MyCRA Specialist Credit Repair Lawyers

Tag: data breach notification

  • Cybercrime goes all the way to RBA but do our laws protect us?


It seems no Australian business is immune to cyber-attack, including the Reserve Bank of Australia, which it was recently revealed has been hacked. A prominent cyber security specialist says cover-ups happen all the time and that we must push for mandatory data breach notification laws to protect against the threat of identity theft and subsequent credit fraud. We look at the reality of these cyber-attacks, and the position SMEs find themselves in moving forward on issues of privacy.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.

How real is the threat of a major cyber-attack leading to mass money loss and credit fraud, or even cyber terrorism on our shores? As a recent story in the Australian Financial Review titled Attacks ‘highlight need for data breach notification law’ reveals, it is pretty real, and it seems our lack of mandatory data breach notification laws is not only down-playing the threats Australians face, but could be helping these criminals.

    “Not a day goes by when someone is not attempting to hack into any of the banks around Australia.”

    This was a statement made by the outgoing technology chief of the National Australia Bank, Gavin Slater at a recent talk to investors.

    He also revealed that just a few weeks ago:

    “11 United States banks were targeted by terrorist organisations in response to something that happened in the Middle East.”

    So if our banks are constant targets, why aren’t we informed?

    It was recently uncovered that the Reserve Bank of Australia’s systems had been compromised by China-based hackers. In response, technology security experts, including the former head of investigations at the Federal Police’s Australian High Tech Crime Centre, Nigel Phair called for the passing of long planned mandatory data breach notification laws.

    Mr Phair, who is now Director of the Centre for Internet Safety at the University of Canberra says the breach highlights the need for these laws to be passed.

    “The RBA story was hugely important, because the attack happened some time ago, and we only found out about it because of a freedom of information request,” Mr Phair said.

    “We desperately need data breach legislation; we are quite behind in ­global terms on that, to force businesses to disclose when sensitive data is breached. I don’t know what is holding it up, and I would like to think it is achievable. It will help other government agencies and businesses, to be aware that it is not just them being ­targeted, that the threats are pretty wide ranging,” he told the Fin Review.

    Mr Phair said many businesses wanted to avoid bad publicity and that it was understandable they would try to keep news of the loss of any intellectual property and customer details quiet. He said for listed companies, the fear that investors would be spooked was a big factor. But he said the current code of silence was only making it easier for cyber criminals.

    The Fin Review revealed these statistics on data breaches:

    KPMG estimates that 75 per cent of the 1000 largest Australian companies have had a material data breach, reported to cost Australian companies an estimated $2.16 million per company per year, according to a 2011 study by the Ponemon Institute. The Australian Bankers Association has defended the strength of IT security processes in Australia’s banking system.

    ABA chief executive Steven Münchenberg recently told The Australian Financial Review that there were no reports of similar attacks on other local banks, and that effective processes were already in place to co-ordinate fraud investigations with federal and state police.

    “The Australian Bankers Association is not aware of any successful ­hacking attempts on Australian banks,” Mr Münchenberg said. “Banks have systems in place to protect customer information and accounts – such as employee training, employee accountability, strict privacy policies, rigorous security standards, encryption and fraud detection software.”

    “The nature of these discussions needs to remain confidential as any details may be misused by criminals,” Mr Münchenberg said.

    But Mr Phair elaborates in the Fin Review how easily cyber-attacks play out in business situations:

Mr Phair warned that a significant number of Australian businesses and government agencies were ill-prepared for the kind of social engineering attacks which penetrated the RBA. The attack required nothing more than internal staff being tricked into clicking on a fake email purporting to be from management.

    “Lots of organisations like the RBA have great perimeter and other security mechanisms in place, but this was basically just a phishing, social engineering attack. If I was a decent cyber criminal, that is what I would be doing,” he said.

    “People are the most susceptible and the weakest link, so you target them with what looks like a bona fide email, with an executable file in an attachment, and that is how you gain a weakness.”

Mr Phair said the RBA’s subsequent claims that the attacks had been contained and that no sensitive information had been stolen were largely a public relations move to calm fears in the market.

    He said it was not really possible to tell exactly what people do once they have had access to networks.

He also believed the problem was much more widespread than is ever reported, because a large number of hacking victims remain ignorant of the fact.

    “The RBA was right to come out with its public response.

    “The average person out there reading your pages would like to know that the RBA is protected,” Mr Phair said.

    Last October, the federal government was considering requiring companies to notify customers and the public of serious data breaches. However, the Fin Review reports it is over four years since a similar recommendation was made by the Australian Law Reform Commission.

