An Australian tsunami of cybersecurity breaches
First Optus. Then Woolworths, Telstra, Medibank, Australian Clinical Laboratories… all major Australian companies that have revealed, in the last two weeks, that their customers' personally identifiable information (PII) was accessed. The result is that millions of Australians are now at risk of fraud through identity theft.
Optus Data Breach – Lest We Forget (synercon.co)
Medibank data breach – Lest We Forget (synercon.co)
A decade of ignoring cybersecurity
While the rest of the world was tightening its cybersecurity systems and privacy legislation, the previous Australian government refused to address the growing problem of identity theft and cybersecurity fraud. To quote Professor Vanessa Teague, a cryptographer from the Australian National University:
“We’ve had a decade of anti-security policy,” she said. “We’ve had laws that required the acquisition of data that didn’t need to be acquired, laws that demand the retention of data that didn’t need to be retained.”
Medibank, Optus, Woolworths data hacks show how a ‘decade of anti-security policy’ is putting Australia at risk, experts say – ABC News
This has led to the unconstrained collection of personal data
Personally identifiable information that has been accessed includes passport details, dates of birth, driver’s licenses, Medicare card details, health conditions, credit card details, home addresses, email addresses and phone numbers.
For years Australian citizens have been subject to the over-collection of PII, most of which is completely unnecessary. For example:
- Online check-in for the Accor hotel chain, which requires your date of birth to validate your identity.
- Other hotel chains that require a photocopy of your photo identification.
- Real estate agents who demand passports or birth certificates, pay slips, driver’s licenses and credit scores, along with social media history, work history and rental history.
This unconstrained data collection would not be permissible in the UK or Europe where the right to protection of PII is enshrined in tough data protection regulation, namely the General Data Protection Regulation (GDPR) and the UK Data Protection Act.
Many have lost 100 points of identification
In most Australian jurisdictions, individuals are required to provide a total of 100 points of Australian or state-issued documents to prove identity. Different types of identity documents are worth different points and are used in combination to make up 100 points, with at least one primary document (usually a passport or driver’s license).
I remember a time when it was only necessary for these documents to be ‘sighted’ by an appropriately authorized officer. But now we are required to scan and upload this precious data.
For the 2.8 million people affected by the Optus breach, 100 points of identification were stolen, leaving them particularly vulnerable to identity theft.
We don’t know where the risk is
As individuals, we are expected to digitally hand over our identification data and images in order to conduct online business. Our precious identification data is scattered widely across the digital landscape in multiple unidentified systems.
We don’t remember who we have provided our data to, and we certainly don’t know in which systems our personal data is held. If we did, we would probably be shocked.
But neither do the data custodians
It’s not just businesses that are in the data collection business. All levels of government collect data from individuals.
For example, councils collect personal data in order to deliver dozens of online services, such as paying fines, obtaining permits and licenses, registering pets and making payment arrangements. In the process, dozens of local databases are created as spreadsheets, Access databases and SharePoint lists. It is only during an information asset audit that the scale of data collection becomes apparent.
Information Asset Management exposes the risk
All organizations, large and small, are prey to data breaches, whether from external threats or human error. It is becoming critical that directors and executives are made aware of the scale of data collection so they can assess the risks they face.
Creating and maintaining an Information Asset Register is just the start – it’s mandatory in the United Kingdom and Europe. Even when it’s not a requirement, it’s good business practice for any organization that holds personally identifiable information, privacy protected information, or intellectual property.
Don’t have an information asset register, or is your existing one falling short? Synercon can help.