If recent reports of yet more Australian cyber-crime victims teach us anything, it is how important it is to keep personal information safe. Today's cyber-crook or scammer is after more than the money in your account: they are after the money you can borrow, by obtaining credit in your name. The recent arrest of seven Romanians in Australia's largest credit card data theft investigation, in which the syndicate had access to 500,000 Australian credit cards, is a chilling reminder that Australians are not immune to fraud and identity theft. That these criminals obtained the data by hacking the databases of 100 Australian small businesses prompts us to look at what Australian businesses can do to protect customer information on their networks and keep their customers' personal information and credit files safe.

By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.

On Thursday the Australian Federal Police announced, in a joint media release, that seven people had been arrested in Romania in Australia's largest credit card data theft investigation.

The criminal syndicate had access to 500,000 Australian credit cards and approximately 30,000 credit cards have been used for fraudulent transactions amounting to more than $30 million…

Stolen credit card data was being used to create false credit cards, enabling thousands of counterfeit transactions to be carried out in numerous overseas locations including Europe, Hong Kong, Australia and the United States.

After the AFP identified the cause of the data compromise, the investigation grew to involve numerous international law enforcement partners and the Australian banking and finance sector also provided strong support…

No Australian credit card holders lost money as a result of these fraudulent transactions. Australian financial institutions reimbursed the financial losses of cardholders…

Abacus Australian Mutuals CEO Louise Petschler said today’s developments show that cyber crime is a global enterprise.

“It underlines how a coordinated approach by law enforcement agencies, financial institutions, merchants and consumers can help fight card fraud. We all have a role to play to ensure credit card transactions are safe and secure,” Ms Petschler said.

“Policing is only one part of the solution to stop data compromises – credit cards should be kept in a secure place, ATMs should be checked for any unusual attachments, personal details including PIN numbers should be protected, financial statements should be checked continuously, mail boxes should be secured and if possible, ‘chip and PIN’ security implemented on credit cards,” Commander McEwen said.

The ABC ran a story the same day on this issue, ‘Australian small businesses targeted by data theft syndicate.’

It featured IT security expert Nigel Phair from the Centre for Internet Safety at the University of Canberra, who says the case proves that many small businesses are not taking data security seriously enough.

While he’s surprised at the scale of the operation, Nigel Phair isn’t surprised Australia was a target.

“We are susceptible. We are a good economy, we are ripe for the picking for these international criminals,” Nigel Phair says.

He says the issue for small businesses is that they spend next to no money on IT security.

He says it is relatively simple for criminals to get hold of credit card details if a company has no such security in place.

“It really is a matter of just hacking into the organisation, finding where their credit card details are stored and then stealing them and then transacting them yourself, you know. And then the next question coming out of that is after you do a transaction with a small to medium enterprise, there’s no reason for them to retain your data,” he says.

“In the small to medium category I would suggest most [small businesses] aren’t adhering to it [best practice when it comes to credit card data].”

Preventing Data Breaches in Small Businesses

Following the introduction of amendments to Australia’s privacy laws in the form of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, there will be more protection for individuals with regard to their personal information.

How this will flow through to small business procedures has yet to be officially outlined, as small businesses will be exempt from some of the new provisions.

Small businesses looking to comply as far as possible with best practice for personal information security right now should consult the Privacy Commissioner’s guidelines, found on the OAIC website.

Privacy Commissioner Timothy Pilgrim says appropriate security safeguards for personal information need to be considered across a range of areas, including physical security, computer and network security, communications security and personnel security. To meet their information security obligations, agencies and organisations should consider the following steps:

Risk assessment – Identifying the security risks to personal information held by the organisation and the consequences of a breach of security.

Privacy impact assessments – Evaluating, in a systematic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations.

Policy development – Developing a policy or range of policies that implement measures, practices and procedures to reduce the identified risks to information security.

Staff training – Training staff and managers in security and fraud awareness, practices and procedures and codes of conduct.

The appointment of a responsible person or position – Creating a designated position within the agency or organisation to deal with data breaches. This position could have responsibility for establishing policy and procedures, training staff, coordinating reviews and audits and investigating and responding to breaches.

Technology – Implementing privacy enhancing technologies to secure personal information held by the agency or organisation, including through such measures as access control, copy protection, intrusion detection, and robust encryption.

Monitoring and review – Monitoring compliance with the security policy, periodic assessments of new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place.

Standards – Measuring performance against relevant Australian and international standards as a guide.

Appropriate contract management – Conducting appropriate due diligence where services (especially data storage services) are contracted, particularly in terms of the IT security policies and practices that the service provider has in place, and then monitoring compliance with these policies through periodic audits.

He goes on to say that, in seeking to prevent data breaches, agencies and organisations should also consider their other privacy obligations around data collection and retention. Some breaches, or risks of harm, can be avoided or minimised by not collecting particular types of personal information, or by keeping it only for as long as necessary.

Consider the following:

What personal information is it necessary to collect? – …“Personal information that is never collected cannot be mishandled,” he says.

How long does the personal information need to be kept? – …“destruction or de-identification of information that is no longer required will usually be a reasonable step to prevent the loss or misuse of that information.”

For a full picture of the OAIC guidelines, including the relevant Privacy Principles and the obligations you may be subject to, we recommend reading the material above in its full context in the source document: Office of the Australian Information Commissioner, Data breach notification: a guide to handling personal information security breaches, April 2012.

Image: cooldesign/ www.FreeDigitalPhotos.net