We frequently blog here about incidents where companies, government agencies or the public have suffered data or security breaches at the hands of hackers. They’re often incidents that come to light because they affect the public in some way – by shutting down hospitals, exposing sensitive personal information, or threatening government security. But what about hacks that, while not having wide-reaching public implications, go to the core of a business’ operations?
Until recently, a security vulnerability in the social media platform Instagram allowed Hyp3r to illicitly harvest millions of Instagram users’ data and track their locations.
In a similar manner to the Cambridge Analytica scandal that plagued Facebook following the 2016 US presidential election, this latest example of Hyp3r’s mass data collection was discovered through a journalistic investigation and was not uncovered by the social media platform.
By Cameron Abbott and Alyssia Totham
Thirty years’ worth of student data from the University of Western Australia (UWA) has been stolen. Archaic and unconventional in the world of cyber security and data protection, this data breach resulted from the theft of laptops from the University. The number of laptops stolen and the number of students affected remain undisclosed by the University.
We are living in an era of online shopping, where consumers are more willing to hand over personal information for goods and services, and are less suspicious of whom they are divulging their personal information to. As a result, online businesses are in possession of a vast amount of their customers’ personal information. The recent hack of Sneaker Platform Stock-X reminds us yet again of the importance of businesses maintaining comprehensive and up to date security processes, and in particular, the necessity of having an adequate data breach response plan in place.
Stock-X, a platform for the resale of sneakers and apparel, was recently hacked, exposing over six million users’ personal data, including their real name, username, password, shoe size and trading currency. According to a report by TechCrunch, Stock-X’s initial response was to reset customer passwords, stating that this was due to system updates. A spokesperson for Stock-X later disclosed to TechCrunch that Stock-X had been alerted to “suspicious activity”. TechCrunch reports, however, that an unnamed data breach seller had contacted it claiming more than 6.8 million records were stolen from Stock-X in May, and that the records had been put up for sale and sold on the dark web for $300.
It’s been a chilly start to winter for three Australian organisations, who’ve this week reported major privacy and security breaches.
Up to 100,000 Australians’ personal information has been exposed in a hack affecting Westpac Bank. Westpac confirmed on Monday that details of Australian bank customers (not just those of Westpac) were exposed in a cyberattack on the real-time payments platform PayID. The banking giant says it noted a high volume of PayID lookups in 2019 on a semi-daily basis, the result of attackers guessing phone numbers; a correctly guessed number returned the name of the account holder to which it is linked. Despite the hack, Westpac says that no customer bank account details were compromised as a result of this cyberattack. Nevertheless, experts warn that the details accessed could still be used to commit fraud.
Unfortunately for all of us, Privacy Awareness Week doesn’t mean a chance to take a break from seemingly endless data breach notifications and social media vulnerabilities.
This week it’s WhatsApp’s turn, with reports that hackers, or, as WhatsApp described them, “an advanced cyber-actor”, have been able to remotely install surveillance software on the phones and other devices of select targets, likely to be lawyers, journalists, activists and human rights defenders. The hackers were able to compromise the devices by using WhatsApp’s call function to ring them. The surveillance software was installed even if the call was not picked up, and the call reportedly would disappear from the compromised device’s call log. This means the malware could be installed without any action from the compromised user – and potentially without them even being able to determine that they had been compromised.
By Cameron Abbott and Wendy Mansell
A recent report released by Moody’s Investors Service has shed some light on which business sectors are most at risk of cyberattacks.
After assessing 35 broad sectors it was concluded that banks, hospitals, security firms and market infrastructure providers face the highest risk. This was based on levels of vulnerability and the potential impact an attack would have.
The key determinative factor for these sectors is that they all rely heavily on technology and on confidential information in their operations.
The financial repercussions following a cyberattack in each of these sectors are extremely significant when considering the costs of insurance, penalties, consumer impact, potential litigation costs, R&D and technological impact, to name a few.
The financial market is so high risk because of the financial and commercial data it holds and the fact that its services are increasingly offered digitally, across multiple platforms, e.g. banking apps on mobile phones and smart watches.
