Happy Anniversary! Data Breaches and Digital Security 1 Year into The NDB Scheme
Landmark White is a company that specialises in real estate valuation.
In January 2019, they were responsible for a massive data breach that saw details of up to 100,000 customers leaked over a 19-day period.
The source: an exposed API.
The details exposed in the breach included names, addresses, emails, telephone numbers and of course, property valuation data.
Unsurprisingly, their share price went into freefall as some of their biggest corporate customers - NAB and Commonwealth Bank among them - temporarily pulled the plug on using their service.
With individuals and organisations who used the service now being advised to take precautions, Landmark White faces a long road back to repair the trust, reputation and business that was shattered in an instant.
812 notifiable data breaches (or NDBs).
That’s the number The Office of the Australian Information Commissioner (OAIC) reported on over the course of 2018, as the NDB scheme hits its 1-year anniversary. The Landmark White breach was just one amongst hundreds of horrifying examples.
But here’s the really scary part: the data breaches reported and recorded represent just 3% of the total estimated number that hit Australian industry every year.
That doesn’t mean we’re left in the dark, though. Using data the Office gathers, we’re able to get a much clearer picture on what these breaches look like.
So, let’s dig a little deeper into the who, what and how...
Skeletons Out of the Closet: What are Notifiable Data Breaches (NDBs)
A data breach is when personal or confidential information held by a business or organisation is lost, access or modified without
permission, or misused. Any business or organisation that falls under the Privacy Act or the Australian Privacy Principles (APP) has to
report if and when they detect a breach of their data.
The two groups they have to notify are:
- Individuals affected by the breach
- the OAIC
The reason behind the breach is irrelevant. Whether it was accidental (e.g. an employee losing a laptop with confidential information) or
malicious (e.g. a cyber attack), they must still report it as a breach. If you want to find out more about data breaches and your
responsibilities around them (especially if you handle sensitive data), our post
on the NDB scheme
gives you all the details
Who: Industries Hardest Hit by Data Breaches
Health, finance and legal are all fields that frequently deal with sensitive and confidential information. So, it’s unsurprising to see these three sectors consistently reporting the highest number of data breach notifications since the scheme’s inception.
An Unwelcome “Achievement”: Top Five Sectors for NDBs Reported in Oct - Dec 2018
| Health service providers: | 54 |
| Finance: | 40 |
| Legal | 23 |
| Education | 21 |
| Mining & Manufacturing: | 12 |
In terms of the individuals affected by a breach, the majority of incidents in the last quarter of 2018 were on the smaller side. 83% of reported breaches impacted less than 1,000 people, with this frequency suggesting smaller businesses lack effective data security capabilities.
At the other end of the scale, there was only one “mega incident” that impacted more than a million people, but there were another four that involved anywhere from 50,000 to 500,000 individuals each time.
An “All-Star” Cyber Casualty List
While most data breaches affect a relatively small pool of people, there have been stunning cyber-related revelations in just the past few months from some of the biggest companies who operate in Australia...
Toyota
Toyota staff were locked out of their emails and had other IT systems affected for over a week by a cyber attack in February , crippling their customer service in the process.
Department of Parliamentary Services
The Australian Parliament’s servers were targeted in a cyber attack which may have involved a foreign power.
Bunnings
A team member stored employee performance data that contained staff and customer details on his home PC , exposing it to the wider Internet.
Marriott Hotels
Personal information of guests, including credit card details, accessed without authorisation over a four-year period from 2014-2018.
Optus
A systems issue caused suspicious account activity online and allegations of privacy breaches, from Optus customers.
What: The Secrets Being Spilled
Having your credit card details stolen is the typical “nightmare scenario” whenever a data breach is mentioned, but in this digital age, it’s far from the scariest proposition. Even the seemingly “benign” contact info that tops the most list of personal data breached is rife to all kinds of abuse. More alarmingly, financial and identity details that can directly hurt businesses and individuals were frequently part of a breach.
The top five types of personal information involved in data breaches over October - December 2018:
| Contact information: | 223 |
| Financial details: | 123 |
| Identity information: | 94 |
| Health Information: | 71 |
| Tax file number: | 46 |
How: Your Data’s Getting Out
With almost two thirds (64%) of last quarter’s reported data breaches being malicious, it’s worth looking at how attackers are getting hold
of sensitive data. Unsurprisingly, cyber incidents are by far the most common, with 114 reported. Physical theft was less than a quarter
with 25 incidents, while social engineering totalled only 9.
