One data breach that made anyone with a passing interest in information security facepalm involved the online wine shop Vinomofo. After the breach, the company suggested that it was "in line with industry practice" to use a customer database to test its newly upgraded digital platform.
You don't need technical nous to understand that using production data to test a new system is a terrible idea.
Others include Woolworths' online MyDeal service, which had the login details for its customer relationship management system compromised. Now, 2.2 million or so records are going cheaply on hacker forums, costing just a few hundred dollars for the whole set.
The worst looks to be a ransomware attack on private health insurer Medibank, in which 200 gigabytes of sensitive personal information were snatched by hackers for extortion purposes.
Those are the obvious ones that have attracted media attention. It's a safe bet that more data leaks have happened, as the attackers decided it was Australia's turn to cop it.
The thing is, though, modern technology can be more secure than it used to be.
Take those old-fashioned little grey telco "mushrooms" outside houses and buildings for example: it was pretty easy to eavesdrop on voice communications traversing phone lines. No encryption and no alarms that picked up line tampering saw to that.
Doing the same with optical fibre lines is much harder, but the difference nowadays is that there is lots of information - and much of it due to regulatory and business requirements - stored everywhere. It's easy to collect almost any amount of data now, and there are efficiency and insight incentives for businesses, governments and almost any organisation you can think of to do so.
However, managing data on an internet scale, even knowing where it is, let alone securing it, requires a high degree of technical competence and, of course, investment in people and systems.
Hackers don't have those constraints. At the low end of the scale, they don't have to be particularly skilled, just lucky. A cheap computer with an internet connection that provides access to dodgy web forums is pretty much the only tool they need.
Even for the professionals, preventing accidental data leaks can be hard. It only takes one mistake, as Microsoft learnt this month after being told that security researchers at SOCRadar had found misconfigured cloud servers holding loads of sensitive business-to-business information.
As a service to the claimed 150,000 companies in 123 countries with sensitive data exposed, SOCRadar built the "BlueBleed" search engine so that people could check if they were affected.
The Australian government is now signaling that it has given up on the infosec carrot and unveiled a much bigger stick than before to make organisations sit up and pay attention.
As a direct consequence of the recent serious data breaches, Australia now wants to increase data breach fines from AU$2.2 million (NZ$2.44m) to AU$50m (NZ$55.4m); or three times the value of any benefit that the misuse of hacked data brings; or 30 per cent of a company's adjusted turnover in the relevant period.
More stringent criteria for mandatory data breach reporting look likely to be introduced. Here's hoping they'll be clearer as well, as the recently legislated criteria are vague and confusing.
Needless to say, the Aussie rules will apply to New Zealand companies operating across the ditch as well. New Zealand could also look at "harmonising" its rules with the ones in Australia, especially if we go through a similar wave of data breaches.
Now would be a good time for businesses and other organisations to take stock of what's stored on their networks and servers, as getting hacked is expensive and damaging enough without being slapped with huge fines for negligence resulting in privacy breaches.