Beware the dangers of data breach fatigue
2024-05-27T08:55:00+10:00
UNSW cybersecurity expert Professor Sanjay Jha says companies and the public should remain on high alert in the face of continual cyber attacks.
Cybersecurity expert Professor Sanjay Jha has urged the public to remain vigilant and not become complacent to ever-increasing cyber attacks.
The most recent report from the Office of the Australian Information Commissioner (OAIC) recorded 483 breaches in the period from July to December 2023. That was up 19 per cent from the previous six months.
Two-thirds (67%) of those breaches were caused by malicious or criminal attacks, with the other third made up of human error (30%) and system faults (3%).
Although 312 of the 483 breaches affected 100 or fewer people worldwide, there were also four separate incidents where 250,000 or more Australians had their data improperly accessed.
Media enquiries
For enquiries about this story and interview requests please contact Neil Martin.
Email: n.martin@unsw.edu.au
Prof. Jha, UNSW Lead of the Cyber Security Cooperative Research Centre (CSCRC), hopes that the public will not start to tune out and ignore such data breaches as they become more and more prevalent — especially given the dangers of not taking steps to protect personal information which may have been compromised.
"I understand that it's human nature that you start to just get used to certain things, but I think it's important to keep raising awareness about trying to protect your personal information and even if we reach only a small percentage of people who listen, then it's worth it," he says.
"It's obviously a big danger if your bank account is compromised, for example, and lots of money is stolen from you.
"But there are other private details you probably don't want random people to know about — such as your health or medical records, which can also get broken into."
Data as a commodity
Prof. Jha says that when malicious cyber-attacks on companies and organisations result in breaches, it can take some time for that personal information to make its way to professional hackers or others who try to make money from the stolen data.
"Personal data is a valuable commodity. Even if credentials aren't stolen, then it can still be sold as marketing information," he says.
"But if there is a specific piece of identity then that can kick-start cybercrime because it helps bad actors create your profile and maybe use social engineering to try to get the full information they need to log into your banking system or compromise your medical records.
"Even just knowing your mobile phone number and whether you are a male or female can be enough for criminals to start getting to work.
"A lot of this information when it is obtained by a cyber-attack is then sold on the Darkweb and maybe it then gets bought by hackers who are building phishing sites designed to get the additional credentials they need to get into bank accounts and steal money."
Phishing for personal information
The problem is so widespread that even a cybersecurity expert such as Prof. Jha himself is targeted regularly by those he believes have obtained some of his personal information.
Many of these attempts come via phishing scams to his mobile phone, where fraudulent messages purportedly from large reputable companies are actually being sent by cybercriminals attempting to get even more valuable information such as online banking logins, credit card details or passwords.
But Prof. Jha acknowledges that it's sometimes hard for the general public to know what communications they can trust.
"Phishing attacks continue. They aren't stopping and in fact they are getting ever more innovative," the academic from the School of Computer Science and Engineering says.
"Even I get those types of messages which say something like, 'This is Coles and your reward points are about to expire'. The cybercriminals know that almost every Australian is buying their groceries from Coles or Woolworths, so they have a good chance of getting your attention.
"People can then fall into the trap of clicking on the link and giving out their information. More and more education is always needed about this, but it's also hard to know what is real and what is fake.
"I also get legitimate messages from Australia Post when I have a parcel delivery and they send a URL for me to click on. But they use a tiny-URL system which just shows a series of random scrambled numbers and, as a cybersecurity expert, that makes me very afraid to click on a link where I can't see the full address.
"And that creates a problem because it is the same technology being used for a legitimate purpose, but it's lost its trustworthiness and should make you wary of clicking."
Prof. Jha says companies should be doing more to keep personal data safe from hackers, but admits that as information and communications technology (ICT) systems become more and more complex, points of weakness are always likely to exist.
And attacks are unlikely to decrease while there is a lucrative market for stolen credentials.
"The problem is that ICT systems are very complex and every day new applications are deployed and new information is stored and exchanged," he says.
"It is a very dynamic field — and anyone who says they can secure an entire system where no attack is possible is not being very truthful.
"What we need to do is to ensure we are trying our best to minimise the attacks, and if they happen make sure we are resilient enough to deal with them and recover.
"But some systems need to be more secure than others. If you take down the power grid then you could take down the whole country, and the banking system is another.
"I do think that companies in general can do a lot more to protect people's privacy. If a new system is deployed then do proper testing and check integration with other systems in case it causes a possible vulnerability in terms of security.
"In addition, keep track of any vulnerabilities that are reported. And monitor cyber threat intelligence from reliable sources to check if your system is at risk.
"Another good measure is regularly scanning and sanitizing the system — all of these are protocols that build up strong security."