One of the key assets of a business or institution is the information they collect. So it should be no surprise that data hacking has now escalated to the point where it is a potentially devasting threat to business and individuals. 32% of Australians have had their data exposed in the past year, compared to “only” 11.2% over the past 5 years having been the victim of serious crimes like burglary. What has changed? What can you do about it?
The war in Ukraine seems to be a convenient excuse for just about everything at the moment. But the fact is that both the hack against Optus and Medibank were by hostile Government backed and organised overseas crime networks. Just like when William Sutton was asked why he robbed banks and replied “Because that is where the money is”, it doesn’t take too much thinking to realise that it was only a matter of time before the vast data kept in the cloud and large databases became an easy and low risk criminal target.
The modus operandi seems to be to either install ransomware (and lock the users’ data down, only to be unlocked by paying a ransom), or to get in and steal data and threaten to release or on-sell the data. In the case of the Medibank hack exposing 9.7 million people, experts say that the hacker bought login credentials to gain access to the network from an online Russian criminal forum and did extensive reconnaissance lasting several months before collecting the data and finalising the “heist”. Medibank (using the Federal Government recommended course of action) are refusing to pay any ransom on the logic that you can’t trust a criminal, and that paying a ransom makes them and Australia a bigger target for future attacks. There would be no way of checking that the data wasn’t copied anyway, and usually the actual hack is the first step in a multi-step process where the user data is sold or used for further crimes such as identify theft or illegitimate purchases. Medibank’s stance is correct but has resulted in a 10% drop in the share price. There are huge flow on effects from these hacks, for instance the Optus hack caused queues around the corner of many Transport department branches as people changed drivers licences. These people then presumably also had to update the new details anywhere they had used driver’s licenses for identification purposes.
I’m personally not too worried about someone trawling through my medical history (pretty boring for most people I suspect) but understand people who are concerned. However, we should all be quite worried about the other data that these companies have been “forced” to keep. Names; dates of birth; phone numbers; home addresses; emails; partial passport, driver’s license, and Medicare numbers. It doesn’t seem like credit card or bank account information was stolen (this time). I’m not a criminal mastermind but can see that with this smorgasbord of information it doesn’t take much for even low level players to try to get in on the game. Which is why the arrest of the 19 year old in Sydney this week (caught trying to extort $2,000 from each of the 10,200 Optus customers on the list he bought) is probably just the start of the first of many trying a “get rich quick” scheme. Extortion is but one thing this data can be used for. Whilst it takes probably more effort and a longer “crime-cycle”, the information can easily be used to set up bank accounts or take out loans, or used for identity theft or crimes using impersonation (for instance there are reports of criminals selling other people’s houses).
The Australian Cyber Security Centre (ACSC) had 76,000 cybercrime reports in the year to June 2022 (a 75% jump in 2 years), which is before both the Optus and Medibank hacks. That’s one report every 7 minutes. This included 2 critical infrastructure businesses along with 28 state government agencies, academic institutions, or large companies. A report by corporate advisory firm McGrath Nicol found that companies often paid a ransom demand within 24 hours to avoid a reputational risk, and that the average payment was $1.28 million.
More than 1,500 businesses reported also being scammed using “email-style attacks”, with an average loss of $64,000. I suspect the number of affected businesses to be much higher, as many don’t report it for reasons including not wanting negative attention or simply embarrassment (not that anyone should be). A large portion pertained to intercepted emails where payment details are changed to the scammers bank account.
Australia is a logical target for cyber crime because of our widespread internet connectivity, per capita wealth and investment structures (such as movable superannuation accounts and widespread share ownership). Property transfer transactions are also an attractive target due to the high value.
So what can we do about it? Protecting yourself can be very difficult. For example, how often do you hand your credit card details over to someone over the phone or type it into a computer? You have no idea who can access that at the other end. Using our own experience, whilst our bank contacted us about suspicious transactions on our credit card, in the 1 hour it took the bank to lock the account the person who stole our credit card details managed to online shop at 2 venues plus go to KFC (in Sydney). With click and collect or delivery services now available, it’s not hard to receive just about any goods at a later date without having to be at the crime scene in person. Whilst our financial loss was not massive (and the bank covered it in the end), it can be significant. The inconvenience was worse, as it takes a couple of weeks to get a replacement card (making daily living more complicated than expected), plus you have to work out what all the automatic withdrawals are and change the card details. Another strategy they use is to test using a small amount, and if unnoticed start transferring more sizable amounts until the account balance is drained.
Some people are going old fashioned and stashing cash, but obviously we are hostage to more and more trade being across the internet. ACSC estimates that there are at least 150-200,000 routers in Australian businesses and homes that are vulnerable. These are the ones that are too old to be supported for security updates, and is a bit like leaving the front door open for even basic hackers to take what they want from your computers. Simply updating to a current router is a basic, low cost and essential action. Other steps include to activate multi-factor authentication as well as do patch updates regularly. And obviously use unpredictable passwords that you update frequently. As much of a pain as it is, try to use different passwords on different applications. In order to reduce the losses and enable a faster resumption to normal activity, do back ups regularly. IT experts will no doubt point out that the above is pretty much the basics, however doing something is better than nothing.
Sadly, as we continue to migrate more and more to relying on the internet, we can expect cybercrime to be a new tool of war. Not only against individuals and businesses, but a whole country can be compromised if for instance the power grid was shut down, or the banking system locked up. Expect the recent attacks to be just a precursor of future attempts and prepare accordingly.
Words from the wise
“Never trust a person that tries to sell you by how righteous they are. I’m telling you right now, it’s a scam.” – Richie Norton
“Money has no grey areas. You either make it or lose it.” – Kevin O’Leary
“The harder I work, the luckier I get.” – Samuel Goldwyn
As always, onwards and upwards!
Fred Carlsson
General Manager