Data Breaches: An Australasian perspective

The recently published Jefferies Identity Theft Resource Centre End of Year Report 2018 looked at worldwide trends between 2017 and 2018. They noted that whilst there was a reduction of breaches by 23 percent, the number of records exposed rose 126 percent from approximately 197 million to 446 million. Hacking is still the most common event causing data loss.

Whilst data breaches are well reported, other types of breach are equally as important. An incident could also result in violation of laws, people’s trust, or privacy. Ultimately, the fines and eroded trust often impact the organisation long after the event itself. This article will cover some recent examples.

One of the big challenges for all security professionals in Australasia is getting buy-in for security investment.

With the phenomenon of security convergence becoming more widely recognised, the silos that have traditionally separated the Information, Physical, and Personnel security domains are fading away. Within the security multi-domain there are convergent risks and threats for which we require Governance, Compliance, Policies and Procedures, and security solutions. Organisations are now having to move to enterprise level wholistic security plans to avoid gaps in responses to these.

Ironically, the relative safety of New Zealand and Australia doesn’t help. The 2019 Global Finance Magazine Safety Index has New Zealand as 10th safest in the world, with Australia close behind at 18th. The safety index considers the risk of natural disaster, crime, terrorism and war.

A downside of this lower risk environment is that people settle on a laissez-faire attitude to security. An indifference to the risks and threats thus ultimately pervades all levels: Government, enterprise, SME, residential and personal security.

2019 has been a bad year for New Zealand Government departments and suppliers in terms of breaches. Simple security mistakes have led to serious data loss events. Many of these could have been avoided with better oversight, governance, and policies and procedures.

Privacy breach on gun buy-back site: Reported in early December 2019, this breach occurred after vendor SAP added a new security profile and incorrectly provisioned it to a group of 66 dealer users as a result of human error. This had not been authorised by police and gave dealers a higher level of access than approved, including access to information on all 70,000 fire-arm handin applications, including details of gun and owner bank account details.

The problem was only discovered when one dealer reported the new level of access to police. The site was shut down immediately, and a manual process invoked. The number of records compromised is not known.

NZ Budget leak on Treasury Website: The national opposition were able to access a copy of the yet-to-be released Budget by simply searching the treasury website. It had been published on the site earlier than it should have been. Whilst technically not a breach, it was highly embarrassing for all involved.

Tuia 250: The external web site of Tuia - Encounters 250 national commemoration held data insecurely.

On 25 August 2019 the Ministry for culture and heritage reported a breach involving the personal details of people who applied to the Tuia 250 Voyage Trainee programme, which included images of passports, driver’s licences, birth certificates and other forms of identification stored on the website. Information from investigators indicated that at least 370 documents had been compromised.

“Our advice from our security investigators,” stated the Ministry, “is that this wasn’t a targeted attack on the website, but rather an opportunistic finding of information that wasn’t as secure as it should have been.”

In the wake of the breach, Prime Minister Jacinda Ardern announced that the government would introduce mandatory requirements for certain agencies to procure all products and services from the list of approved providers on the ‘all-of-government ICT common capabilities list’ with immediate effect.

Tu Ora Compass Health: With their external web site hacked, Tu Ora Compass Health revealed in October 2019 a data breach resulting in the potential exposure of sensitive medical information belonging to one million individuals.

“On 5 August, our website was attacked as part of a global cyber incident,” reported the organisation. “As soon as we became aware, our server was taken offline, we strengthened our I.T. security and started an in-depth investigation. The investigation has found previous cyber attacks dating from 2016 to early March 2019. We don’t know the motive behind the attacks. We have laid a formal complaint with Police and they are investigating.

“We cannot say for certain whether or not the cyber attacks resulted in any patient information being accessed. Experts say it is likely we will never know. However, we have to assume the worst and that is why we are informing people.”

Banking incidents: Just because banks have resources and scale, does not mean they are immune to breach. They are major targets of attackers, and this is reflected in the number of incidents reported.

In addition to the expected data breaches, some banks failed to take governance and compliance seriously. This resulted in some of them breaching anti money laundering rules, leading to significant fines and endangering their banking licences.

