The personal data you entrust to companies is at greater risk than you realise; and for businesses in today’s hi-tech world, it’s not a question of if this information will be breached, but when.
That’s the view of UK technology expert Guy Bunker, who says recent cyber attacks overseas should serve as a wake-up call for Australia.
Personal information of up to 750,000 Japan Airlines (JAL) customers was leaked last week due to a cyber attack. This followed the celebrity nude photo leak from earlier this month, where explicit photos showing more than 100 female stars, including Jennifer Lawrence, hit the internet.
The head of Australia’s corporate regulator has also warned that Australian businesses are not taking the risk of cyber crime seriously enough. In March, Australian Securities and Investments Commission chairman Greg Medcraft said each attack in Australia cost $2 million and that cyber crime had the potential to be the next “black swan event”.
Dr Bunker, the chief technology officer of information security company Clearswift, believes Australia is behind the rest of the world in protecting customers’ sensitive information — and says data breaches are much more common than what is disclosed.
Australia is five to 10 years behind the US and UK in protecting customer data.
“In the UK, America and Europe, we’ve been hardened,” Dr Bunker said. “In general, organisations are better prepared through a huge number of small attacks.”
Australian customers are more vulnerable because we lack specific laws to protect privacy. The Australian Law Reform Commission has recommended that it be mandatory for companies to notify affected individuals in the event of a data breach, but there is no legal obligation to do so.
“Australia is behind the curve, not least because of privacy laws. Those laws drive the adoption of security. The threat is no greater (in Australia), but because of the lack of privacy laws, you are more vulnerable,” Dr Bunker said.
It’s not clear if bank account or credit card information was compromised in the JAL attack, but Dr Bunker said hackers getting a hold of other customer details could be just as dangerous.
“They weren’t able to siphon off credit card information but that’s almost by the by because the cyber criminals are after other information: names, addresses, email addresses, birthdays — enough stuff to create a perfectly tailored phishing email,” Dr Bunker said.
Instead of seeking bank details directly, which are often better protected, hackers can use the other information companies have to create an email masquerading as a trustworthy business and entice the customer to enter their credit card number with an attractive offer.
“They know where you live, they know everything about you, so they create an email that says ‘You get a special discount if you book through this website’ and, bang, they’ve got your credit card number,” Dr Bunker said.
Companies also store information that commonly forms the answers to questions required when resetting online banking passwords, such as birth dates and maiden names, which is also highly valuable to fraudsters.
“That’s where the real threat comes from,” Dr Bunker said.
In Australia, employees are most likely to be the source of data security breaches, with Clearswift research showing they are the culprits in 44 per cent of cases.
Twenty per cent of Australian organisations claim ex-employees are a source and 21 per cent blame customers, partners or suppliers.
And Dr Bunker has some frank advice for Australian companies on the need for cyber crime vigilance.
“First thing is, it’s not about if you are going to be breached, but when. And it’s often not if or when it’s happened, but when you find out — because it’s happening right now,” he said.
“It doesn’t matter how big or small you are, your data is of use to someone.”
He said companies’ reputations could be protected if they put in place proper safeguards, such as data-loss prevention systems, which allow sensitive data to be removed before the information leaves the organisation. If JAL had a system like this in place, the incident wouldn’t have occurred.
“If you’ve got a malicious insider, or ‘the enemy within’, you need systems in place that watch for information being used and abused, and travelling outside the organisation.”
He said breaches could also occur inadvertently, through holes in company systems. Common mistakes can be workers printing out sensitive customer information, burning data on unencrypted CDs or not being careful enough with the details contained in emails.
“That inadvertent stuff happens a lot. It’s not just cyber attacks. JAL is a good wake-up call that those systems need to be checked out so the processes around them are secure and protected,” Dr Bunker said.
“Ask the people at the sharp end, do they know of any practices that might put information at risk?”
He said customers needed to be equally aware of the risks. The general public could learn from the celebrity nude photo hacking scandal, because it’s not just the picture itself that can be valuable, but the metadata contained in the image.
“In this particular case, it’s not about the obvious; it’s the other data. With the celebrity selfies, it’s really embarrassing to have a photo of you naked, of course, but the metadata tells you exactly where the picture was taken and this can be just as dangerous, in the hands of the wrong people, such as a stalker.
“The first thing is to acknowledge that using the net can be secure but it can also be very insecure.
“This has to be taken seriously, because actually your info is of incredibly good use to the cyber attacker.”