic specialists have assessed that the risk to our customers by this information being accessed is low.
3. Have authorities been notified?
Yes, the matter has been reported to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC). The ACSC has reported the matter to law enforcement bodies.
4. Who is included in the incident?
In the interests of the privacy of our customers and partners, and to reduce the risk of attempts by scammers to target them, we are not publicly releasing the total number of customers included in the incident.
5. When will I hear from Vinomofo?
Customers we have identified as being included in the incident will be contacted directly by Vinomofo in writing via email with further information and guidance on the precautionary steps that they can take to protect their information and privacy.
6. Has my information been published online?
This forms part of our investigation. We are contacting you now so that you can take precautionary steps to avoid any potential scams.
7. Why did Vinomofo have my details in the first place?
Vinomofo has records of people who have purchased product through the Vinomofo website. The types of personal information that Vinomofo collects, and how we collect, handle and use that information, is documented within our Privacy Policy.
8. Can I request that Vinomofo delete my information from its database?
Yes. Our Mofos have always been able to request this. Any customer can request that we delete the personal information we hold about them at any time, and we will take reasonable steps to delete their personal information from our current records. If you would like your information removed, please contact privacy@vinomofo.com.
9. What should I do to protect myself?
We advise that you remain alert to any increased scam activity – especially email, SMS or telephone phishing scams – with fraudulent communications disguised to look like they come from an organisation you trust.
We recommend that you:
– Remember that good organisations do not contact you and ask you to “prove” who you are. If someone calls you unexpectedly claiming to be from an organisation, consider hanging up and calling them back on a known and trusted number.
– Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media. Protect yourself from scams. Never click on any links that look suspicious and never provide your passwords, or any personal or financial information. It is good practice to have up-to-date anti-virus software installed on any device you use to access your emails. Scamwatch also provides helpful guidance on how to spot a scam.
– Consider changing your email account passwords. Make sure you use strong passwords that you do not use for other accounts. Enabling multi-factor authentication is a good idea where possible.
While your Vinomofo account password is still safe to use, it’s a good idea to regularly change your password. You may wish to update your password as a precautionary measure.
You can find further information about online safety, cyber security and helpful tips to protect yourself at the Australian Cyber Security Centre or the ACCC’s Scamwatch website.
10. Do I need to update my passwords on my Vinomofo account?
While your Vinomofo account password is still safe to use, it’s a good idea to update your password as a precautionary measure.
11. Do I need to replace my driver licence or passport as a precaution?
No.
12. Do I have to get a new Medicare card?
No.
13. I’ve had a scam call/s or unsolicited emails etc, is this linked to the Vinomofo incident?
We are not currently aware of any customers having suffered harm, but we encourage you to have heightened awareness across your accounts.
We advise that you remain alert to any increased scam activity – especially email, SMS or telephone phishing scams – with fraudulent communications disguised to look like they come from an organisation you trust.
14. What is the relationship between VinoDirect and Vinomofo?
VinoDirect is Vinomofo’s direct-to-consumer service.
15. Vinomofo is an online company. Is it only Australian customers included in the incident?
Yes. Overseas customers are NOT included in the incident. (Singapore customers and previous New Zealand customers are NOT included in the incident).
16. Where can I find more information?
If you have any questions, please contact privacy@vinomofo.com.
The ABC article provides:
Australian executives remain wary about publicly disclosing cyber attacks and cyber strategies, despite growing demands for transparency.
A new survey suggests 90 per cent of Australian executives are still concerned publicly sharing information about cyber attacks on their businesses could hurt their bottom line and lead to a loss in advantage over their competitors.
Shareholders, regulators and politicians are increasingly demanding Australian companies be much more open about how they are protecting themselves from attacks and crucially securing the data of their customers.
These pressures have only grown in the weeks since the details of the massive hack on Optus was made public.
But the survey, carried out by PwC, suggests executives in Australia remain slightly more worried than their global counterparts about the downsides of publicly detailing attacks, incidents and their broad strategies.
“It’s a really tricky topic for many organisations to get their heads around,” said Rob Di Pietro from PwC.
“Some sectors are doing this well [sharing information with similar companies] but some are just starting out on that journey.”
Operators of critical assets in sectors like broadcasting, banking, food, transport, fuel, communications and utilities are required to report to authorities when they are under attack.
Data is increasingly valuable to companies and criminals, and so, high-profile attacks are expected to become more common.
But the survey suggests about 81 per cent of executives feel mandatory reporting could discourage some companies from getting in touch with law enforcement.
It also indicates Australian organisations are more reactive to cyber incidents than their global counterparts, with more companies invoking plans after an incident has occurred, rather than anticipating attacks in advance.
“What that suggests to me is there is a still a way to go for us to realise the value of sharing threat information,” said Mr Di Pietro.
“If one organisation gets hit and they can quickly share that information with others, it prevents them from also being impacted.”
The Australian Cyber Security Centre warns attacks are increasing in frequency, scale and sophistication and says cooperation will make the country stronger.
“Sharing cyber threat intelligence and reporting all cyber security incidents … are key to building a truly national threat picture,” a spokesperson said.
“It’s only through closer collaboration and sharing of cyber threat intelligence that we can better prepare for the cyber threats all Australians face.”
Most companies boosting cyber budgets
The PwC survey was carried out before the Optus hack but cyber security was still front of mind for executives.
It was in the top five scenarios included in “organisational resilience plans”, only coming after concerns about a global recession and supply chain bottlenecks.
Australian companies were most worried about being targeted by criminal organisations but also had concerns about hacktivist groups, disgruntled insiders and some competitors.
Sixty per cent of organisations surveyed said they were planning to increase their cyber budget in 2023.
“We are in a digital age where these events are going to happen,” Mr Di Pietro said.
“What we’ve learned from recent high-profile events is it’s how you respond that actually dictates how you maintain your trust.”
The Optus hack has caused more boards and companies to review their cyber security measures, something which has been broadly welcomed in Canberra.
MPs and senators involved in security committees in the federal parliament have been warning of the growing threat for some time.
“It is not an optional extra to be investing in and preparing for and protecting against cyber-attacks,” said the shadow minister for cyber security, James Paterson.
“No one is immune. Everyone is going to be a victim of it one day.
“The only difference is some companies will be better prepared and better protected and some companies will be less protected.”