    The then attorney-general, Nicola Roxon, published a discussion paper on potential implementation of plans, which could require companies and public-sector agencies to notify the Office of the Australian Privacy ­Commissioner when names, addresses and financial data are leaked or obtained by someone else.

    A spokeswoman for Attorney-General Mark Dreyfus said there were voluntary guidelines on how Australian companies and organisations should report a security breach, but increasing risks meant tougher laws could be on the way.

    “The Attorney-General is considering proposals that would require companies to report to consumers and the Commonwealth Privacy Commissioner when a data breach occurs, to improve privacy, bolster the security culture within organisations and bring Australia into line with international jurisdictions.”

SMEs and data breach notification

Data breach notification is a complicated issue. Yes, by sharing how threats have occurred we could be inviting copy-cat attacks. But Australians need to be made aware of what could threaten them.

There has been much criticism after past data breaches, such as the well-publicised Sony data breach, of companies who “held out” on their customers following a breach, waiting days or up to a week or so to notify customers while those customers’ personal information was at risk.

And rightly so. During the period of ‘silence’ it can be argued that hackers have free access to this personal information without the consumer being able to do anything to minimise their own risk, such as cancelling accounts, changing passwords and flagging their credit accounts and credit file.

For small to medium businesses, we need to make plans and take precautions to prevent future attacks and protect our consumers – and without a requirement to disclose data breaches, SMEs are missing a big opportunity to be guided by the example of big business in how to handle (or not to handle) cyber-attack.

That wider issue is what Australian SMEs face today – we are in the firing line for cyber-attacks simply by having a website and staff with email addresses – but we rarely have the same security capabilities, the same profit margin and in many cases the same ‘publicity’ power that large entities have. I can’t help imagining that as data breach laws begin to be enhanced, SMEs could become the section of business most concerned with privacy issues, and that the application of privacy law, and indeed lawsuits against SMEs, could be just as big a threat as the data breaches themselves.

That is another reason why big business needs to set the example. Until the law requires them to do so, it would be ideal for them to voluntarily disclose data breaches as they occur, with a view to educating the whole community on the nature of cyber-attack, and showing examples of the correct process for both preventing occurrences and dealing with them when they happen.

Currently, the best place to go for up-to-date information on cyber-security and your rights and obligations is the Office of the Australian Information Commissioner (OAIC). The OAIC’s article A Guide To Handling Personal Information Security Breaches is essential reading for SMEs and includes information on obligations under the Privacy Act 1988, and advice on both handling a data breach and preventing future data breaches in your company.

As consumers

    If you suspect your credit accounts may have been affected by identity theft – either through a cyber-attack or any form of credit fraud, you should do three things:

    1. Contact Police to report it.

    2. Notify your banks and Creditors.

    3. Notify the credit reporting agencies which hold your credit file.

Act quickly. The faster you are able to take these actions, the better you will be able to protect your credit file from impairment. Catching identity theft early could prevent defaults and other credit listings.

    This is why mandatory data breach notification is so important from the perspective of the consumer. Recovering your clean credit file following identity theft which has led to credit fraud can be difficult for individuals to do, as you have to prove you didn’t initiate the credit in your name.

    For further help or advice contact a MyCRA Credit Repair Advisor on 1300 667 218.

    Image 1: renjith krishnan/ www.FreeDigitalPhotos.net

    Image 2: AscensionDigital/ www.FreeDigitalPhotos.net


  • How Can You Prevent a Data Breach in Your Small Business?

If we can learn anything from recent reports of more Australian cyber-crime victims, it is that personal information is vitally important to keep safe. Today’s cyber-crook or scammer is not only after your money – they are after the money you can borrow, by obtaining credit in your name. The recent arrests of seven Romanian people in Australia’s largest credit card data theft investigation, in which those criminals had access to 500,000 Australian credit cards, is a chilling reminder to all Australians that we are not immune to fraud and identity theft. The fact that these criminals were able to gain this information by hacking the databases of 100 Australian small businesses prompts us to look into what Australians can do to protect customer information within their business network and keep their customers’ personal information and credit files safe.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.

    On Thursday, the Australian Federal Police announced in a joint release to the media, that they have arrested seven people in Romania in Australia’s largest credit card data theft investigation.

    The criminal syndicate had access to 500 000 Australian credit cards and approximately 30 000 credit cards have been used for fraudulent transactions amounting to more than $30 million…

    Stolen credit card data was being used to create false credit cards, enabling thousands of counterfeit transactions to be carried out in numerous overseas locations including Europe, Hong Kong, Australia and the United States.