On a similar note, because medical records are primarily collected and held in electronic form, hospitals are very attractive to hackers given the sensitive nature of the data.
While these industries should not be a shock to the reader, it is important for participants in those industries, and for suppliers to those participants, to realise the risk profile that attaches to them and to have procedures in place that reflect those risk levels. How one manages these risks is now likely to have indirect cost implications when ratings agencies like Moody’s are assessing these sorts of areas.
By Cameron Abbott, Max Evans and Wendy Mansell
A recent Wall Street Journal Report has detailed how America’s utility grid was hacked. The Department of Homeland Security has named Russia as responsible for the overwhelmingly complex and threatening campaign.
The scheme targeted energy companies affiliated with the government and was carried out in a sophisticated manner by initially focusing on small firms within the utility supply chain.
Early techniques involved planting malware on the websites of online publications likely to be read by employees of companies within the energy sector. The hackers would lace the online publications with malicious content allowing them to steal usernames, passwords and infiltrate company systems.
A number of small firms fell victim to these tactics, giving the hackers broad access to company networks. Fake emails were subsequently sent out on behalf of the affected firms containing forged and malicious Dropbox links which captured usernames, passwords and other credentials. Further, they used fake personas to send emails and pretended to be job seekers, sending resumes containing tainted attachments to energy companies.
The hackers continued this technique of sending malware emails on behalf of firms until they reached the top of the supply chain. It was reported that on at least 8 occasions the hackers infiltrated companies that had access to the industrial control systems that run the grid.
An alarming aspect was the number of affected companies that remained oblivious to the penetration. The report is a useful description of the variety of methods used to tempt employees to expose their credentials. All too easy to do. These same techniques are regularly used by more pedestrian hackers. Two-factor authentication and regular password resets remain measures to limit these threats, but so many organisations do not use them.
We repeatedly counsel that employees are the last line of defence for your organisation. Circulating the Report may make an interesting read to remind them of the variety of ways they can be seduced to click an incorrect link.
A 20-year-old German man orchestrated a serious and sophisticated data breach which affected more than 1000 people.
The attack was focused on German and European politicians at all levels, including German Chancellor Angela Merkel, President Frank-Walter Steinmeier, and hundreds of public figures and celebrities.
The 20-year-old hacker took to Twitter to drip-feed the information, depicted as an advent calendar, by releasing new data each day in December. Information exposed included contact details, credit card and financial information, chat records, photographs and other personal information.
Reuters reported that the hacker is a student who lives at home with his parents, has no formal computer education and was motivated by irritation over statements made by politicians and public figures.
The widespread nature of this attack has resulted in a number of government officials calling for tighter laws.
It is clear that no-one is safe from a data breach – even those elected representatives who enact the laws designed to protect against them.
The Office of the Australian Information Commissioner (OAIC) has released its third quarterly report of notifiable data breaches. This is the second OAIC report to be released covering a full quarter.
The report revealed that OAIC received 245 notifications of data breaches, marginally up from 242 notifications in the second quarterly report.
Some interesting figures from the OAIC’s report are as follows:
- 18% of notifications were from health service providers; 14% were from the finance sector; 14% were from the legal, accounting and management services sector; 7% were from the private education sector; and 5% were from the personal services sector;
- 85% of data breaches involved individuals’ contact details, 45% involved financial details, 35% involved identity details, 22% involved health details, 22% involved tax file numbers, and 7% involved other types of personal information; and
- 57% of data breaches were due to malicious or criminal attack, with 37% due to human error and 6% due to system faults, with cyber incidents, namely compromised credentials or phishing, being the main cause of
Of the 245 data breaches, 58 affected only one individual – however, 7 affected more than 10,000 individuals.
These figures are a clear reminder of the need to ensure that your business is equipped to deal with data breaches. To learn more about this, take a look at this 60-second video by Cameron Abbott. With professional services ranking a solid third, we’ll take some of our own advice too!