Are data breaches becoming more common? An expert in digital security explains it

A cyber security expert says businesses and organizations have become “complacent” when it comes to their cyber security measures.

In the past month alone, seven domestically recognized companies have publicly identified breaches of their cybersecurity systems, resulting in the leakage of customer data.

Some, like Optus’ large-scale breach, saw millions of customers affected, while others have created public relations nightmares and consumer distrust.

Speaking to news.com.au, APJ global solutions engineer at cyber security services company Sophos, Aaron Bugal puts the rise in security breaches down to a combination of increased sophistication and, for some companies , to a lack or prior planning.

“The biggest problem I see today is that cybercriminals are just as knowledgeable as the defenders. They have access to the tools of the networks, they know how thoughts work, and they’re spending all their time trying to exploit them,” he said.

“These days, threats are much more complex, criminals have much more opportunistic ways of getting in, and they’re only going to continue to take advantage of that.”

Bugal says that while there has been government support to help businesses become more resilient, the information has been “on deaf ears”.

“There is a certain complacency and, in some cases, almost negligence where organizations are not responsible for implementing correct and basic cyber controls, and cyber hygiene, and having a very ‘she’ll be right’ attitude towards security,” he said. to say.

Without naming the organizations, he criticized the companies for being a “deer in the headlights” after security breaches.

“It will only lead to more and more customers taking their business elsewhere or demanding that organizations be more responsible and implement proper cyber security,” he said.

EnergyAustralia: Customer data exposed

On Friday, power company Energy Australia became the latest entity to be implicated in a data breach. A cyber attack on the online platform, My Account, saw the details of 323 residential and small business customers exposed.

The leaked data included names, addresses, email addresses, electricity and gas bills, phone numbers and the first six and last three digits of credit cards.

While EnergyAustralia said there was no evidence the information appeared on a third-party site, the utility provider has updated its password policy.

Users must now implement 12-character passwords, including a mix of upper and lower case letters, numbers and special characters, whereas previously passwords were only required to be longer than eight characters.

Medibank: ransom demands, threats issued

One of Australia’s largest private health insurers, the Medibank data breach scandal escalated significantly this week.

On Wednesday, the company confirmed it had been contacted by a group that wanted to “negotiate with the company regarding its alleged deletion of customer data.” While Medibank is still verifying the claims, the Sydney Morning Herald said the hacking group’s message threatened to sell the 200 gigabytes of stolen data and contact high-profile customers.

The escalation came just a week after the health insurer said a “cyber incident” had not led to access to customer data.

“At this stage there is no evidence that any sensitive data, including customer data, has been accessed,” Medibank said in a statement.

“As part of our response to this incident, Medibank will isolate and remove access to some customer-facing systems to reduce the likelihood of damage to systems or loss of data.”

Speaking about the worst-case scenario of a potential breach, Bugal said that as an insurance provider, Medibank would have access to customers’ personal data and personal illnesses such as heart conditions and chronic conditions.

“What could happen is limitless,” he said.

“Scammers could start using it against individuals. I would hate to see that done at a level when it comes to medical conditions.”

MyDeal: “Sold by Author” data

A Woolworths Group subsidiary, MyDeal.com.au, also came under fire after 2.2 million customers had their names, email addresses and phone numbers exposed in a data breach.

In an update published on Wednesday, October 19, MyDeal said it believed customer data “has been reported to have been sold by the author”. A statement from the company advised customers to keep a close eye on any suspicious activity in their online accounts and to be weary of email, phone and SMS scams.

“It is important to note that no passwords, payment details or identification documents were exposed in the MyDeal customer data breach,” the statement said.

“Around half of affected MyDeal customers only had their email addresses accessed in the breach.”

Optus: 10 million customers breached

The recent Optus data breach showed the severity of a large-scale cyber attack.

The identifying data of 10 million customers was exposed from passport details, driving licenses and Medicare cards, leaving customers vulnerable to hackers and the potential for identity theft.

Almost a month after the telco discovered the breach on September 22, the fallout has continued for those affected.

On Friday, a customer, who has since switched operators, said that, without consultation, Optus has prevented customers from using their passports in verification services. However, the document can still be used for international travel, the correspondence says.

“To prevent misuse of your identity, we have asked the Home Office to block the use of your passport through the Document Verification Service (DVS),” the letter said.

“This means it cannot be used to verify your identity online using the DVS. You can still use your passport to verify your identity in person for up to three years after it expires.

Telstra and NAB details leaked in third-party breach

Telstra and NAB employees were also implicated in a data breach, after information stolen in 2017 was made public.

Both companies confirmed that the breach did not affect their internal systems and only affected the third-party provider, Pegasus. Owned by My Rewards International, the independent platform offers rewards programs for businesses.

According to the telco, 30,000 employee details from 2017 had been published on a platform linked to the Optus hack. The information included first and last names and email addresses that customers used to register on the site.

According to the Sydney Morning HeraldNAB and Telstra were among 15 companies affected by the breach, which affected up to 72,000 current and former employees.

Vinomofo: 500,000 potential affected

On Tuesday, customers of online wine retailer Vinomofo were notified of a data breach by a third party that may have affected up to 500,000 of its customer base.

The information that was at risk of exposure included details of customers’ names, birthdays, addresses, emails, phone numbers and genders.

However, in an email to customers, Vinomofo chief executive Paul Edginton said the company did not store details such as credit card information and formal identification.

“Vinomofo experienced a cybersecurity incident in which an unauthorized third party illegally accessed our database on a testing platform that is not linked to our live Vinomofo website,” he wrote.

“Vinomofo does not hold identity or financial data such as passports, driver’s licenses or credit card/bank details. Although passwords, IDs or financial information have not been accessed, the database includes other customer and member information”.

Cybercrime rates are only increasing, warns the minister

Speaking on ABC Radio on Thursday, Cyber ​​Security Minister Clare O’Neil said rates of cyber attacks were likely to only increase and were now the “main concern for international crime”.

“This is the new world we live in. We’re going to be under relentless cyber attack, essentially from here on out,” he said.

Ms O’Neil also hinted that regulatory changes were coming.

“So I think combined with Optus, this is a big wake-up call for the country. And it certainly gives the government a very clear mandate to do some things that, frankly, probably should have been done five years ago, but I think they’re still very important,” he added.

However, Bugal says companies will also have to adapt to smarter technology and hacking groups that have become increasingly aggressive in their attacks.

“I have a lot of sympathy for employers today because you can’t have a five-year plan of what’s going to happen in cybersecurity because it changes monthly,” he said.

“So you just have to have people who are cyber-aware, who have their finger on the pulse and can put their time into it.

“This will be a big step forward in effectively running faster than the rest of the people out there so as not to be caught as a victim.”

Leave a Comment

Your email address will not be published. Required fields are marked *