Hackers Target Australian Businesses, Stealing Identity Information And More

Hackers have targeted Australian businesses, stealing their customers' identity information and much more. Many of the individuals affected have suffered mentally and, in some cases, financially. The problem is only getting worse as more attackers go after larger businesses. The best way to protect your business is to understand the risks and take steps to prevent unauthorised access to your systems. The number of hacks rises every year, and the initial victims are usually the large organisations we have all come to trust with some of our most sensitive data.

There is constant speculation about who is involved and, more importantly, who is to blame for any given hack, yet there is very little legislation in Australia to protect those who are ultimately affected. Let's have a look at these hacks, what they are and what you can do to protect yourself and your business.

What is a cyber attack?

A cyber-attack is when someone gains, or attempts to gain, unauthorised access to your computer systems. This could include accessing your files, stealing personal information, deleting or destroying data, and even shutting down your systems. Attacks can be carried out in many ways. Common methods are:

Hacking – gaining access to computer systems through unauthorised means. Malware such as viruses or worms is one well-known route in, but the most common way attackers get access is with a legitimate user name and password: one that was phished, reused from another breached site, or simply guessed.

Phishing – the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card details.

Vishing – voice phishing: using phone calls to trick you into handing over sensitive information.

Smishing – SMS phishing: using text messages, usually carrying a link to a fake login page, to obtain sensitive information.

DDoS – Distributed Denial of Service. Using a network of infected computers (a botnet) to flood your system with traffic, overloading it and making it unusable.

DoS – Denial of Service. The same goal, but from a single source rather than a distributed network, which makes it easier to identify and block.

Pharming – redirecting you to a bogus website when you try to access a legitimate one, typically by tampering with DNS or with your device's hosts file.

Tailgating – physically following an authorised person through a secured door or gate to get into a building or restricted area without credentials of your own.

Spoofing – pretending to be someone you are not, to obtain sensitive information or otherwise perpetrate fraud.

Spim – spam sent over instant messaging rather than email, often from fake identities and often used for phishing.

Ransomware – malware that encrypts your files and prevents you from accessing them until you pay a ransom. Most ransomware crews now also steal a copy of the data first and threaten to publish it if you don't pay.

Who has suffered these types of attacks in 2022?

The year started with one of Australia's largest retailers, Bunnings, which had customer data exposed in a breach via a third-party software platform. Red Cross Australia was the next significant one, where vulnerable people had sensitive data accessed and released. Then it was News Corp's turn with a cyber breach in February; consumers weren't affected, but it was a significant breach nonetheless. The NSW Government then had a breach in which the sensitive addresses of 500,000 people were leaked.

From there the list continues with Toyota, Samsung, Nvidia, Ubisoft, Microsoft, Panasonic, Coca-Cola, SA Government, Facebook, NDIS, AMD, Deakin University, Marriott, Woolworths, Victorian Government, WA Health, Facebook, Cisco, University of WA, Twitter, DoorDash, LastPass, TikTok, Uber, Optus, Woolworths MyDeal, Medibank & the AFP. You are probably thinking, "some of these are tech companies; they of all people should know better." You are probably right. By the same token, it also shows that these attacks can be highly sophisticated, and it is no wonder they got hacked. The list also shows that it is not just the smaller mum-and-dad businesses being hit.

What this tells us is that the people behind these attacks are not doing over the small guy for sh#!s and giggles. They are going after anyone and everyone they can. The ultimate goal is cash, and if the offenders are careful the chance of them being caught is next to zero. What they find valuable is not always credit card details; more often it is identity information. That can be used to create a new identity, which is then used in a way that makes the new identity the scapegoat, and it makes finding the real person behind the attack much harder.

Who ultimately suffers from cyber attacks?

The truth is that everyone suffers. The question is where the money for these attacks comes from and what it buys. In reality, it costs a lot of money to set up the infrastructure behind these attacks. That can be done in two ways: either you build it yourself or you buy it. Building it yourself takes knowledge and a lot of time. Buying it means paying for the time of the people who have that knowledge. You can also buy ready-made tooling that does it for you, but that is expensive and hard to get. The money has to come from somewhere, and most of it comes from the businesses and governments that fall victim to these hacks.

How come Identity information that is sensitive is being stored by companies?

Well, for the most part, because of the very legislation that is designed to protect businesses and consumers. It has a side effect: the data it requires companies to keep can be turned into a weapon against both of them. Let's look at Optus, since it has been deemed the most significant hack in recent Australian history. As reported, almost all of their customers had their 100 points of ID taken from Optus's systems. Some of it was leaked on forums to prove that the person trying to ransom the information was legitimately involved in the hack.

We have been part of multiple conversations about the Optus hack with people who are not technically minded. Most of them ask how this could happen and why Optus was holding such critical pieces of information on file. What people may not realise is that there is a legal requirement for telcos to keep this information on file for as long as you are an active customer, and for a further 2 years after that. Optus claimed a total of 6 years, but everything we have seen documents 2 years.

This is a prime example of how what data is stored, and the requirements for storing it, are not easily or clearly defined. It is no wonder none of these companies want to admit to being compromised, as the side effects can be devastating for most people. The other issue is that the larger companies holding such details tend, by every account shown to date, to be a little too relaxed about securing it, and our local legislation doesn't protect consumers enough as a result. Optus, in the example above, may only cop a tiny fine of $2M AUD. There have been calls to make it $50M, but honestly that is still too low; other countries have legislation where fines can run into the hundreds of millions of dollars. That, however, is a totally separate discussion and article.

Our Opinion on storing sensitive information like this

Organisations only need to use the information to identify the person, enough to establish that it is in fact the person in question signing up for a service. Copies of the ID, and the full details of each piece of ID, do not need to be kept on file. There are various platforms and solutions that could be used to simplify the ID process and maintain the integrity of everyone involved. Sure, taking a scan of the licence and keeping that on file could be an option, but that is all that would be needed. (Just to note that this point is purely our opinion and nothing else; we don't claim to be experts or to have access to the latest research, but based on what we know and our experience in the field, it seems like a fairly reasonable suggestion.)


Neil McNulty, Mark Southwell, Bryton Wishart, Sarah McIntosh and Asrar Ismail (pictured left to right) – Guest Speakers on Cyber Security Panel at recent Business Networking Event

What steps can you take to protect accounts online?

When it comes to working with accounts online, there is a long list of good practices you should follow. The following are 10 things you should consider standard practice for yourself. If you own a business or are in a position to encourage or deploy some or all of these practices, we recommend that you do.

1) Make sure each and every site has a different password.

2) Enforce a strong password policy: require length (12 characters or more; longer is better) and allow a combination of upper and lowercase letters, numbers and symbols.

3) Change a password immediately when you have reason to think it is exposed (a breach notification, a phishing email you clicked on) rather than on a fixed calendar schedule, which mostly produces predictable variations of the old one, and make sure the replacement is not easily guessable.

4) Use two-factor authentication on every account that offers it. An authenticator app (e.g. Google Authenticator) or a hardware security key is stronger than codes sent by SMS, which can be intercepted by SIM swapping.

5) If you currently use the same password across multiple accounts, change them all at once, to a different password on each.

6) Don't use simple passwords like 'password' or 'abcd1234'.

7) Where a site allows it, avoid using the same username (e.g. your email address or Facebook username) on multiple sites; it makes it harder for an attacker to match a leaked password against your other accounts.

8) Don't save passwords in a document or spreadsheet on your computer, or in a browser that isn't locked with its own master password; use a password manager instead.

9) Enable 2-factor authentication on your email account in particular (where possible), since the password resets for everything else land there.

10) Use a VPN and/or Tor to mask your IP address on untrusted networks such as public Wi-Fi. Note this protects your traffic, not your passwords; it is no substitute for the points above.

How do you keep track of so many passwords?

One of the best ways to keep track of so many passwords is to store them in a password manager. This is an app that keeps your passwords in an encrypted vault and fills them into the login form when you visit a website. There are many good ones available, e.g. LastPass, KeePass and 1Password. We suggest going with one of these if you don't already have one. Use it to store all your passwords, including the ones for sites you log into with your Facebook account.

The key, though, is that the master password you choose for your password manager must be at least as strong as anything it protects, because it unlocks everything else. It should be something that can't be guessed, such as a long random passphrase or a random combination of letters, numbers and symbols. The figures you see quoted (a random 12-character password using upper and lower case letters, numbers and special characters "takes hundreds of years to crack") all come from the same sum: the number of possible passwords divided by how many guesses per second the attacker can make. That guess rate ranges from tens of thousands per second against a properly hashed vault to billions per second against a poorly hashed one, so length is the part you control. You should also enable two-factor authentication on your password manager.
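The sum above, worked through in code, along with a generator that makes a random password or passphrase the proper way (from the operating system's random source, not by hand). This is an added example and not from the original article; the guesses-per-second figures in it are illustrative assumptions to show how much the answer depends on the hashing algorithm, not measurements of any particular hardware, and the short word list is constructed for the demo (a real passphrase list has thousands of words).

```python
"""Password keyspace, brute-force time and generation. Constructed example;
the guess rates are assumptions chosen to illustrate the range, not data."""
import math
import secrets
import string

# Illustrative guesses per second against a *stolen hash*. The slow hashes used
# by good password managers and websites sit at the low end; a fast unsalted
# hash on a GPU rig sits at the high end. (Assumed values for illustration.)
GUESS_RATES = {
    "slow hash (bcrypt/Argon2)": 1e5,
    "SHA-256 on one GPU":        1e10,
    "MD5 on a GPU cluster":      1e12,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given which character
    classes actually appear (lowercase, uppercase, digits, symbols)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a *random* password; a human-chosen one has less."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_sec: float) -> float:
    """Time to try the whole keyspace. The attacker's expected time is half."""
    return alphabet_size ** length / guesses_per_sec / SECONDS_PER_YEAR


def crack_time_table(length: int, alphabet_size: int) -> dict:
    """Years to exhaust the keyspace under each assumed guess rate."""
    return {label: years_to_exhaust(length, alphabet_size, rate)
            for label, rate in GUESS_RATES.items()}


def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters + string.digits
                      + string.punctuation) -> str:
    """Random password from the OS CSPRNG (secrets), never from random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 5, sep: str = "-") -> str:
    """Diceware-style passphrase. Strength comes from the list size and word
    count (a 7776-word list gives ~12.9 bits per word), not from 'clever'
    substitutions, and it is far easier to type as a master password."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for length in (8, 12, 16):
        print(f"{length} random chars from 94: {entropy_bits(length, 94):.1f} bits")
        for label, years in crack_time_table(length, 94).items():
            print(f"   {label:<26} {years:>14,.2f} years")
    print(generate_password())
    demo_words = ["anchor", "basil", "copper", "dune", "ember", "fjord",
                  "gravel", "harbour"]  # constructed list; real lists are ~7776 words
    print(generate_passphrase(demo_words))
```

Running it shows the spread behind the "years to crack" headlines: 8 random characters from the 94 printable ones fall in days against a fast hash, 12 characters take thousands of years even against the GPU cluster, and against a slow hash the same 12 characters take longer than the age of the universe. The quoted figure therefore says as much about the assumed guess rate as about the password.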

Why do we suggest a password manager?

Having your passwords stored in one place is, of course, a risk. What makes a password manager great is that it generates a unique random password for every site you use, so one breached site doesn't expose the rest. The vault is encrypted on your device with a key derived from your master password before it is synced to the vendor's servers, so if an attacker steals the stored vault (LastPass appears in the breach list above) they still have to crack your master password before they can read a single entry. That is exactly why the master password and 2FA on the manager itself matter so much; an attacker who gets those gets everything.

What to Look for in a Password Manager?

If you are looking for a great password manager, look for the following:

Free – you don't need to spend money on a password manager. The best ones have a free tier to start with.

Cross-platform support – if you use more than one device, make sure your password manager supports all of them.

Sharing capabilities – handy in a work environment; the passwords stay encrypted, but access can be granted to people you choose.

Passwordless logins – very handy, as they use another device (such as your phone) to authenticate you. Microsoft offers this too and it is very effective.

Evaluate your data retention policies as a deterrent to hackers

There is nothing worse than making yourself a hacking magnet. Organisations like the ATO are hacking magnets. Why bring this up? Being a hacking magnet is a real issue. The ATO announced recently that it battles upwards of 3 million hack attempts a month. You may think "why?!", but the answer is above: a successful attacker would potentially get every ATO customer's details, yours included. If that is not a hacker magnet, we don't know what is. The best way to avoid attracting hackers is to not give them a reason to come, and one of the best ways to do that is to evaluate your data retention policies.

Do you have data that is no longer required? If so, delete it, either as soon as possible or on a fixed schedule such as the end of each month. When it is still required but only for the short term, archive it in a secure place with access restricted. If it is required for the long term, encrypt it. The less data you hold, the less there is to be stolen, whether by a criminal or by an employee who feels they can make some extra cash. If you have any questions about your data retention policies, or would like to know more about how to protect your business from cyber threats and vulnerabilities, reach out to a cyber security consultancy.
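The three rules above (delete when no longer required, archive what is short-term, encrypt what is long-term) only work if they are written down per category of data and applied on a schedule. Here is what that looks like as a small retention sweep over a data inventory. It is an added example, not the article's own tooling or anyone's product: the categories, retention periods and records are constructed for illustration, and the real periods must come from your own legal obligations (the 2-year telco period mentioned earlier is used for the identity-check category purely as an example).

```python
"""Retention sweep over a constructed data inventory. Added example; the
policy values and records below are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import date

# Per-category rule: how many days to keep a record after it stopped being
# needed, and how it should be held in the meantime. Assumed values.
POLICY = {
    "marketing_lead": {"keep_days": 90,  "while_kept": "plain"},
    "support_ticket": {"keep_days": 365, "while_kept": "archive"},
    "identity_check": {"keep_days": 730, "while_kept": "encrypt"},  # ~2 years
}


@dataclass
class Record:
    record_id: str
    category: str
    last_needed: date      # e.g. customer left, ticket closed, check completed
    state: str = "plain"   # plain | archive | encrypt


def decide(record: Record, today: date) -> str:
    """Return the action for one record: delete, archive, encrypt, keep, or
    review. Unknown categories go to 'review' rather than being kept forever
    by default, since data with no owner is exactly what leaks."""
    rule = POLICY.get(record.category)
    if rule is None:
        return "review"
    age_days = (today - record.last_needed).days
    if age_days > rule["keep_days"]:
        return "delete"
    target = rule["while_kept"]
    if target in ("archive", "encrypt") and record.state != target:
        return target
    return "keep"


def sweep(records, today: date) -> dict:
    """Group record ids by the action the policy requires today."""
    plan = {"delete": [], "archive": [], "encrypt": [], "keep": [], "review": []}
    for r in records:
        plan[decide(r, today)].append(r.record_id)
    return plan


def exposure(records, today: date) -> int:
    """How many records would be readable to someone who copied the store
    right now: everything not yet deleted that is still held in plain form."""
    return sum(1 for r in records
               if decide(r, today) != "delete" and r.state == "plain")


# Constructed inventory; dates chosen to hit each branch of the policy.
SAMPLE_RECORDS = [
    Record("lead-1", "marketing_lead", date(2022, 6, 1)),             # 183 days old
    Record("lead-2", "marketing_lead", date(2022, 11, 15)),           # 16 days old
    Record("tkt-7",  "support_ticket", date(2022, 9, 30)),            # 62 days, still plain
    Record("tkt-8",  "support_ticket", date(2021, 10, 1), "archive"), # 426 days old
    Record("id-3",   "identity_check", date(2021, 1, 15)),            # 685 days, still plain
    Record("id-4",   "identity_check", date(2020, 6, 30), "encrypt"), # 884 days old
    Record("misc-1", "old_export",     date(2019, 3, 3)),             # no policy at all
]

if __name__ == "__main__":
    today = date(2022, 12, 1)
    for action, ids in sweep(SAMPLE_RECORDS, today).items():
        print(f"{action:8} {ids}")
    print("records readable if the store were copied today:",
          exposure(SAMPLE_RECORDS, today))
```

Two things the sweep makes concrete. First, "delete" is decided from the date the record stopped being needed, not from when it was created, which is the date most businesses don't record and therefore can't act on. Second, the "review" bucket is the one to watch: unclassified exports and backups are what tend to be sitting around when a breach happens.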

The key message is to pay attention to your data retention policies. The last thing you want is to suffer a data breach and then have to deal with the aftermath as well as potential legal ramifications.

Where to from here?

It is important that you, your staff and your business employ a solid IT security and data retention policy. This will help ensure that your network, your accounts and your data are as secure as possible. More importantly, it can save you hours of heartache. Beyond that, it is always a great way to keep you and everyone around you safe from falling victim to a hack, particularly once they know some of the steps they can take to protect themselves. We have seen many customers go through the wringer over the years with this sort of thing, and it is never fun to watch. We hope you can take at least one helpful piece of advice or tip from this article that will help protect you or a loved one online going forward.


