What is a data breach?
A data breach refers to the unauthorised viewing or sharing of personal information such as email addresses, tax file numbers and personal health information. Personal information can also include address, date of birth, phone number and financial details like credit card and bank accounts.
Which data breaches are notifiable?
The Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches (NDB) scheme makes reporting mandatory for data breaches meeting eligibility requirements. Before this scheme came into effect in February 2018, it was up to companies to decide for themselves whether to go public about certain data breaches.
Civil penalties can apply if organisations fail to report an eligible data breach to any third parties likely to be harmed. The OAIC must also be informed. Any organisation or agency covered by the Privacy Act is obliged to comply with the scheme, which includes most businesses with an annual turnover of $3 million or more.
A data breach is notifiable under the NDB scheme if it meets these criteria for eligibility:
- Personal information is lost or subject to unauthorised access or disclosure
- The data breach is likely to result in serious harm to one or more individuals
- Your remedial action hasn’t successfully prevented the potential risk of serious harm.
You may also want to ensure your suppliers, buyers, and stakeholders know their data protection reporting obligations. Cybercriminals may target smaller businesses as a conduit for breaking into larger organisations.
Companies doing business internationally are obliged to comply with additional regulations, such as Europe’s GDPR and US data protection laws.
What causes a data breach?
A data breach can be caused by a criminal mounting a cyberattack to extract data for their own gain, or by human input error and weaknesses in a company’s data security that allow an internal threat actor to gain unauthorised access to personal data.
Here’s an example of how a data breach might occur in your organisation:
For financial service providers to verify employment income as part of a mortgage, auto loan or another financial service application, the conventional practice has been to ask the borrower to send in their last three payslips. To access these payslips, employees usually contact their employer or payroll department. The payslips are then printed, scanned and emailed to the lender.
Without proper technical data protection safeguards, this personal information is open to tampering or falsification. Human input error may even result in the accidental disclosure of incorrect information. When this sensitive personal data is shared over email, there is also a significant risk that it will be compromised en route to the lender.
What are the most common data breaches?
Some of the common ways data breaches occur:
Phishing: Sensitive information is stolen when cybercriminals pose as a person or company you trust.
Example: You receive a business email from what looks like a trusted source, directing you to a fake login page where you are prompted to enter your email sign-in credentials. The attacker then copies and uses these credentials to access sensitive data.
Malware: Malicious software that seeks to access a computer network via a vulnerability. Ransomware is a type of malware attack in which cybercriminals demand a ransom in exchange for relinquishing their control over stolen data.
Example: You click on an online advert to download an application. The malware infects your computer and scans networks to steal confidential information without you even being aware.
Brute force attacks: A hacking method that tries different combinations of numbers, letters and symbols to guess your password and gain access to sensitive data.
Example: You use a generic password for a company account. A hacker tries different combinations until they guess the right one. As you have reused the same password for multiple accounts, the hacker can also break their way into these accounts.
What are the consequences of data breaches?
When sensitive information is compromised in a data breach, the consequences for your business can include:
- Reputational damage: Failure to protect your customers’ data can impact the long-term reputation of your brand. When customers question the reliability of your security, their trust in your organisation also comes into question.
- Revenue loss: The financial costs of data breaches can add up quickly. There’s the cost of responding to the breach, including potential legal fees and the expense of upgrading your security to protect against future data breaches. If there is system downtime, this offline period can substantially impact revenue and productivity.
- Regulatory penalties: Companies that fail to uphold their data privacy obligations can face substantial fines.
What is a data breach response plan?
The OAIC expects businesses to have a data breach response plan. This plan should set out the practices, procedures and systems your company has in place to comply with your information security obligations.
This preparedness aims to enable suspected breaches to be promptly identified, reported to relevant personnel, and assessed if necessary. While it’s impossible to foresee every possibility of a data breach, a clear plan can significantly reduce the potential damage.
Tasmanian Collection Service, through its business relationship with Equifax, can support clients by providing proactive and reactive digital solutions for becoming more cyber resilient and mitigating the impact of a data breach. Equifax combines differentiated data, innovative analytics and advanced technology to help businesses verify the identity of their customers, strengthen supply chain security, detect fraud and better prepare for and respond to data breaches.
The information contained in this article is general in nature and does not take into account your personal objectives, financial situation or needs. Therefore, you should consider whether the information is appropriate to your circumstances before acting on it and, where appropriate, seek professional advice from a finance professional such as an adviser.