In a world of internet-connected data systems, more and more credit card details, personal information, messages and passwords are being exposed each year – despite continued warnings of the need for better security.
Updated 9 September 2016
In April 2011, personal data, including credit card details, was stolen from 77 million Sony PlayStation Network users. Reports estimate the online breach cost Sony US$250 million in clean-up and new security measures.
Then, in November 2014, a previously unknown organisation, the Guardians of Peace, allegedly hacked the company’s movie arm, Sony Pictures Entertainment (SPE). SPE was set to release The Interview, a Seth Rogen comedy making fun of North Korean leader Kim Jong-un.
The Guardians, according to the FBI, were probably linked to North Korea. The group found and then released embarrassing executive emails, issued threats that forced the company to delay the film’s release, and made public what should have been highly confidential information about 4000 staff.
And on Christmas Day 2014, another group of hackers, who called themselves the Lizard Squad, brought Sony’s PlayStation Network to its knees for four days.
Sony’s repeated woes, however, illustrate the ugly realities of doing business in 2016. It is now impossible to completely secure any internet-connected business. Data breaches can and will happen – whether initiated within the organisation or from outside.
And they are costly, as organisations which fail to take proper precautions learn all too swiftly. In its 2016 Global State of Information Security Survey, PricewaterhouseCoopers (PwC) stated that: "Not only are we facing the traditional cyber security risks but we expose ourselves to new cyber threats as we adopt new ways of working and innovate, such as the convergence of operational technology and information technology networks to improve efficiency and reduce operational costs".
An era of breaches
While data breaches can occur by accident, the more egregious examples involve organised crime gangs, “hacktivists”, rogue nation states and disgruntled employees. Some want to make a political point, but many are simply after a fast buck.
The laws of supply and demand apply in cyberspace. Once stolen by an organised gang, your credit card details will typically go up for sale on the online black market. The world has a glut of stolen credit card details and the banks are getting better at clamping down on abusers, so your credit card details will sell for just a couple of dollars.
A fully populated health record – a welcome mat for identity thieves – will sell for 10 to 20 times the value of a credit card. While Sony executives squirmed to see their private emails about Angelina Jolie’s acting abilities emerge in the mainstream media in 2014, it was actually the stolen health records of Sony employees and their families that had the greatest potential for fallout.
According to PwC’s 2016 Security Survey, the number of incidents detected and reported globally has risen markedly since its 2015 report.
"Each and every industry is facing an increased cyber security threat," this year's report states. "Businesses must invest to reduce their cyber risks to an acceptable level and protect client data effectively to remain competitive in challenging markets".
Of course, data breaches aren’t only an issue for giant multinationals. David Higgins, WatchGuard Technologies’ regional director for Australia and New Zealand, says that smaller companies can prove a soft target.
“The question I’m often asked is: ‘Am I a target?’ And the answer is ‘yes’, because you may hold valuable information or you do business with a larger organisation. So you can be a conduit.”
Higgins notes that the high-profile 2013 breach of US retailer Target began when staff at an air-conditioning supplier had their systems infected and unwittingly spread the malware to Target computers. The breach reportedly exposed 40 million credit card records, and Target was lumped with a US$200 million rectification bill.
According to Higgins, there’s a bit of an attitude that “it can’t happen to me”. But he warns that “it can and it will.”
Richard Bergman, a partner in the cyber practice at PwC, is willing to bet that every company on the ASX 200 has had a security incident in the past three years – “whether they know about it or not”.
Paying the price
Much of the public information about data breaches comes from the US and Europe, where laws require they be disclosed to affected customers. Some industries must pay penalties, too. In early April last year the US Federal Communications Commission slapped communications giant AT&T with a record US$25 million fine for data breaches from its call centres, after private data on 280,000 citizens was sold illegally.
In Australia and many other countries without mandatory data breach notification, the picture is very different. In March 2015, the Office of the Australian Information Commissioner (OAIC) reported receiving just 104 voluntary data breach notifications in the previous 12 months.
Among known recent data breaches in Australia:
- Telstra admitted sending 220,000 letters with customers’ names and phone numbers to the wrong addresses in 2010. Then, in 2011, the telco owned up again when its online billing website became openly accessible, potentially compromising credit card details. About 60,000 customer passwords had to be reset.
- Optus notified the OAIC of three data breaches in 2014: 122,000 customers who had elected to remain unlisted in the White Pages phonebook were listed in the online directory; 308,000 modems with default user names and passwords were sold to customers, leaving them open to attack; and 100,000 customers’ voicemail accounts were open to abuse after an internal error caused password prompts to be removed.
- The Department of Immigration and Border Protection came clean to the OAIC after an employee emailed the names, passport and visa details of several world leaders attending the Brisbane G20 summit to the wrong people, illustrating that even an accidental security incident triggered unwittingly by an employee can be devastating.
Shining a light
But even if Australian companies know they’ve been breached – and it’s believed that worldwide more than seven in 10 breaches go undetected – they don’t have to tell anyone, yet.
It’s believed that in 2011, franchisees of a large Australian supermarket chain suffered a series of attacks from scammers. These attacks were enabled by poor decisions about hardware, software and IT service providers at individual stores. An Australian Federal Police officer reportedly called the systems “a disaster waiting to happen”. But the identities of the businesses affected by the attacks were never made public.
