Australia has experienced a notable increase in cyber attack activity during the current year, leading to personal data compromise for millions of individuals. Multiple sectors, including finance, health services, and government, have been affected by these incidents, resulting in data loss and, in some cases, financial detriment. Businesses have also incurred substantial costs, with each data breach potentially amounting to millions of dollars in expenses.
Data Breach Statistics and Trends
In response to these events, the Office of the Australian Information Commissioner (OAIC) launched a Notifiable Data Breaches (NDB) statistics dashboard last month to provide public information on data breach volumes and types. From January to June of the current year, 532 data breaches were recorded, with over half attributed to malicious or criminal attacks. OAIC spokespersons indicated that a higher number of notifications have been received in the second half of the calendar year, suggesting a continued increase in incidents.
Associate Professor Vanessa Teague from the ANU College of Engineering, Computing and Cybernetics stated that the most significant data breaches might remain undetected, as effective attacks can be surreptitious and may not be noticed by service providers or lead to notification of affected individuals.
Over the past four years, the OAIC has received between 397 and 594 data breach reports every six months. A significant incident in February involved an Australian fertility clinic, Genea Fertility, which later confirmed in July that patient and donor medical histories had been posted on the dark web. Patients of Genea Fertility have sought accountability from the company regarding this breach.
Organisational Responsibilities and Recommendations
Dr. Teague observed that attack techniques keep improving while defences are not keeping pace, and she urged government and business to strengthen their strategies to reduce future breaches. One specific recommendation is to add encryption of stored data to the Australian government's "Essential Eight", the Australian Signals Directorate's baseline set of mitigation strategies, which currently covers controls such as patching, multi-factor authentication, application control and backups but does not mandate encryption. Dr. Teague stated that encryption, which mathematically obscures data so that only intended recipients holding the correct key can read it, would significantly mitigate the damage from data breaches. In practice that benefit depends on how the keys are handled: encrypted records stay unreadable only if the decryption keys are held separately from the database, so that an attacker who copies the data does not obtain the keys with it.
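To make concrete what encryption of stored data does and does not buy, the following Go program, added here as an illustration and not code from any organisation named in the article, encrypts a constructed sample patient record with AES-256-GCM under a key held by a separate key service, shows what a copied database contains, and demonstrates that the record decrypts only with the right key and that a modified ciphertext is rejected. The `PatientRecord`, `KeyService` and `Vault` types, the record identifier and its contents are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// PatientRecord is a constructed sample of the kind of data a clinic holds.
type PatientRecord struct {
	ID      string
	History string
}

// KeyService stands in for the component that holds the data-encryption key
// (a KMS or HSM in production); the database side never sees the key.
type KeyService struct{ key []byte } // 32 bytes: AES-256

// NewKeyService generates a fresh random AES-256 key.
func NewKeyService() (*KeyService, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &KeyService{key: key}, nil
}

func (k *KeyService) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Vault is the stored-data side: it holds only nonce||ciphertext per record.
type Vault struct{ rows map[string][]byte }

func NewVault() *Vault { return &Vault{rows: map[string][]byte{}} }

// Store encrypts rec.History with AES-256-GCM. The record ID is bound in as
// associated data, so a ciphertext moved to another row will not decrypt.
func (v *Vault) Store(k *KeyService, rec PatientRecord) error {
	aead, err := k.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := aead.Seal(nil, nonce, []byte(rec.History), []byte(rec.ID))
	v.rows[rec.ID] = append(nonce, ct...)
	return nil
}

// Load decrypts one record. A wrong key, a modified byte or a swapped row
// all fail GCM authentication and return an error rather than garbage.
func (v *Vault) Load(k *KeyService, id string) (PatientRecord, error) {
	blob, ok := v.rows[id]
	if !ok {
		return PatientRecord{}, fmt.Errorf("record %s: not found", id)
	}
	aead, err := k.aead()
	if err != nil {
		return PatientRecord{}, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return PatientRecord{}, fmt.Errorf("record %s: blob too short", id)
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
	if err != nil {
		return PatientRecord{}, fmt.Errorf("record %s: %w", id, err)
	}
	return PatientRecord{ID: id, History: string(pt)}, nil
}

// Dump returns the stored blobs exactly as an attacker who copies the database
// files would see them. The slices alias the store, so writing through them
// models modification of the data at rest.
func (v *Vault) Dump() map[string][]byte {
	out := make(map[string][]byte, len(v.rows))
	for id, blob := range v.rows {
		out[id] = blob
	}
	return out
}

func main() {
	ks, err := NewKeyService()
	if err != nil {
		panic(err)
	}
	v := NewVault()
	// Constructed sample record; not data from any real incident.
	if err := v.Store(ks, PatientRecord{ID: "P-1001", History: "donor cycle 2 notes"}); err != nil {
		panic(err)
	}
	fmt.Printf("copied database: %x\n", v.Dump()["P-1001"])
	rec, err := v.Load(ks, "P-1001")
	fmt.Println("with key:", rec.History, err)
	other, _ := NewKeyService()
	_, err = v.Load(other, "P-1001")
	fmt.Println("wrong key:", err)
}
```

The design point is the split: the database holds ciphertext and nonces only, the key lives behind `KeyService`, and the record ID is authenticated as associated data so that an attacker with write access to the store cannot move one patient's history onto another patient's row without detection. A breach that copies the database files yields nothing readable unless the key service is compromised as well.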
Regarding ransom payments, Dr. Teague advised against them, citing the Qantas cyber breach earlier this year that affected 5.7 million customers and involved a ransom threat. She stated that paying ransoms incentivizes future criminal activity by funding attackers and does not protect data, but rather shields responsible parties from public embarrassment. Qantas reportedly worked with police and did not publicly confirm a ransom payment.
Dr. Teague also suggested updating the Privacy Act to hold both public and private entities accountable for data security and privacy. Carly Kind, the Privacy Commissioner, reinforced that organisations must take all reasonable steps to secure information and protect against breaches. These measures include investing in cybersecurity, implementing governance measures such as privacy training, establishing strong policies, and ensuring board-level engagement with privacy risks. Ms. Kind also emphasized the importance of reviewing data collection processes and avoiding unnecessary data retention, identifying lengthy data retention as an aggravating factor in breaches.
Individual Data Protection Measures
While Dr. Teague stated that individuals have limited control over their data once it has been submitted to a third party, preventative measures can reduce the risk of being caught up in a future breach. Superannuation funds are one example of a target: AustralianSuper experienced 600 attempted cyber attacks in one month, resulting in $500,000 in losses for four members.
Individual recommendations include:
- Avoiding unnecessary data submission: Limit the sharing of data that is not essential.
- Utilizing end-to-end encrypted communication: Use platforms such as Signal, iMessage, FaceTime and WhatsApp for texts, calls and video. Plain SMS, standard phone calls and email through providers such as Outlook and Gmail are, at most, encrypted between the user and the provider; the provider, and anyone who compromises or compels it, can still read the content. Note that iMessage is end-to-end encrypted only between Apple devices; messages to other phones fall back to carrier messaging, which is not.
- Employing privacy-preserving browsers: Use browsers like Firefox or Safari in conjunction with a robust ad blocker.
- Exercising discretion with personal information: Avoid providing sensitive details like a real date of birth when not required, and refrain from uploading unnecessary information such as close-up facial images or driver's license copies unless strictly necessary for a service.