Chain reaction

Article
By Lyal Collins, Principal Consultant, Aura Information Security Melbourne
29 Sep 2023
4 min to read

Personal data is the currency of the modern world. Businesses collect copious amounts of it about their customers for all manner of reasons, and even where the purpose is to improve service or drive innovation, there is often little consideration of what that data will cost the business if it is lost or disclosed.

In contrast, cybercriminals understand very well how powerful personal information is, particularly when it is stolen and used to extort money from the corporate victim. That is why we have seen a rising number of attacks and breaches against sectors known to hold large volumes of it, such as health, hotels, telcos and finance.

If personal data is caught up in a cyber incident, most people think of the immediate, tangible impacts. Affected individuals face the inconvenience of replacing their documents and changing their passwords, and at worst become victims of identity fraud. And certainly there is a cost to the breached company, especially if its operations are halted while it deals with the aftereffects.

But at a governance level there is something more sinister to consider, because cyber breaches present a real threat to the credibility of national identity frameworks and the trust structures built on them.

Passports and drivers’ licences form the cornerstones of modern life. We use them to validate our identity and transact in the world, from opening bank accounts, securing jobs, obtaining credit, and even renting and buying property.

This raises the question: what faith can we have in identification documents if millions of them have been exposed, potentially corrupted and used for fraud? The tertiary impact of a breach can spread across many sectors and the economy as a whole.

The state of Victoria recently faced this very question, when nearly one million drivers’ licences were exposed as part of the Optus breach in 2022. As a mitigation, an additional security number was introduced by VicRoads as a means of validating the authenticity of replacement cards, along with the introduction of a two-step verification process.

The kicker: the cost of reissuing the licence cards was passed back to the breached entity, significantly increasing the financial impact. New South Wales likewise recovered the cost of reissuing its drivers’ licence cards.

As consumer trust in big business’s ability to protect personal data erodes, governments are asking at the highest levels what will motivate businesses to lift their information security to a level that truly reflects the consequences of a serious breach.

Over the past 12 months, Australia has been rocked by some of its largest ever privacy breaches, with three major cyber security incidents causing ongoing damage.

Between the Optus, Medibank and Latitude breaches, millions of drivers’ licences, passports, personal details and medical records have been laid bare on the dark web, ready to be exploited. Because many customers had used identity documents issued offshore, the breaches have touched people and firms globally.

As a direct result, legislators are preparing to make significant adjustments to the country’s privacy and data protection laws.

The incidents have cast a spotlight on the perceived lack of “bite” in the penalties, with proposals to increase fines to A$50 million (or 20 per cent of a company’s adjusted turnover) and to introduce a “right to be forgotten” for consumers, reminiscent of the European Union’s General Data Protection Regulation. Building the technical capability to ‘forget’ former customers will, like any other project, divert resources from growth and innovation opportunities, but a more resilient sector and economy should emerge from that investment.

The reforms also propose increased powers for the Australian information commissioner and a strengthening of the Notifiable Data Breaches scheme to provide the privacy watchdog with more visibility of what has been compromised in a breach.

Similarly, industry regulators are entering the fray: prudential regulator APRA has required Medibank to hold an additional A$250 million in capital, citing weaknesses identified in its information security after the personal information of 9.7 million current and former customers was stolen by hackers.

It follows that New Zealand directors should pay attention to what is happening across the Tasman, as New Zealand often follows Australia’s lead. While New Zealand overhauled its privacy legislation in 2020, critics have said its NZ$10,000 fines are too weak.

While penalties may act as a deterrent, many businesses still show an apparent lack of understanding of the true cost of a breach.

Optus, for example, had a customer base of 10 million, more than one-third of Australia’s population. Had its risk assessment taken into account the detriment a major leak would cause? Had it factored in who would shoulder the administrative burden of replacing up to 10 million passports and drivers’ licences at short notice if they fell into the wrong hands?

Class actions from those who suffered identity theft or fraud because of the breaches further compound the financial and brand damage. Directors would do well to ensure their organisations are adequately protecting the data they hold.

Boards should be asking their executive teams whether they fully understand what information is collected on customers, the nature of it, and whether the need to retain it outweighs the risk of losing it. Tertiary impacts on other entities that rely on the personal information you handle, such as the agencies that issued the identity documents you store, need to be reflected in your risk posture.

In the Latitude Finance cyber-attack, which saw 14 million Australian and New Zealand records exposed, former customer data including identity documents dating back to 2005 was caught up in the breach, raising questions as to why the company still retained such a broad range of personal details. This highlights the risk an organisation carries if it does not regularly clean out and delete data it no longer needs for legal or relationship reasons.
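The retention clean-out described above is a routine an engineering team can automate. The following is an added example, written for this article and not Latitude’s or any vendor’s code, of a retention sweep over customer records: each category of personal data is given a retention period (in years after the customer relationship ends), expired categories are redacted, and a former customer whose every category has expired is deleted outright. The retention periods, the record layout and the sample records are constructed for illustration and are not taken from the article or from any legislation.

```python
"""Retention sweep: redact or delete personal data held past its retention period.

Illustrative example only. The policy numbers, record shape and sample data
are assumptions made for this example, not figures from the article.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical policy: years each category may be kept after the
# customer relationship ends. Identity documents are the highest-impact
# category if breached, so they get the shortest retention.
RETENTION_YEARS: Dict[str, int] = {
    "identity_document": 2,
    "contact": 7,
    "transaction": 7,
}


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    relationship_ended: Optional[date]          # None: still an active customer
    identity_document: Optional[str] = None     # e.g. a licence or passport number
    contact: Optional[str] = None
    transaction: Optional[str] = None


def years_between(start: date, end: date) -> int:
    """Whole years elapsed from start to end (anniversary-based, not 365-day)."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years


def expired_fields(record: CustomerRecord, today: date) -> List[str]:
    """Categories whose retention period has lapsed and which still hold data.

    Active customers (relationship_ended is None) never expire here; their
    data is still needed for the relationship.
    """
    if record.relationship_ended is None:
        return []
    age = years_between(record.relationship_ended, today)
    return [
        category
        for category, limit in RETENTION_YEARS.items()
        if age >= limit and getattr(record, category) is not None
    ]


def sweep(
    records: List[CustomerRecord], today: date
) -> Tuple[List[CustomerRecord], List[str], Dict[str, List[str]]]:
    """Apply the policy to every record.

    Returns (kept_records, deleted_customer_ids, redactions) where redactions
    maps a customer id to the categories blanked from its record. A former
    customer left with no data in any category is deleted rather than kept
    as an empty shell.
    """
    kept: List[CustomerRecord] = []
    deleted: List[str] = []
    redactions: Dict[str, List[str]] = {}
    for record in records:
        expired = expired_fields(record, today)
        if expired:
            record = replace(record, **{category: None for category in expired})
            redactions[record.customer_id] = expired
        is_former = record.relationship_ended is not None
        is_empty = all(getattr(record, c) is None for c in RETENTION_YEARS)
        if is_former and is_empty:
            deleted.append(record.customer_id)
        else:
            kept.append(record)
    return kept, deleted, redactions


# Constructed sample data (not real customers); dates chosen so that one
# record is fully expired, one partly expired and two untouched.
SAMPLE_RECORDS = [
    CustomerRecord("c-001", None, "DL 123456", "a@example.com", "loan 2019"),
    CustomerRecord("c-002", date(2005, 6, 30), "PP N1234567", "b@example.com", "card 2004"),
    CustomerRecord("c-003", date(2021, 1, 15), "DL 987654", "c@example.com", "loan 2020"),
    CustomerRecord("c-004", date(2019, 3, 1), None, "d@example.com", "card 2018"),
]
AS_OF = date(2023, 9, 29)

if __name__ == "__main__":
    kept, deleted, redactions = sweep(SAMPLE_RECORDS, AS_OF)
    print("deleted:", deleted)
    print("redacted:", redactions)
    print("kept:", [r.customer_id for r in kept])
```

Run against the constructed sample as of 29 September 2023, the 2005 record is deleted entirely, the 2021 record keeps its contact and transaction data but loses the licence number, and the active customer is untouched. In a real deployment the sweep would run on a schedule against the production store and its output would be logged as evidence for the regulator; the point is that the decision of what to keep is a policy expressed in one place, not an accident of nobody having deleted anything since 2005.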

Finally, treat information security as a risk mitigation exercise, not just a series of tasks for IT teams to manage. Consider the wider impact on your customers, your business and the environment you operate in. Ask what a catastrophic breach would mean for your organisation, then apply suitable, effective mitigations commensurate with your footprint in the consumer market.

When cyber criminals steal data, it is not just the immediate victims who are hurt. As breaches grow in magnitude, they erode the very foundation of how we trust and validate identity.