In Australia, two critical cyber security incidents have occurred recently, and more than 10 million Australians have had their personal information compromised.
Information exposed includes Optus customers’ names, dates of birth, phone numbers and email addresses and, for a subset of customers, addresses, ABNs, ACNs, and ID document numbers such as driver licence, proof of age card, Medicare card or passport numbers.
Files containing data stolen from Medibank Private Limited have also been released on a dark web forum. The stolen data include names and addresses, dates of birth, Medicare card numbers, policy numbers, phone numbers and some claims data.
Typically, such a breach results from a combination of security control flaws, human error, negligence, social engineering and shoulder surfing. These critical cyber security incidents will not be Australia's last.
More than ever, Australia needs to determine its own course in safeguarding Personally Identifiable Information (PII) to prevent our community from becoming a soft target for cyber criminals.
- Enterprises must deploy adequate safeguards that prevent unauthorised access, protect the confidentiality of data (especially at rest), detect and respond to any attack vector when a vulnerability is exploited and, ultimately, stop this kind of incident on critical infrastructure from happening. (For example, enabling two-factor authentication (2FA) is one of the most effective measures against credential theft. It requires a second piece of information beyond the username and password: a knowledge factor (something the user knows, e.g. a PIN), a possession factor (something the user has, e.g. a security token, a mobile device or a smartphone app) or a biometric factor (e.g. fingerprint, facial or voice recognition). In the EU, the Europass Login with two-factor authentication has been compulsory since 11 October 2022.)
- Improve the Australian regulatory requirements regarding identity, access management, protection of data (at rest and in transit) and data retention: there should be a unified cyber security standard or best practice that Australian enterprises must comply with.
- Introduce harsher penalties for data breaches. Penalties should be commensurate with the number of records and the impact of the breach, with fines of up to a considerable proportion of the company's annual revenue. For example, Australia should adopt and enforce the EU GDPR, as Australian law does not protect privacy in a way comparable to that of many other developed nations. (Australian companies and consumers also need to be mindful that Australia was not a party to the EU-US Privacy Shield and does not have EU adequacy status.)
Join our 10th Anniversary at B2B Global Conference on 25th of October at Parramatta | Up to 50 exhibitors | 10+ sponsors | 200+ attendees
1y · David, thanks for sharing!
ANZ Sales @ Qualys | Sales and Channel Strategy
1y · All of the above. Data at rest and in transit. Tokenization, not just encryption.
Award-Winning B2B Tech PR + Marketing Leader, AZK Media | Executive Board, Global AI Ethics Institute | Former Journalist | Amplify your message to prospects and press
2y · Great insights
Founder, Philanthropist & CEO
2y · Yes well, I heard the FBI told the Aus government to stop talking about it so much... it's kind of like saying "Hey look, we're vulnerable, come and get us".
Adj. Prof. UNSW, SVP Rakuten
2y · Sally A Illingworth Azadeh Williams Tony Brown Jeremy Mitchell Mark Gregory Kate Jones Giuseppe Porcelli Edward Zia Ian Oppermann Carl Gough Australian Information Security Association (AISA) ACS (Australian Computer Society) Tim Herring Guy Rowson