In September last year, news broke of the Optus data hack. The personal data of up to 10 million current and previous customers of the telco had been compromised. One month later, we learned Medibank had suffered a similar fate, with the personal data of approximately 9.7 million customers breached. Woolworths and Energy Australia also announced data breaches.
Today we have learned that Latitude Financial has experienced a data breach. At this stage, it is being suggested that 328,000 customer records have been stolen. Latitude says that it is continuing to respond to what it describes as a malicious and sophisticated cyber attack and has removed access to some customer-facing and internal systems. The attacker was able to obtain Latitude employee login credentials and used them to steal personal information held by two of its service providers.
These hacking events are a blunt reminder of the very real risk to our personal data, our privacy and our ability to control what companies (and individuals) know of our identity. If you weren’t caught up in the Optus or Medibank hacks and are fortunate enough to not be a customer of Latitude Financial, there’s still cause for concern, as it’s unfortunately very likely there will soon be another similar incident that may well impact your privacy.
7 minutes. That’s how often the Australian Cyber Security Centre (ACSC) receives a report of another cybercrime attack. And that’s only the events that are reported. Many more occur and go unreported. What we do know is that the chronic underinvestment in cybersecurity has become an acute threat to Australians and Australian businesses.
Surprisingly, this isn’t a new threat. While executive teams may only more recently be taking notice of the importance of cybersecurity, this is a space that’s been around a long time, and there’s plenty of solid knowledge on what the threats are and how to defend against them, along with what to do when defenses fail.
The Right To Be Forgotten
The Optus, Medibank and Latitude Financial data breaches give rise to the question: why are so many businesses holding on to, and at times selling, consumer personal data long after it was first required, with no mechanism in place to permanently delete or forget this information? For too long this practice has gone unchecked, and consumers are now paying for it.
Although the right to be forgotten is beginning to be enshrined in law around the world, technical leaders should not wait for legislation: systems should be built to automatically unlearn and forget data at defined trigger points. Typical triggers are the expiry of a retention period after the data was collected, or the consumer dropping the particular service for which that data was originally collected, at which point the data can be deleted.
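As an added illustration of the trigger-based forgetting described above (example code written for this page, not from the article or from any named company), the following Python check flags personal data whose retention period has elapsed, whose originating service the customer has dropped, or which has no documented retention policy at all. Field names, service names and retention periods are assumptions.

```python
# Added example, not from the article: a retention check that flags personal
# data a system should forget once one of the two triggers the text describes
# fires: the retention period has elapsed, or the customer has dropped the
# service the data was collected for. Field names and policy are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class DataItem:
    field_name: str    # e.g. "drivers_licence"
    service: str       # the service this item was collected for
    collected_on: date

@dataclass
class Customer:
    customer_id: str
    active_services: set
    items: list = field(default_factory=list)

# Hypothetical retention policy: longest time an item may be kept, per service.
RETENTION = {
    "credit_account": timedelta(days=365 * 7),
    "insurance_quote": timedelta(days=90),
}

def items_to_forget(customer: Customer, today: date) -> list:
    """Return field names whose deletion trigger has fired, in record order."""
    forget = []
    for item in customer.items:
        limit = RETENTION.get(item.service)
        # No documented retention policy: the data should not be held at all.
        expired = limit is None or today - item.collected_on > limit
        service_dropped = item.service not in customer.active_services
        if expired or service_dropped:
            forget.append(item.field_name)
    return forget

def sample_customer() -> Customer:
    """Constructed sample record (not real data)."""
    return Customer("C-0001", {"credit_account"}, [
        DataItem("drivers_licence", "credit_account", date(2023, 1, 10)),   # keep
        DataItem("passport", "credit_account", date(2015, 1, 1)),           # expired
        DataItem("income_statement", "insurance_quote", date(2023, 2, 1)),  # dropped
        DataItem("medicare_number", "marketing", date(2023, 3, 1)),         # no policy
    ])

def demo() -> list:
    """Run the check against the constructed record on a fixed date."""
    return items_to_forget(sample_customer(), date(2023, 3, 16))

if __name__ == "__main__":
    print(demo())
```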
An Overview of Cyber Security Threats
There are myriad ways to classify cyber security threats, but let’s stick to 3 key categories.
Can a Successful Cyber Attack be Prevented?
Data is at the centre of this prevention process. Destroy the data that’s not absolutely required for the operation of the business, and only collect what is absolutely necessary.
It goes without saying that businesses must establish, deploy and very effectively maintain exceptionally strong cyber defences around all data-based assets and around any devices, technology or infrastructure that can be used to access those data assets. Once these defences have been deployed, every business must then perform constant cycles of actively looking for vulnerabilities in them and actively closing those it finds.
How Much Does it Cost to Prevent a Cyber Attack?
Yes, cyber defence costs money. But recovering from a cyber attack costs more. The average cost of a data breach in Australia is $3.35 million per breach, an increase of 9.8% year on year. This average figure will increase next year as the Australian Federal Government introduces tougher data breach penalties in response to the devastation of the Optus and Medibank breaches. This legislation plans to increase the penalty for serious or repeated data privacy breaches to $50 million, or 30% of a company’s adjusted turnover in the relevant period, whichever is greater – a significant increase from the former penalty amount of $2.22 million.
Most businesses underinvest in cyber security and attack prevention. Keep in mind that the entire process comprises defending against attacks; monitoring your defences and systems for any signs of weakness and fixing them; monitoring for signs of an attack; and, finally, investing in the systems, processes and resources that allow you to react swiftly to an attack.
There’s no one-size-fits-all answer to what budget is required for cyber security. You need to look at the individual circumstances and make an informed decision. How sensitive is the data? How large is the data set? Are there legacy systems to consider? How much of the data is at rest, and how much of it is in transit? Do you have partner businesses that present a risk to your customer data? The list goes on.
Cyber security is an existential issue, and if a business cannot afford to defend its data against cyber threats, then that business should not be collecting or storing data in the first place.
A wise general rule would be for businesses to collect and (critically) store only the information they absolutely require from their customers in order to operate. Doing so, alongside robust defence systems, monitoring and a capable response to an attack, will dramatically limit the impact of a breach on both the business and its customers.