Dicing with a data disaster

It’s a company that regularly features in lists of New Zealand’s most trusted brands, its yellow livery and distinctive AA logo instantly recognisable to thousands of Kiwis.

But in May, the Automobile Association revealed it had suffered a massive data breach, exposing the personal details of “thousands, to hundreds of thousands of people”.

Its mothballed aatravel.co.nz website, which had been active between 2003 and 2018 for travel insurance and accommodation bookings through its AA Traveller arm, was hacked in August 2021.

A trove of data, including names, email addresses, phone numbers and passwords, was stolen. Hackers typically sell the information on the dark web or use it for identity-theft scams.

“You should be able to give your data and for that to be secure,” Greig Leighton, AA’s general manager of travel, tourism and publishing, told customers. “We understand that and respect that and are incredibly sorry.”

For Deputy Privacy Commissioner Liz MacPherson, the AA hack is a classic example of a data breach that can seriously damage a company’s reputation but which is easily avoidable.

“Over-collection of information is a real problem,” she says. “If you don’t need it, don’t collect it. If you do need to collect it, make sure you really understand how it’s been stored, how it’s being used, and have a really robust retention and destruction policy.

“Boards need to be taking the responsibility for personal information as seriously as they are taking the responsibility for health and safety.”

It is hard to measure the damage done to AA’s brand. But a major study published in the Journal of Cybersecurity last year and looking at major data breaches at 45 companies between 2002 and 2018, found they suffered a 5-9% decline in “reputational intangible capital” following a data breach.

Consumer-facing businesses take a bigger reputational hit in the wake of a data breach. That is borne out in the Privacy Commission’s most recent survey of consumers, which found that 63% of New Zealanders would consider changing service providers if they heard they had poor privacy and security practices.

“So that’s your bottom line,” says MacPherson. “Are you a trusted custodian of the personal information that you hold? Because it is just as valuable an asset as anything else that you hold.”

The new Privacy Act, which came into effect in December 2020, has been widely criticised for lacking the teeth necessary to make companies and government agencies alike take data security and privacy seriously.

Owning up to breaches

But it did introduce one significant provision – mandatory breach notifications. Any organisation that suffers a significant data breach that could cause “serious harm” must inform the Privacy Commission and affected parties as soon as possible, typically within 72 hours of them becoming aware of it.

The AA worked with the Privacy Commission and hired a cyber-security firm to secure its systems and try to ascertain the extent of the breach.

Malicious cyberattacks have been on the rise since the pandemic forced workers in their millions to increasingly log in from home, and businesses had to hastily digitise systems to accommodate social-distancing requirements.

The major ransomware attack on the servers of the Waikato District Health Board in May, 2021 showed how disruptive such attacks can be. The health board’s management refused to pay hackers a ransom for the return of sensitive data about patients, staff and finances. That is exactly what the Privacy Commission recommends, not giving into ransom demands.

But surgeries were cancelled and test results delayed while the health board’s IT team had to painstakingly rebuild dozens of computers and servers.

Such attacks should serve as a stark reminder to any board that cyber security needs to be made a top priority to mitigate the risk of unauthorised access.

But the biggest risk of data breaches remains ‘human error’. It can be fairly prosaic in nature – a spreadsheet of customer details being inadvertently emailed out to hundreds of recipients, data entry and redaction errors, or slip-ups in couriering documents to the wrong address.

Over a quarter of breaches reported to the Privacy Commission relate to people emailing out sensitive information, says MacPherson.

“Because it’s human error, they feel they don’t have to deal with it because it’s just one of those things. But you should be taking responsibility for scaffolding the people within your organisation to make it more difficult for them to make those human errors.”

The privacy threat within

Simple systems and processes around information management would prevent the majority of data breaches and would also tackle another overlooked privacy risk – the inappropriate sharing of data within an organisation.

The Accident Compensation Corporation (ACC) was embarrassed last October when a whistleblower revealed to RNZ that employees at ACC’s Hamilton contact centre had been sharing photos of client injury descriptions in a private Snapchat group called “ACC Whores”.

ACC stood down 12 employees while it undertook an investigation. It was an incredibly bad look for an organisation that holds highly sensitive health information on hundreds of thousands of Kiwis.

MacPherson says regular internal checks, spot audits and reviews of access privileges should be undertaken by organisations holding similarly sensitive data.

Of the complaints lodged each year with the Privacy Commission, more than 80% relate to problems people encounter trying to access the information an organisation has on them.

During the year to 31 March 2022, OPC received:

The right to view that information is enshrined in the Privacy Act. The commission has even created the AboutMe tool, which is a standardised way for organisations to streamline the handling of data requests.

“But individuals essentially have to keep complaining to us in order to get access to their information,” says MacPherson. “If you fight me for that information, what does that tell me about you as a business?”

If board directors can instil more discipline about data management processes to avoid human slip-ups and advocate for more investment in cyber security, we will likely see fewer data breaches as a result.

Emerging issues

Emerging technologies are creating new risks and also require careful consideration at the top of companies.

Facial recognition technology is increasingly being used by retailers for security purposes and as a convenient way to access financial services. But biometric data is particularly sensitive.

“It’s not like your password, it’s hard to change your face and it’s hard to change your fingerprints,” says MacPherson. “If that’s hacked or lost, it has a dramatic amount of impact on individuals and makes them incredibly vulnerable to having your identity stolen.”

Is there a less intrusive and ultimately less risky way of achieving the same goal without gathering biometric information?

That’s the question board members should ask management, says MacPherson.

Those organisations setting out to “do the right thing” by customers will ultimately lessen the risk of costly and embarrassing data breaches occurring.

“A board that takes a purely compliance approach is never going to actually deal with your privacy issues. Culture eats compliance for breakfast.”

Close to home

The Institute of Directors experienced a cyberattack earlier this year that forced us to shut down our online credit card facility. Problems with the interface between our website and an external payments system were discovered by our bank on March 24. We immediately ceased operating the payments facility, then put our incident response plans into action.

While there were concerns that this was the second incident in three years (our homepage was defaced in 2019), the attacks were unrelated. To ensure members can benefit from our experience, a report on the incident and our learnings will be prepared as soon as possible.

This is a reminder that the hacking arms race never stops. Just because your system is secure today, it doesn’t mean it will still be secure tomorrow.

Top three priorities for boards

Only collect the data you need

It starts with the leadership team requiring a data collection policy that minimises the collection and retention of data. The more data you have sitting in digital repositories, the more likely you will have a data breach. Only hold the data you really need and have effective systems for secure data retention and destruction.

Regular privacy status reporting

The senior leadership team and board of directors should receive regular reports from the privacy officer detailing privacy policy compliant, data breaches, near misses and data access requests.

A privacy incident management plan

Make sure you have provisions in place if a breach is discovered. What will you do to minimise the harm to customers and uphold your obligations under the Privacy Act? MacPherson says: “You don’t want to find out that your staircase exit is blocked when there’s a fire. The same thing goes for privacy breaches.”