Repeated Hacks Highlight Australia’s Cyber Flaws
Inadequate privacy safeguards and the storage of sensitive customer information have made Australia a lucrative target for foreign hackers, cybersecurity experts have told AFP following a series of major data breaches.
Medibank, Australia’s largest private health insurer, recently confirmed that hackers accessed the data of 9.7 million current and former customers, including medical records related to drug addiction and pregnancy terminations.
Telecoms company Optus fell prey to a data breach of a similar scale in late September, in which the personal data of up to 9.8 million people was accessed.
Both incidents sit comfortably among the biggest data breaches in Australian history.
Thomas Haines, a cybersecurity expert from the Australian National University, said many companies had accumulated personal data they shouldn’t have hung onto.
“There was a famous phrase for a while: data is the new oil,” he told AFP.
“If data is the new oil, then we live in the era of the weekly oil spill.”
Haines contrasted Australia’s approach with that of the European Union, which in 2018 passed sweeping privacy reforms limiting how organizations collect, use and store personal data.
“There must be incentives in place to prevent companies from hoarding data they don’t need, or to penalize those companies for major leaks. Europe has done that,” he said.
“Right now, the commercial incentives are basically like, let’s just keep a whole bunch of data.”
Haines said Medibank appeared to be an exception, as most of the sensitive information in its databases had been stored for a good reason.
– “For-profit” piracy –
Australia’s relatively weak safeguards against identity theft mean it’s also easier to exploit stolen personal information, Haines said.
“All they need to know is your passport, driver’s license and a few other things – and then I can start taking out loans on your behalf.”
Haines said European countries such as Norway have much stricter requirements for face-to-face contact.
Dennis Desmond, a former FBI agent and US Defense Intelligence Agency officer, said most hackers are looking for particular types of data.
“For-profit hackers are attacking health data, they are attacking identity data and credentials to access systems,” he told AFP.
“There’s a profit motive there, otherwise they wouldn’t risk jail and prosecution.”
The hackers behind the Medibank breach began leaking stolen data on a dark web forum this week after the company refused to pay a $9.7 million (A$15 million) ransom.
Optus’ breach resulted in the theft of customers’ names, dates of birth and passport numbers.
– Russia implicated –
On Friday, Australian Federal Police Commissioner Reece Kershaw blamed the Medibank cyberattack on a Russian-based hacker team.
“We believe those responsible for the breach are in Russia,” he told reporters.
“Our intelligence points to a loosely affiliated group of cybercriminals who are likely responsible for significant past breaches in countries around the world.”
So far, Medibank data leaked to the dark web has included hundreds of potentially compromising medical records related to drug addiction, alcohol abuse and sexually transmitted infections.
Home Secretary Clare O’Neil acknowledged on Friday that the country’s cyber defenses have not always been up to scratch.
University of Sydney data researcher Jane Andrew said a major flaw was that Australian companies were not always required to report data breaches.
“There are loads of data breaches happening all the time that we don’t hear about,” she told AFP.
“Companies have collected data because it is considered valuable, without fully understanding the potential risks.”