All these articles about the need for proper data security and poor privacy regulation have been said and said again…by me… for years. The coverage is belatedly welcome but does not bode well for serious reform

March 29, 2023 |

In Greek mythology Cassandra was a Trojan priestess who was fated by Apollo to utter true prophecies which were never believed. When writing on privacy and data security matters on this page over the past 15 years I feel like Cassandra. Raising concerns about poor privacy legislation, ineffective regulation, a lack of proper data security, no training and no risk management have raised not even a shrug. But last year all of a sudden journalists and politicians have talked and written about privacy and data security as it appeared with the Christmas Amazon delivery. That has produced some truly trite pieces, such as the Australian’s Hack attack on all business ‘inevitable’, says Michael Sentonas. The article could have been written almost a decade ago with almost no changes. But journalists weren’t interested and companies would prefer to deal with the cyber attacks quietly, the Privacy Commissioner was out to lunh and governments had no interest in improving regulation. It is just that now that with 3 massive data breaches the issue cannot be avoided and this revelatory piece finds its way into a National paper.

It provides:

Australian businesses are being urged to immediately improve their cyber security defences as a cyber expert warned that it was “inevitable’’ every business would be attacked by wannabe hackers.

The Australian Cyber Security Centre revealed cyber criminals were pouncing “within minutes’’ of vulnerabilities being discovered, and company boards needed to understood their “crucial role’’ in ensuring companies invested appropriately to make their networks resilient to attacks.

With some Australians now having had sensitive data stolen three times – as customers of Medibank, Optus and Latitude – the ACSC urged companies to ensure cyber security was a core part of each business’s strategic planning and risk management.

“Companies need to lift their focus and ensure they protect not only their business but the trust of customers,’’ a spokesperson said.

The comments come after another big Australian company, the Harry Triguboff-founded Meriton, revealed it had been hacked.

Michael Sentonas, president of the global cyber security company CrowdStrike, said every company would be targeted by cyber criminals, and each must take steps to ensure those attacks were not ­successful.

Asked whether attacks on companies were inevitable, Mr Sentonas said “absolutely’’, and businesses needed to prepare accordingly. He said the apparently faster tempo of cyber attacks in Australia in recent months was “business as usual’’ but there were several dynamics at play.

“You’ve got a strong economy, you’ve got seemingly easy targets so there are a lot of people who are targeting Australian companies for financial benefit,’’ he said.

“And geo-politically, we have neighbours to our north who don’t necessarily agree with our government’s policies and the positions (it’s) taking.

There are no major instances reported where people have been the subject of fraud as a result of having identification documents stolen, and in some cases posted online. Few, if any, personal medical records stolen from Medibank made their way into mainstream social media.

Mr Sentonas said that did not mean the danger was over, and such hacks “had a long tail.’’

“Definitely could happen …. it will get used down the track,’’ he said. “It doesn’t happen necessarily immediately but here’s the thing: no one is going to go to that much effort and not use the data.

“They’re not going to dump the data and someone else isn’t going to be opportunistic in using it.

“The reality is also that sometimes it’s better for the adversary not to use it straight away because people are on heightened alert.

“So you wait … before you deal with that data or leverage that data maliciously.’’

Mr Sentonas would not discuss any individual company’s cyber situation. According to an online case study, CrowdStrike works with Latitude, but the company declined to comment on who its clients were.

Meanwhile, the Tasmanian government confirmed it was investigating claims it had been hacked by Russian cyber gang Cl0P. “The government is aware of these reports and they are being investigated,’’ a spokesman said.

Crown Resorts continues to investigate what data was accessed by Cl0P, although it has ruled out customer records, while the University of Melbourne has determined the group accessed nothing more than cost codes.

Home Affairs Minister Clare O’Neil said the threat of cyber crime was “relentless’’ but most cyber attacks could be prevented.

“We share the frustration of millions of Australia who have been involved in recent cyber incidents,’’ she said.

“Businesses and organisations across the country must work with government agencies to harden their defences.”

There is nothing wrong with what is in the article but that has been said for years. The problem is the willingness of governments to give the law proper teeth, have a strong and forceful regulator and be prepared to take action.  So far none of that has happened.  This year will tell whether the government will properly amend the Privacy Act. 

A second piece ponders in the most basic and general way that data laws are ineffective. The SBS piece The Latitude hack exposed personal details of millions. Are our data laws too lax? doesn’t even come close to analysing the law and where the problems lie.