In February 2015 the Australian Parliamentary Joint Committee on Intelligence and Security recommended that mandatory data breach notification be in place by the end of the year. Earlier this year, the Office of the Australian Information Commissioner again recommended mandatory data breach notification.
Australia’s two major political parties have agreed to the proposal in principle. New Zealand is among the countries looking at similar rules.
According to Clayton Utz partner David Gerber, mandatory notification is probably inevitable. “There is so much data out there and people are concerned about what is being done with it,” he says. “The flip side is that if data is not being held or handled appropriately we should also know about it.”
Bergman agrees. “If our personal information is breached, we should know,” he says.
The Australian Securities & Investments Commission’s (ASIC) Cyber Resilience: Health Check report has brought the issue into even sharper focus, says Gerber.
“ASIC is essentially saying this requires a whole-of-business approach, which I think is correct. You can’t just say that you have IT looking after security. How is this managed in terms of operational training, policies, procedure, governance and managed with insurance?” he asks.
ASIC couches the issue in terms of “cyber resilience”, which amounts to an organisation’s ability to prepare for, respond to and recover from a cyber attack.
It also warns that entities regulated by ASIC have legal and compliance obligations that may require a review and update of cyber-risk management practices.
Stemming the damage
“We’ve reached the era where we advise boards and companies to assume a position of compromise,” says Bergman.
“They may have made a big investment in a hard perimeter, but at some time that will be breached and they will be compromised. That shifts the thinking to early detection and remediation.”
Bergman believes that Australian company boards have become more attuned to the issue, as high-profile international breaches illustrate not only the corporate cost, but the individual risk as well. Sony Pictures Entertainment’s co-chairman Amy Pascal, for instance, stepped down after her emails were released.
The issue will become even more acute if mandatory breach notification comes in for Australian businesses.
Gerber expects that serious data breaches will need to be reported to both the OAIC and significantly affected customers. As the OAIC can secure enforceable undertakings and apply for civil penalties in some cases, he expects mandatory breach notification will also bring an increase in regulatory action and corporate costs.
As Gerber notes, corporations can insure themselves against some of the pain. A few already are. Former Aon Australia client manager Eric Lowenstein says that in 2014 local businesses spent A$12.5 million on cyber insurance premiums. While he expects that to at least double, it’s a tiny fraction of the US$2 billion worth of cyber insurance premiums taken out by US businesses in 2014. Indeed, Allianz Global Corporate & Specialty (AGCS) forecasts that the global annual tab for cyber insurance will grow to US$20 billion by 2025.
CSO magazine reported that Sony had US$60 million worth of cyber insurance in place at the time of its last major hack.
Lowenstein says that companies with revenues of less than A$50 million could probably buy A$1 million worth of cover for less than A$2000. Depending on the policy that could deliver financial recompense for business interruption, but also access to specialist IT experts, lawyers and PR consultants “to triage the situation”.
The hidden breach
Part of the problem is not knowing you have a problem. Bergman recalls a recent cyber audit of a client company that uncovered a three-month-old breach, still active and undetected. And Dick Bussiere, Singapore-based principal architect of Tenable Network Security, says that on average it takes an organisation 200 days to find out it has been compromised. While companies invest in firewalls and intrusion detection – so-called “perimeter security” – they have been slower to spend on systems to test their vulnerability and monitor their networks.
Bussiere claims most organisations perform vulnerability assessments only once a quarter or less, yet an average week in 2014 saw 135 vulnerabilities.
“It’s a recipe for disaster,” he says. “You are helping the attackers get in.”
Many Australian companies also seem lackadaisical about fixing problems even when they are identified. Security company Venafi has estimated that, a year after attacks exploiting the Heartbleed OpenSSL bug (which allows information normally protected by encryption to be stolen), only 16 per cent of the Australian organisations it analysed had fully remediated their systems to protect against it.
Bussiere is also scathing about the lack of configuration testing that’s conducted.
“The JPMorgan Chase case in 2014 was caused by two things: a stolen systems administrator credential and a misconfigured server which did not need two-factor authentication … The breach was possible with just the system admin credential,” he says.
While perimeter security remains important, systems continue to leak as staff access social media from work, and use their personal devices to access work applications. As Lowenstein points out, new wearable technologies and “Internet of Things” networks that give internet access to everything from power poles to baby alarms also create huge new opportunities for data breaches. By some estimates there will be 25 billion devices connected to the internet by 2020. That’s a lot more potential holes in networks’ defences.
Corporates, some already battered and bruised by data breaches, should prepare for a future of even greater data vigilance.
To boost your organisation’s resilience in the face of data breaches:
- Conduct an assessment of your cyber preparedness.
- Ensure the latest versions of software are used and properly patched.
- Have up-to-date firewalls and intrusion detection systems.
- Audit your environment for any lurking malware.
- Run regular configuration assessments and perform vulnerability tests after major changes to key elements of the environment.
- Review the enterprise risk management framework.
- Develop and test incident management procedures.
- Educate staff about data-breach risks, especially so-called “spear-phishing” attacks arriving via email. These attacks encourage people to click on a link that infects computers with malware, such as the notorious Cryptolocker, which encrypts all corporate data until a ransom is paid.
- Review your insurance portfolio and price cyber insurance cover.