Another year, another scam. While data driven crime is more sophisticated and difficult to address than ever, human error and judgement remains one of the major problems.
The latest data breach report from the Office of the Australian Information Commissioner (OAIC) is surprising for the simplicity of the problems – 37% of data beaches resulted from human error not malicious attack. In over 20% of reported cases, personal information was simply sent to the wrong recipient. Another 6% of complaints were attributed to system faults.
Since 22 February 2018, businesses covered by the Privacy Act need to report unauthorised access to or disclosure of personal information or loss of personal information that your business holds under the Data Breach Scheme. The rules impact organisations with an annual turnover of $3 million or more, businesses ‘related to’ another business covered by the Privacy Act, or if your business, regardless of size, deals with health records (including gyms, child care centres, natural health providers, etc.,), is a credit provider, or holds Tax File Number information (see the list).
Organisations are required to take all reasonable steps to prevent a breach occurring, put in place the systems and procedures to identify and assess a breach, and issue a notification if a breach is likely to cause ‘serious harm’.
What the statistics from the OAIC demonstrate is that procedural integrity in your business is paramount – train your team to not only be wary of scams but ingrain best practice for the day to day management of personal data. Privacy protection is not just an ‘IT’ issue.
While not the only factor, protecting your systems remains a priority as Marriot Hotels discovered when the Starwood guest reservation database was breached. According to the latest announcement, up to 383 million records were potentially impacted. Of those, there were approximately 5.25 million unique unencrypted passport numbers. On 30 November 2018, the company announced that unauthorised access to the database may have been occurring since 2014.
Similarly, Cathay Pacific released a statement notifying that up to 9.4 million members of their Marco Polo Club, Asia Miles or a Registered Account holder have potentially had their data breached including passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks and historical travel information.
Remember, hackers can gain access to your business’s data simply by a staff member clicking on a link.
While not impacting personal data, according to the ScamWatch, a common scam is where hackers gain access to a business’ email accounts, or ‘spoof’ a business’ email so their emails appear to come from the company. The hacker then sends emails to customers claiming that the business’s banking details have changed and that future invoices should be paid to a new account. These emails look legitimate as they come from one of the business’s official email accounts. Payments then start to flow into the hacker’s account. The average loss from these scams is around $30,000.
A variation is where the hacker sends an email internally to a business’ accounts team, pretending to be the CEO, asking for funds to be urgently transferred to an off-shore account. Hackers can also request salary or rental payments be directed to a new account.
In 2018, these scams cost Australian business $30 million in 2018.
Simple measures you can take:
- Have strong and enforced processes in place for the management of personal client information.
- Strong authorising procedures for payments – two-step authority.
- Change passwords often and use two-step authentication where available.
- If a client’s bank details have changed, phone them and check the details.
- Train your team on cyber security:
- Check requests for payments that arrive electronically from other team members and management.
- Check email addresses are legitimate – look for slight variations.
- Be suspicious of poorly written emails.
- Don’t click on links from email – always use your account with the supplier or Government department to check details.
If contacted by the ATO, contact us to verify the information if you are concerned.