It seems no Australian business is immune to cyber-attack, including the Reserve Bank of Australia which it was recently revealed has been hacked. A prominent cyber security specialist says cover ups happen all the time and that we must push for mandatory data breach notification laws to protect against the threat of identity theft and subsequent credit fraud. We look at the reality of these cyber-attacks, and the position SME’s find themselves in moving forward in issues of privacy.
By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.
How real is the threat of a major cyber-attack leading to mass money loss and credit fraud, or even cyber terrorism on our shores? As a recent story in the Australian Financial Review titled Attacks ‘highlight need for data breach notification law’ reveals, pretty real and it seems our lack of mandatory data breach notification laws is not only down-playing the threats Australians face, but could be helping these criminals.
“Not a day goes by when someone is not attempting to hack into any of the banks around Australia.”
This was a statement made by the outgoing technology chief of the National Australia Bank, Gavin Slater at a recent talk to investors.
He also revealed that just a few weeks ago:
“11 United States banks were targeted by terrorist organisations in response to something that happened in the Middle East.”
So if our banks are constant targets, why aren’t we informed?
It was recently uncovered that the Reserve Bank of Australia’s systems had been compromised by China-based hackers. In response, technology security experts, including the former head of investigations at the Federal Police’s Australian High Tech Crime Centre, Nigel Phair called for the passing of long planned mandatory data breach notification laws.
Mr Phair, who is now Director of the Centre for Internet Safety at the University of Canberra says the breach highlights the need for these laws to be passed.
“The RBA story was hugely important, because the attack happened some time ago, and we only found out about it because of a freedom of information request,” Mr Phair said.
“We desperately need data breach legislation; we are quite behind in global terms on that, to force businesses to disclose when sensitive data is breached. I don’t know what is holding it up, and I would like to think it is achievable. It will help other government agencies and businesses, to be aware that it is not just them being targeted, that the threats are pretty wide ranging,” he told the Fin Review.
Mr Phair said many businesses wanted to avoid bad publicity and that it was understandable they would try to keep news of the loss of any intellectual property and customer details quiet. He said for listed companies, the fear that investors would be spooked was a big factor. But he said the current code of silence was only making it easier for cyber criminals.
The Fin Review revealed these statistics on data breaches:
KPMG estimates that 75 per cent of the 1000 largest Australian companies have had a material data breach, reported to cost Australian companies an estimated $2.16 million per company per year, according to a 2011 study by the Ponemon Institute. The Australian Bankers Association has defended the strength of IT security processes in Australia’s banking system.
ABA chief executive Steven Münchenberg recently told The Australian Financial Review that there were no reports of similar attacks on other local banks, and that effective processes were already in place to co-ordinate fraud investigations with federal and state police.
“The Australian Bankers Association is not aware of any successful hacking attempts on Australian banks,” Mr Münchenberg said. “Banks have systems in place to protect customer information and accounts – such as employee training, employee accountability, strict privacy policies, rigorous security standards, encryption and fraud detection software.”
“The nature of these discussions needs to remain confidential as any details may be misused by criminals,” Mr Münchenberg said.
But Mr Phair elaborates in the Fin Review how easily cyber-attacks play out in business situations:
Mr Phair warned that a significant number of Australian businesses and government agencies were ill-prepared for the kind of social engineering attacks which penetrated the RBA. In the attack it just required internal staff to be tricked into clicking on a fake email purporting to be from management.
“Lots of organisations like the RBA have great perimeter and other security mechanisms in place, but this was basically just a phishing, social engineering attack. If I was a decent cyber criminal, that is what I would be doing,” he said.
“People are the most susceptible and the weakest link, so you target them with what looks like a bona fide email, with an executable file in an attachment, and that is how you gain a weakness.”
Mr Phair said the RBA’s subsequent claims that the attacks had been contained and that no sensitive information had been stolen were largely a public relations move to calm fears in the market.
He said it was not really possible to tell exactly what people do once they have had access to networks.
He also believed the problem was much wider spread than is ever reported, because a large number of hacking victims remain ignorant of the fact.
“The RBA was right to come out with its public response.
“The average person out there reading your pages would like to know that the RBA is protected,” Mr Phair said.
Last October, the federal government was considering requiring companies to notify customers and the public of serious data breaches. However, the Fin Review reports it is over four years since a similar recommendation was made by the Australian Law Reform Commission.
The then attorney-general, Nicola Roxon, published a discussion paper on potential implementation of plans, which could require companies and public-sector agencies to notify the Office of the Australian Privacy Commissioner when names, addresses and financial data are leaked or obtained by someone else.
A spokeswoman for Attorney-General Mark Dreyfus said there were voluntary guidelines on how Australian companies and organisations should report a security breach, but increasing risks meant tougher laws could be on the way.
“The Attorney-General is considering proposals that would require companies to report to consumers and the Commonwealth Privacy Commissioner when a data breach occurs, to improve privacy, bolster the security culture within organisations and bring Australia into line with international jurisdictions.”
SME’s and Data breach notification.
There has been much criticism after past data breaches such as the well-publicised Sony data breach, that companies who have in the past “held out” on their customers following a data breach, waiting days or up to a week or so to notify customers were putting the consumer’s personal information may be at risk.
And rightly so. During the time, of ‘silence’ it can be argued that hackers have free access to this personal information without the consumer being able to do anything to minimise their own risk, such as cancelling accounts, changing passwords and flagging their credit accounts and credit file.
For small to medium businesses, we need to make plans and take precautions to prevent future attacks and protect our consumers – and without the requirement out there to disclose data breaches SME’s are missing a big opportunity to be guided by the example of big business in how to handle (or not to handle) cyber-attack.
That wider issue is what Australian SME’s face today – we are in the firing line for cyber-attacks simply by having a website, and staff with email addresses – but we rarely have the same security capabilities, the same profit margin and in many cases the same ‘publicity’ power that large entities would have. I can’t help imagining that as data breach laws begin to be enhanced, that SME’s could become the section of business most concerned with privacy issues, and the application of privacy law and indeed lawsuits against SME’s could be just as big a threat as the data breaches themselves.
That is another reason why big business needs to set the example. Until the law requires them to do so, it would be ideal for them to voluntarily disclose data breaches as they occur, with a view to educating the whole community on the nature of cyber-attack, and showing examples of the correct process for both preventing occurrences and dealing with them when they happen.
Currently, the best place to go for up to date information on cyber-security and your rights and obligations is the Office of the Australian Information Commissioner (OAIC). The OAIC’s article A Guide To Handling Personal Information Security Breaches is really essential reading for SME’s and includes information on obligations under the Privacy Act 1988, and advice on both handling a data breach, and preventing future data breaches in your company.
If you suspect your credit accounts may have been affected by identity theft – either through a cyber-attack or any form of credit fraud, you should do three things:
1. Contact Police to report it.
2. Notify your banks and Creditors.
3. Notify the credit reporting agencies which hold your credit file.
Act quickly. The faster you are able to take these actions the better you will be able to protect your credit file from impairment. Catching identity theft early could prevent defaults and other credit listings.T
This is why mandatory data breach notification is so important from the perspective of the consumer. Recovering your clean credit file following identity theft which has led to credit fraud can be difficult for individuals to do, as you have to prove you didn’t initiate the credit in your name.
For further help or advice contact a MyCRA Credit Repair Advisor on 1300 667 218.
Image 1: renjith krishnan/ www.FreeDigitalPhotos.net
Image 2: AscensionDigital/ www.FreeDigitalPhotos.net