
The Road To Keeping Your Information Safe

by Rebecca Moonen

As a result of a routine credit check, I was recently informed that I’d been applying for credit cards with a Hong Kong bank, something I was fairly certain I’d remember doing, having never visited. As a customer, I expect that my data will be kept secure by the companies I disclose it to, yet Symantec’s research shows that three out of every four Australian organisations experienced at least one data breach last year. Customer records, including personal information and credit card details, are regularly lost in their thousands by the companies that collect them.

You’ll remember the Sony breach in April, where hackers accessed the personal records of around 100 million customers. A more recent incident at Citigroup was reported to customers three weeks after thousands of North American credit card numbers were stolen, with $2.7 million in unauthorised charges billed to card holders. But it’s not just your credit card data that’s in demand. On a global scale, job applications, blood donor records, political party membership registers, and hotel patronage lists have found their way into third-party hands.

While the banks are likely to foot the bill for unauthorised transactions on your account (should you prove the charges are fraudulent), the aftermath for customers can be frustratingly time-consuming. Changing passwords, scrutinising bank statements, and obtaining copies of your credit report (hopefully sans Hong Kong credit card applications) all wear down customer patience.

Putting aside the wrath of angry customers and damage to reputation, breaches also carry financial repercussions for neglectful organisations. A recent Symantec study has revealed that the post-breach clean-up bill averages $2 million per incident.

Unlike in the USA, there’s no legislation in Australia that requires companies to notify their customers of data breaches. In fact, of the thousands of organisations that reported incidents in 2010, only a third fessed up to their customers; most chose to batten down the hatches and look the other way.

With e-health on the way (carrying the secrets of millions of Australians), the government is responding to recommendations for a revamp in privacy law reform to decide whether mandatory data breach notification laws should be implemented. But while legislation will play a part, it must carry appropriate penalties to avoid being seen as a slap on the wrist by nonchalant organisations.

Deliberate attacks from disgruntled employees are common, but accidental data breaches also occur through theft of a laptop or mobile device, inappropriate disposal of customer records, and exploitation of unknown weaknesses in company systems. Attackers will also seek out the personal information of the key players in organisations and socially engineer their way in through more legitimate-looking channels such as password retrieval and building entry.

Companies should be educated in safe data storage with a “need to have” vs. “nice to have” model for data accessibility. Eliminating unnecessary data by taking it offline should be teamed with routine monitoring tools to detect viruses, malware, and unauthorised access. Data should be encrypted where possible, and any device that leaves the office should be protected in case of theft. Procedures should be updated to reflect industry best practice, with crisis management plans at the ready for a quick response (should it all go pear-shaped).

Customers should be vigilant; being reimbursed for fraudulent credit card use won’t protect you from identity theft if the attacker also gets their hands on your personal information. In the meantime I’ll be stashing my loot under the mattress and saving for my trip to Hong Kong.

If you’d like to learn more about keeping your information secure, head to our Cyber Safety website and check out the latest fact sheets available for you to download or alternatively, take a look at the press release.

3 comments

  1. andy says:

    It’s ironic that a security article should appear on the iiNet front page, since I only just emailed them on Friday. The article mentions that companies don’t know about software weaknesses, but in the email I sent them I pointed out they need to up their security. For example, a simple telnet on reveals iiNet uses Apache web server 2.2.14 – shame on the admin who didn’t remove the banner…

    Also, the supposedly secure Toolbox/email spits out a plaintext username and password with a simple MITM (Man-In-The-Middle) attack on the local LAN (or a café). No JavaScript to hash the password???!!! The bottom line is: if you want to talk the security talk, walk the security walk…

    And customers (myself included): unless you want your credentials stolen, don’t check your email in a public place – they just don’t protect you well enough. A lot of ISPs don’t, but then a lot of ISPs don’t brag about their security (check the source of the Toolbox page..). Will you delete this comment, iiNet? Screenshot..

    • Adam O'grady says:

      Thanks for your comment.

      You raise a good point – connecting to our web server will cause it to report the software version installed – however we have processes in place to ensure our software and systems are secure. Simply removing the banner will not discourage attackers from trying various attack methods – similarly most financial institutions do not mask that information for the same reason.

      Any up-to-date browser will warn a customer of an MITM attack on SSL, so it’s uncommon for sites to use one-way Javascript encryption of passwords. That said, we’ll be doing a technical investigation of your suggestions as we continually try to find innovative ways to keep our customers satisfied and secure.

      Finally, it’s worth mentioning that when using a public internet computer (such as a NetCafe) there is a risk of malicious software such as keyloggers capturing your password, which neither SSL nor JavaScript will protect against, so we recommend customers always be careful when using passwords on public computers.
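The banner discussed in the comment above is controlled by two Apache directives. The fragment below is an added example and is not iiNet’s configuration; it shows the verbose setting beside the hardened one, for an httpd.conf or a vhost file.

```apache
# Verbose (default-style) settings: the Server header and error-page
# footer disclose the exact httpd version and loaded modules, e.g.
#   Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 PHP/5.3.1
#
# ServerTokens Full
# ServerSignature On

# Hardened settings: the header collapses to "Server: Apache" and the
# version footer disappears from server-generated error pages.
# Note: this only reduces what is advertised; the running version must
# still be patched, as the reply above points out.
ServerTokens Prod
ServerSignature Off
```

After restarting httpd, a request for the headers (for example `curl -sI https://host/`) should show a bare `Server: Apache` line.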

  2. You never cease to amaze me. Very interesting reading.
