Author: Conrad Caburian

Cyber security encompasses a set of practices, technologies, and processes designed to protect computer systems, networks, and data from unauthorised access, attacks, and exploitation. It’s like a digital immune system, constantly monitoring and defending against threats.

The Office of the Australian Information Commissioner (OAIC) is an independent Australian Government agency responsible for privacy and   freedom of information. 

The Notifiable Data Breach (NDB) scheme was established in February 2018 to drive better security standards and accountability for protecting personal information and to improve consumer protection. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 that experiences an eligible data breach must notify affected individuals and the OAIC.

According to the OAIC Report:

1. 📉 Breaches Decline

• During this period, 409 breaches were reported, marking a 16% decrease compared to the 486 breaches in the previous July to December 2022 period.

2. 🦹 Leading Causes

• Malicious or criminal attacks remained the primary cause, accounting for 70% of data breaches.

3. 📅 Swift Identification

• Human error breaches were swiftly identified, with 81% detected within 30 days or fewer.
• In contrast, only 57% of system faults were identified within the same timeframe.

4. 🏥 Top Reporting Sectors

• The health and finance sectors continued to be the most active reporters of data breaches.
• Health reported 63 breaches (constituting 15% of all notifications), while finance reported 54 breaches (representing 13% of all notifications).

5. 👤Impact on Individuals

• The majority of breaches (63%) affected 100 or fewer people.

According to OAIC, and their Notifiable Data Report from January 2023 to June 2023:

The Optus data breach stands as one of the largest security breaches in Australian history. As Australia’s second-largest telecommunications company, this incident has prompted inquiries into the country’s data security policies and corporate practices. 

Data Breach Details

Personal information of 11 million customers was compromised. The accessed data included names, birth dates, phone numbers, email addresses, home addresses, driver’s licenses, passport numbers, and Medicare ID numbers.

Customer Notification

Optus proactively contacted all customers. They began by notifying those directly impacted by the breach and then extended notifications to those whose data remained secure.

Phishing Attacks Surge

In the aftermath of the breach, there was a notable increase in phishing attacks and fraudulent attempts specifically targeting the affected customers.

Ransom Demand and Data Exposure

Despite a ransom demand, Optus chose not to comply. As a consequence, the attackers publicly released a text file containing 10,000 customer records on September 26. This exposed the data to other malicious actors who could potentially use it for their own phishing campaigns.

Data Breach Impact

Approximately 40% of the population had their personal data compromised.

High-Risk Individuals

Among those affected, approximately 2.8 million people whose passport or license numbers were stolen face a significant risk of identity theft and fraud.

Medicare Card Theft

The breach also resulted in the theft of 37,000 Medicare cards belonging to customers.  

The Australian personal loan and financial service provider, was affected by a data breach that impacted millions of people from Australia and New Zealand. Latitude is currently being investigated for its role in the attack and whether or not it had sufficient ability to prevent the attack from happening. The company is also being investigated for a class-action lawsuit.

• In March 2023, a significant data breach impacted 14 million customers through Latitude Financial. Initially, the disclosure indicated that only 328,000 individual customers were affected. However, further investigation revealed the true extent of the breach.
• The breach occurred when employee credentials were stolen, granting unauthorised access to Latitude’s customer data. This dataset primarily included full names, physical addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, and passport numbers1.
• Notably, a substantial portion of this information was data stored since 2005. This raised questions about why companies continue to retain customer records beyond the required seven-year timeframe.

Canva, the Australian unicorn in the online design space, experienced a massive data breach affecting millions of users. To contextualise this, Canva currently boasts approximately 55 million active monthly users.

The breach occurred when a cybercriminal group infiltrated Canva’s defenses. Although Canva detected malicious activity in their systems and intervened, the interception did not happen swiftly enough to prevent the breach.

• In May 2019, 137 million of its users were impacted
• Accessed usernames, real names, email addresses, country data, encrypted passwords, partial payment data

Mitigation strategies in cyber security aim to reduce the risk of cyber threats and attacks. Here are some common mitigation strategies: 

An increasing trend in the industry is now the adoption, or alignment, to several frameworks focused on improving an organisation's ability to mitigate cyber incidents.

ISO27001

It is an internationally recognised standard for Information Security Management Systems (ISMS). It provides guidance for organisations of any size and across all sectors to establish, implement, maintain, and continually improve their information security management systems.

SOC2

Service Organisation Control 2, is a widely recognised auditing standard developed by the American Institute of CPAs (AICPA). It is specifically designed for service providers, such as cloud computing vendors, Software as a Service (SaaS) providers, data centres, and other entities that handle customer data or provide services to other organisations.

The SOC 2 framework focuses on five key trust service criteria:

1. 🛡️ Security: The system is protected against unauthorised access, both physical and logical.
2. ✅ Availability: The system is available for operation and use as committed or agreed.
3. ⚙️ Processing Integrity: System processing is complete, valid, accurate, timely, and authorised.
4. 🤫 Confidentiality: Information designated as confidential is protected as committed or agreed.
5. 🔒 Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and criteria set forth in Generally Accepted Privacy Principles (GAPP)

CPS 234

CPS 234 refers to a prudential standard issued by the Australian Prudential Regulation Authority (APRA), known as CPS 234 Information Security, which came into effect on July 1, 2019. CPS 234 sets out requirements for APRA-regulated entities, such as banks, insurance companies, and superannuation funds, regarding their management of information security risks.

The primary objective of CPS 234 is to ensure that APRA-regulated entities take appropriate measures to protect their information assets and maintain the confidentiality, integrity, and availability of those assets. This standard is crucial for safeguarding the financial sector against cyber threats and ensuring the resilience of critical financial systems and services.