Westpac and ANU data breaches – What you can do to prevent these types of malicious attacks

The privacy of individuals and how organisations protect this privacy continue to gain attention in the media, with data breaches involving two prominent Australian organisations hitting the news in the last week.

Westpac Banking Corporation

It has been reported in Australian media that Westpac has been subject to an enumeration attack – when a malicious actor uses brute-force to either guess or confirm valid users in a system. Westpac confirmed that it “had detected mis-use of the [New Payments Platform’s] PayID functionality and we took additional preventative actions which did not include a system shutdown.” Westpac did not release the number of individuals affected, though The Age reported that 100,000 individuals’ names and phone numbers were compromised during the attack.

Australian National University

Additionally, on 4 June 2019 the Australian National University (ANU) stated that it had recently become aware that it’s system had been the subject to unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years. While the access occurred in late July 2018, ANU only became aware of the attack two weeks ago. The information that was compromised included include names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, and passport details.

Why this is an issue

Personal information is incredibly valuable, particularly as the world becomes increasingly connected through technological advances. Personal information can be used to carry out identity theft by impersonating the person to whom the information relates. Additionally data breaches can be a threat to the safety of individuals if they are at risk of serious harm due to the information being released.

Additionally, the introduction of the Notifiable Data Breach Scheme (NDB Scheme) in February 2018 has placed organisations on notice that the security of personal information is a serious issue in Australia. Eligible data breaches are now reportable to the Office of the Australian Information Commissioner (OAIC) and individuals affected. Eligible data breaches arise when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds; and
  • this is likely to result in serious harm to one or more individuals (see Is serious harm, and
  • the entity has not been able to prevent the likely risk of serious harm with remedial action.

Before the introduction of the NDB Scheme, a voluntary reporting scheme existed. In the 12-month period following the introduction of the NDB Scheme, a 712% increase in the number of reports made to the OAIC was recorded.

What you can do to prevent malicious attacks

The breaches that occurred at Westpac and ANU are indicative of the most common cause of data breaches, being malicious or criminal activity. 60% of the reports made to the OAIC in the first 12 months of the NDBS fall into this category. In order to reduce the opportunity for malicious attacks to occur, the OAIC recommends:

  • identifying and minimising known security risks;
  • engaging expert security advice;
  • implementing encryption and secure data transfer technologies;
  • undertaking proactive monitoring of systems; and
  • remove data that is unnecessary to the function of the system.

Prepare now

In its Notifiable Data Breaches Scheme 12‑month Insights Report, the OAIC identifies training and preparation as key tips for best practice in relation to data breaches.

We encourage organisations to prepare for a data breach before it happens to ensure a swift and cohesive response in the event that one occurs. The following recommendations are useful starting points:

1.  Implement a Data Breach Response Plan

A DBRP provides practical guidance on how to reduce the impact of a breach, meet obligations under the NDB Scheme and reduce harm to individuals. A DBRP should be tailored to your organisation and set our how you will assess whether there is a risk of serious harm and whether the breach is reportable – elements that we often find are lacking in DBRPs.

2.  Test your Plan

The OAIC encourages organisations to carry out regular exercises or data breach simulations, as they are a critical way that organisations can ensure preparedness as they often highlight deficiencies and risky dependencies. Moores recently carried out a data breach simulation workshop with our clients, which allowed clients to consider how to assess harm and the special considerations that were required for their data breaches.

3.  Train your staff

All employees should be trained on how to detect and report email‑based threats (such as phishing), understand basic account security (such as secure passwords) and how to protect their devices. Human error contributed to 35% of all data breaches in the first 12 months of the NDB Scheme. Education should also focus on data handling practices and how to report suspected privacy breaches. Moores regularly runs this training with our clients to raise awareness throughout the organisation.

How we can help

Moores is able to support organisations who are navigating the privacy landscape by providing an assessment of their privacy practices and updating their Privacy Policy or Data Breach Response Plan. Additionally, we can run training and simulations that are targeted at your organisation’s unique practices and in a format that is practical for employees.

For more information, please do not hesitate to contact us.

Authors