As a result of a routine credit check, I was recently informed that I’d been applying for credit cards with a Hong Kong bank, something that I was fairly certain I’d remember doing, having never visited. As a customer, I expect that my data will be kept secure by the companies I disclose it to, yet Symantec’s research shows that three out of every four Australian organisations experienced at least one data breach last year. Customer records, including personal information and credit card details, are regularly lost in their thousands by the companies that collect them.
You’ll remember the Sony breach in April, where hackers accessed the personal records of around 100 million customers. A more recent incident at Citigroup was reported to customers three weeks after thousands of North American credit card numbers were stolen, with $2.7 million in unauthorised charges billed to card holders. But it’s not just your credit card data that’s in demand. On a global scale, job applications, blood donor records, political party membership registers, and hotel patronage lists have found their way into third-party hands.
While the banks are likely to foot the bill for unauthorised transactions on your account (should you prove the charges are fraudulent), the aftermath for customers can be frustratingly time-consuming. Changing passwords, scrutinising bank statements, and obtaining copies of your credit report (hopefully sans Hong Kong credit card applications) all wear down customer patience.
Putting aside the wrath of angry customers and damage to reputation, breaches also carry financial repercussions for neglectful organisations. A recent Symantec study has revealed that the post-breach clean-up bill averages $2 million per incident.
Unlike in the USA, there’s no legislation in Australia that requires companies to notify their customers of data breaches. In fact, out of the thousands of organisations that reported incidents in 2010, only a third fessed up to their customers; most chose to batten down the hatches and look the other way.
With e-health on the way (carrying the secrets of millions of Australians), the government is responding to recommendations for privacy law reform by deciding whether mandatory data breach notification laws should be implemented. But while legislation will play a part, it must carry appropriate penalties to avoid being seen as a slap on the wrist by nonchalant organisations.
In a world where deliberate attacks from disgruntled employees are common, accidental data breaches can occur through theft of a laptop or mobile device, inappropriate disposal of customer records, and exploitation of unknown weaknesses in company systems. Attackers will also seek out the personal information of the key players in organisations and socially engineer themselves to gain access through more legitimate means such as password retrieval and building entry.
Companies should be educated in safe data storage with a “need to have” vs. “nice to have” model for data accessibility. Eliminating unnecessary data by taking it offline should be teamed with routine monitoring tools to detect viruses, malware, and unauthorised access. Data should be encrypted where possible, and any device that leaves the office should be protected in case of theft. Procedures should be updated to reflect industry best practice, with crisis management plans at the ready for a quick response (should it all go pear-shaped).
Customers should be vigilant: being reimbursed for fraudulent credit card use won’t protect you from identity theft if the attacker also gets their hands on your personal information. In the meantime I’ll be stashing my loot under the mattress and saving for my trip to Hong Kong.
If you’d like to learn more about keeping your information secure, head to our Cyber Safety website and check out the latest fact sheets available for you to download or alternatively, take a look at the press release.