Of the cyber incidents, these were the most common methods used to access data:
| Phishing (compromised credentials): | 43% |
| Compromised or stolen credentials (unknown method): | 24% |
| Ransomware: | 10% |
| Brute-force attack (compromised credentials): | 8% |
| Malware: | 7% |
The Essential 8: Stop Data Breaches In Their Tracks
While data breaches happen for all sorts of reasons, from a lack of resources to simple mistakes to targeted attacks, we see one prevailing trend seriously aggravating the problem:
Most approaches that businesses use are influenced by a “damage control” philosophy, rather than a pro-active approach that includes recovery as a component.
Limiting damage plays a part, but as security specialists, we use a more rounded, complementary approach to protect the businesses we work with. That’s why we use the “Essential 8”: techniques that combine to protect a business from a data breach and mitigate any damage in the rare chance it happens.
Prevention
As the potentially devastating consequences of a data breach shows, the old saying “prevention is better than cure” holds true today. It’s why half of the “Essential 8” focuses on preventing data breaches, rather than just trying to clean up or contain the damage.
1. Use firewalls & email antispam
Keeping would-be intruders out of your systems and networks is the obvious place to start. Using a combination of intelligent firewalls in your offices with intrusion prevention along with an email antispam solution to protect your email, you can go a long way to warding off attacks on your systems.
2. Protect your endpoints
From desktops to laptops and mobiles, endpoints are a tempting vulnerability for cyber attack. Constant monitoring and threat detection with automated remediation around your endpoints can sound the alarm for a quick response if they’re ever threatened. These days antivirus is not enough to protect against new and evolving threats.
3. Continuously scan the “dark web”
You might have heard of the “dark web” and how stolen credentials often end up on there, sold to the highest bidder. With scanning software designed to search the dark web for a your data, you can be constantly checking that none of your credentials have ended up there with out your knowing.
4. Harden your applications
Your managed services provider (MSP) should already be one step ahead in this respect, with solid processes and pro-active measures that lock down your apps. They should also be running internal vulnerability scanning to keep a watchful eye on your systems and keep everything continually secured.
Limitation
You can never 100% anticipate or eliminate the risk of a data breach, whether it’s through a malicious attack or careless employee. However, you can take steps to mitigate and limit the damage if the day arrives.
5. Train your staff in security
Training your staff to be more aware about cyber security risks can be a quick win for your digital security. This might include subjects like:
- How to handle suspicious emails or web links
- Password management
- Attacks like CEO fraud and spear phishing
While online training might have been reserved for bigger businesses it is now affordable and accessible to businesses of any size and is a very worthwhile investment over the mid to long-term.
6. Stay on top of software patches
Out-of-date, unpatched software is like hanging a neon sign over your network saying “hack me!”. Always keep your software patched and by harnessing automated tools you ensure patches get applied quickly and without the risk of exposing your entire network because a team member forgot.
7. Use multi-factor authentication
A password from a careless user might be all it takes to crack your system open like a ripe watermelon. However, multi-factor authentication (or MFA) makes it exponentially more difficult for would-be attackers to get into your systems. Combining conventional passwords with push notifications, QR codes or one-time passwords that software like AuthPoint provides means your users passwords are much less of a vulnerability.
Recovery
Data recovery is driven by more than just the threat of cyber attack or data breach, but they’re still scenarios that make these contingencies critical to your organisation and ensuring your business can survive any disaster.
8. Include offsite data backup & business continuity
Ensuring your systems can be up and running quickly in the event of a cyber incident or disaster means investing in some sort of business continuity system. Local and offsite cloud back-ups combined with back-ups for SaaS apps like Office 365 gives you near-complete protection from the spectre of data loss. And we use the 3-2-1 rule, that's 3 copies of your data, 2 on different systems onsite and 1 offsite (and offline).
Data breaches aren’t just bad news. They can be ruinous events that destroy a business.
What’s more, they’re happening every day… whether they’re being reported or not.
If there’s only one thing you take away from this, we hope it’s a fresh understanding of the massive implications of a data breach, and how seriously the issue should be addressed.
This doesn’t mean your business is helpless. Use the “Essential 8” as a starting point to shore up your digital and human defences, shut
down vulnerabilities and make your business safer for yourself and your customers.