Commonwealth Bank has had a bad few years on this front.

Australian banks are required to report large transactions of $10,000 or more within 10 business days. This allows the federal financial intelligence agency AUSTRAC to monitor funds going to criminal or terrorist networks.

In June 2018 CBA agreed to pay AUSTRAC AUD 700 million plus legal costs. The bank admitted to the late filing of 53,506 anti-money laundering reports. The bank also failed to properly monitor transactions on 778,370 accounts to check for money-laundering red flags over a three-year period.

In June 2019 using a court enforceable undertaking, the Office of the Australian Information Commissioner (OAIC) asked CBA to substantially improve its privacy practices after an investigation of two incidents in which the bank mishandled data:

• In 2016, the bank lost two magnetic storage tapes containing 20 million customers’ historical statements.

• In August 2018, CBA reported inadequate internal access controls to customer data to the OAIC

Westpac Bank also has been in the news. In November 2019, AUSTRAC reported legal action against Westpac relating to 23 million breaches (totalling AUD 11 billion) of the anti-money laundering laws, with potential links to child exploitation. With each of the 23 million breaches carrying a potential penalty of up to AUD 63,000, the potential total fine runs as high as AUD 1 trillion.

It expected that the bank will negotiate for significant financial penalty in excess of AUD 1 Billion.

This has initiated further investigations likely to directly impact the bank’s directors and senior executives. The scandal led to the resignation of CEO Brian Hartzer.

“As CEO I accept that I am ultimately accountable for everything that happens at the bank,” Hartzer said. “And it is clear that we have fallen well short of what the community expects of us, and we expect of ourselves.”

Chairman Lindsay Maxsted also stood down. The brand itself has been damaged, and it is expected to make it more difficult for the bank to raise capital from investors with large penalties looming.

Many organisations have decided to implement Two Factor Authentication to reduce and mitigate risks of a breach of customer records. Many industries, including banks, use it to send an authentication code to a customer’s mobile number via text to verify the person for logins and transactions.

Attackers have responded by finding vulnerabilities and identifying new avenues of attack, such as porting fraud and SIM swapping processes. This is a major problem worldwide with mobile telecom providers having to review the process of shifting a mobile number between providers.

The number porting process in NZ and Australia has lacked safeguards to ensure the person porting the number is the current user. When attackers look to compromise an account’s login details, for example, they could request to port the mobile number associated with that account. Once the number is on a SIM they control they can use it to reset passwords and to access sensitive data or do financial transactions.

The consequences of this type of attack on an individual can be significant. They can, for example, jack a twitter account and post offensive material to damage the reputation of the account holder. Twitter CEO Jack Dorsey had his mobile number ported by an attacker in August 2019. The attacker sent out offensive tweets to 4.2 million of his followers via a text to tweet feature of the service.

On the more serious side, an attacker could gain access to sensitive data from an organisation or individual. Attackers have financially ruined people by locking them out of their bank accounts and draining available funds. The process to recover from this type of event is normally slow and stressful for the victim.

Whilst we live in a safe part of the world, the examples in this article demonstrate that we are not immune from the risks, threats and vulnerabilities faced by the rest of the world.

We should also recognise that a breach is not just a cyber event. Poor access control policies can have severe impacts and cause a breach by having authorised users with too-high level access creating a leak. Poor publishing policies on a website could release important documents when embargoed. Poor handling of storage media devices also presents a risk.

Poor governance, as I’ve noted, can result in the breaking of laws, such as anti-money laundering legislation. These carry significant penalties and can result in loss of senior leadership, serious brand damage, and serous fines, hindering investor confidence.

One common outcome of a breach event can be more rigorous oversight by regulators. When this happens, they often find other infringements. This can result in much tighter regulation and rules that can impact on the profitability of the business.

Two factor Authentication is only as good as the processes related to number porting. The consequences of the SIM swap can be significant to the organisation or person affected, and it can take a very long time to recover from this type of event.

Moving from the traditional siloed approach to security to enterprise-level wholistic security plans is an important step for organisations looking to avoid gaps in their responses to risks and treats.