The SBS article provides:

Latitude Financial says that 7.9 million Australian and New Zealand drivers licence numbers were stolen in a hack earlier in March, a number far higher than initially estimated.

The non-bank lender, which offers loans, insurance and credit cards, said an additional 6.1 million records, including names, addresses, telephone numbers and dates of birth that were provided to the company dating back to “at least 2005” were also stolen in the cyber attack
 
The hack has highlighted some of the vulnerabilities in Australian data privacy laws, which have limited ability to protect consumer data, experts say.

 
A similar hack could happen again partly because the punishments for companies are not strong enough, Swinburne University lecturer on data privacy Belinda Barnet said.

“It could definitely be better regulated, with heavier fines for companies. It’s small change for a large company that has breached the privacy of millions of people and if you have a strong deterrent, then it’s an incentive for companies to protect the data,” Dr Barnet said.

“There should be regulation, so that the onus is on the company to have the strongest protections they can possibly afford for consumers’ private data. The onus shouldn’t be on customers to protect their own data and clean up the mess after a hack.”
 
Latitude Financial’s revelation comes after a series of high-profile cyber attacks in Australia over the past 12 months targeting large companies, including Optus and Medibank

In September, hackers stole data from telco Optus including the user names, dates of birth, phone numbers, email addresses, drivers licence numbers, passport numbers or addresses of
And following a large-scale attack on Medibank in October, which involved hackers publishing health records and private details of more than 40 per cent of the population, the federal government said it would ” hunt down the scumbags ” and set up a new policing model involving 100 officers.

Latitude Financial disclosed on 16 March that it had detected a “sophisticated and malicious cyber-attack” on its systems a few days earlier, but at the time thought it involved hundreds of thousands of customer records, not millions.

The company has agreements with retailers including JB Hi-Fi, The Good Guys and Harvey Norman

Skeeve is a convicted hacker. Here’s what he thinks Australia lacks in cyber security

Some 53,000 passport numbers were stolen and fewer than 100 customers had a monthly financial statement stolen, the company told the ASX.

“We are writing to all customers, past customers and applicants whose information was compromised outlining details of the information stolen and our plans for remediation,” the firm said.

Latitude will reimburse customers if they choose to replace their identity document, the company said.

How has the government responded?

Cyber Security Minister Clare O’Neil on Monday said the Latitude hack was “deeply concerning”.

Ms O’Neil acknowledged that cyber attacks are “a growing threat and will become a more routine part of our lives for years to come.”

“On 16 March the Federal Government convened the National Coordination Mechanism to bring together agencies across the Commonwealth, states and territories to ensure that all possible support is being provided to Latitude Financial and all those customers whose personal information has been stolen,” she said.
 
The federal government is working with states and territories to mitigate the impacts of licences being compromised, she said.

How safe is our data?

It’s a problem that nobody knows how safe their data is, according to Australian Privacy Foundation board member Jodie Siganto.

“We rely on organisations and government agencies to keep data safe but we have very little information about how they do it,” Dr Siganto said.

“There’s no base level cybersecurity system that is regulated and rolled out for companies. So if that was introduced it could give people some comfort to the ways that Australian organisations look after the data that they hold.”

Dr Siganto said some of the high-profile hacks we’ve seen “are not very sophisticated and could definitely happen again”.

“They’re due to internal failures of proper control,” she said.

“I don’t think the companies that got hacked are that much worse with data than many other companies.”

A cybercrime is reported every seven minutes in Australia. How can we protect ourselves?

Attorney-General Mark Dreyfus has committed to modernising the Privacy Act and has said he is considering the right for individuals to sue following data breaches, which does not currently exist in Australian law.

Last year legislation was introduced to increase penalties for serious or repeated data breaches from $2.2 million to whatever is the highest of the following options: $50 million, three times the value of any benefit obtained through the misuse of information, or 30 per cent of a company’s adjusted turnover in the relevant period.

Digital Rights Watch executive director James Clark said the Privacy Act needs to afford individuals much stronger protections.

“One of the best defences that we have against other breaches is to not collect unnecessary data to begin with,” he said.

“We really need a Privacy Act that makes it really clear that data minimisation and not collecting this information to begin with is the preference.

There are “some serious questions here that people should be asking about why Latitude kept all of that data”, Mr Clark said.

“Once you’ve identified someone do you really need to keep a copy of that record? Why does it need to be kept for over a decade?”

Leave a Reply





Verified by MonsterInsights