    After the AFP identified the cause of the data compromise, the investigation grew to involve numerous international law enforcement partners and the Australian banking and finance sector also provided strong support…

    No Australian credit card holders lost money as a result of these fraudulent transactions. Australian financial institutions reimbursed the financial losses of cardholders…

    Abacus Australian Mutuals CEO Louise Petschler said today’s developments show that cyber crime is a global enterprise.

    “It underlines how a coordinated approach by law enforcement agencies, financial institutions, merchants and consumers can help fight card fraud. We all have a role to play to ensure credit card transactions are safe and secure,” Ms Petschler said.

“Policing is only one part of the solution to stop data compromises – credit cards should be kept in a secure place, ATMs should be checked for any unusual attachments, personal details including PIN numbers should be protected, financial statements should be checked continuously, mail boxes should be secured and if possible, ‘chip and pin’ security implemented on credit cards,” Commander McEwen said.

The ABC ran a story the same day on this issue, ‘Australian small businesses targeted by data theft syndicate.’

    It featured IT security expert, Nigel Phair from the Centre for Internet Safety at the University of Canberra. He says it proves that many small businesses are not taking data security seriously enough.

    While he’s surprised at the scale of the operation, Nigel Phair isn’t surprised Australia was a target.

“We are susceptible. We are a good economy, we are ripe for the picking for these international criminals,” Nigel Phair says.

He says the issue for small businesses is that they spend next to no money on any IT security.

    He says it is relatively simple for criminals to get hold of those credit card details if a company doesn’t have any such security.

    “It really is a matter of just hacking into the organisation, finding where their credit card details are stored and then stealing them and then transacting them yourself, you know. And then the next question coming out of that is after you do a transaction with a small to medium enterprise, there’s no reason for them to retain your data,” he says.

“In the small to medium category I would suggest most [small businesses] aren’t adhering to it [best practice when it comes to credit card data].”

    Preventing Data Breaches in Small Businesses

Following the introduction of amendments to Australia’s privacy laws in the form of the Privacy Amendments (Enhancing Privacy Protection) Bill 2012, there will be more protection for individuals in regard to their personal information.

How this will flow through to small business procedures is still to be officially outlined, as small businesses will be exempt from some of the new laws.

Small businesses looking to comply as closely as possible with best practice guidelines for personal information security right now should consult the Privacy Commissioner’s guidelines, found on the OAIC website.

    The Privacy Commissioner, Timothy Pilgrim says appropriate security safeguards for personal information need to be considered across a range of areas. This could include maintaining physical security, computer and network security, communications security and personnel security. To meet their information security obligations, agencies and organisations should consider the following steps:

    Risk assessment – Identifying the security risks to personal information held by the organisation and the consequences of a breach of security.

    Privacy impact assessments – Evaluating, in a systemic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations.

    Policy development – Developing a policy or range of policies that implement measures, practices and procedures to reduce the identified risks to information security.

    Staff training – Training staff and managers in security and fraud awareness, practices and procedures and codes of conduct.

    The appointment of a responsible person or position – Creating a designated position within the agency or organisation to deal with data breaches. This position could have responsibility for establishing policy and procedures, training staff, coordinating reviews and audits and investigating and responding to breaches.

    Technology – Implementing privacy enhancing technologies to secure personal information held by the agency or organisation, including through such measures as access control, copy protection, intrusion detection, and robust encryption.

    Monitoring and review – Monitoring compliance with the security policy, periodic assessments of new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place.

    Standards – Measuring performance against relevant Australian and international standards as a guide.

    Appropriate contract management – Conducting appropriate due diligence where services (especially data storage services) are contracted, particularly in terms of the IT security policies and practices that the service provider has in place, and then monitoring compliance with these policies through periodic audits.

He goes on to say that in seeking to prevent data breaches, agencies and organisations should be considering their other privacy obligations to do with data collection and retention. Some breaches or risks of harm can be avoided or minimised by not collecting particular types of personal information, or by only keeping it for as long as necessary.

    Consider the following:

What personal information is it necessary to collect? – … “Personal information that is never collected, cannot be mishandled,” he says.

How long does the personal information need to be kept? – … “destruction or de-identification of information that is no longer required will usually be a reasonable step to prevent the loss or misuse of that information.”

    For a full and complete picture of the OAIC Privacy Guidelines, including the relevant Privacy Principles and obligations you may be subject to, we recommend you read the above information in its full context, in this article: the Office of the Australian Information Commissioner, Data breach notification: a guide to handling personal information security breaches – April 2012.

Image: cooldesign/ www.FreeDigitalPhotos.net