A data breach is an incident in which sensitive, private or confidential information is accessed, disclosed or lost without authorisation.
Australia sees many data breaches each year, and they affect businesses of all sizes. A breach can be accidental (a misdirected email, a lost laptop) or deliberate (an intrusion, a malicious insider). When a breach involves personal information and is likely to result in serious harm, the affected organisation must notify the individuals concerned, because the loss of personal information can lead to identity theft, fraud and other serious harm.
Famous Data Breaches
Yahoo
In 2013 attackers compromised Yahoo user accounts; when the breach was disclosed in 2016, Yahoo estimated that 1 billion accounts were affected. The stolen data included names, email addresses, dates of birth, hashed passwords and, in some cases, security questions and answers that were not encrypted, which created a high risk of account takeover and identity theft.
In 2017, Yahoo revised the estimate from 1 billion to all 3 billion user accounts. Although payment card numbers, bank account information and clear-text passwords were not stolen, it remains the largest breach disclosed to date by number of accounts.
In response, Yahoo required affected users to change their passwords and invalidated the unencrypted security questions and answers so they could no longer be used to access accounts.
Facebook
In April 2019 the UpGuard Cyber Risk team found datasets collected by third-party Facebook apps exposed on publicly accessible cloud storage; the largest contained about 540 million records. The data included Facebook IDs, account names, likes and comments. None of it was payment or password data, but a dataset of that kind is valuable to attackers for profiling, phishing and targeted scams against the end users.
Facebook had another incident in April 2021, when the personal data of over 533 million users (phone numbers, Facebook IDs, names, locations and some email addresses) was posted on a hacking forum. The data had been scraped in 2019 by abusing a contact-import feature that Facebook has since fixed. Notably, the founder Mark Zuckerberg's own details were among the leaked records.
Twitter
This breach took place in 2018 and affected about 330 million users, effectively Twitter's whole user base at the time. A bug caused passwords to be written in plain text to an internal log before they were hashed, so anyone with access to that log could read them. Twitter stores passwords as bcrypt hashes, but the logging bug bypassed that protection entirely.
Twitter asked all users to change their passwords as a precaution. It stated that it had fixed the bug and that its investigation found no indication the logged passwords had been accessed or misused, but it still encouraged users to change their passwords, including on any other service where the same password had been reused.
Twitter did not disclose exactly how many passwords had been logged or how long the bug had been present, and the unmasked passwords had reportedly sat in the log for some months before the problem was found.
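The Twitter incident is the classic "secret in a log line" failure. As an added example (not the page's own material, and not Twitter's code, which was never published), the following Python shows the vulnerable pattern of logging a raw login form next to a hardened version, plus a logging filter that scrubs secrets from any record as a last line of defence. The field names in `SECRET_KEYS`, the sample form and the `auth.demo` logger name are constructed for illustration.

```python
import io
import logging
import re
from typing import Any, Dict

# Hypothetical list of field names treated as secrets; adapt to your own schema.
SECRET_KEYS = {"password", "passwd", "pwd", "new_password", "token", "secret"}
MASK = "[REDACTED]"

# Matches `key=value`, `key: value` or `"key": "value"` fragments for the keys
# above, so a secret already interpolated into a message string is still caught.
_KV_PATTERN = re.compile(
    r"(?P<key>\b(?:" + "|".join(sorted(SECRET_KEYS)) + r")\b)"
    r"(?P<sep>[\"']?\s*[=:]\s*[\"']?)"
    r"(?P<val>[^\s,;\"'&}]+)",
    re.IGNORECASE,
)


def log_login_unsafe(form: Dict[str, Any]) -> str:
    """The vulnerable pattern: format the whole request form into a log line.
    The raw password goes to disk alongside the username."""
    return f"login attempt {form}"


def redact_fields(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a dict (e.g. a parsed login form) with secret fields
    masked. Nested dicts are handled recursively; the input is not modified."""
    out: Dict[str, Any] = {}
    for key, value in payload.items():
        if key.lower() in SECRET_KEYS:
            out[key] = MASK
        elif isinstance(value, dict):
            out[key] = redact_fields(value)
        else:
            out[key] = value
    return out


def redact_text(message: str) -> str:
    """Mask secret values that have already been flattened into a string."""
    return _KV_PATTERN.sub(lambda m: m.group("key") + m.group("sep") + MASK, message)


def log_login_safe(form: Dict[str, Any]) -> str:
    """The hardened pattern: scrub the form before it reaches the log."""
    return f"login attempt {redact_fields(form)}"


class SecretRedactingFilter(logging.Filter):
    """Logging filter that scrubs secrets from a record's message and args,
    as a safety net for code paths that forgot to redact."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, dict):
            # A single mapping argument: logging stores it as the dict itself.
            record.args = redact_fields(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(
                redact_fields(a) if isinstance(a, dict)
                else redact_text(a) if isinstance(a, str)
                else a
                for a in record.args
            )
        return True  # never drop the record, only sanitise it


def demo() -> str:
    """Send two login events through a logger fitted with the filter and return
    the captured output, so the effect can be checked without a log file."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter())
    logger = logging.getLogger("auth.demo")
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False

    # Constructed sample login form, as a request handler might see it.
    form = {"username": "alice", "password": "hunter2", "remember_me": True}
    logger.info("login attempt %s", form)                      # dict argument
    logger.info("raw body: username=alice&password=hunter2")   # pre-flattened string
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print(log_login_unsafe({"username": "alice", "password": "hunter2"}))
    print(demo())
```

The filter is defence in depth, not the fix. The real fix for a bug like Twitter's is to hash the password as the very first thing the login handler does and never hand the raw value to anything that might log it, and to treat log stores themselves as sensitive data with restricted access and a retention limit.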
LinkedIn
In June 2012, LinkedIn suffered a breach that affected about 165 million accounts. At the time only about 6.5 million password hashes were posted publicly; in 2016 a far larger dataset from the same breach, about 117 million email address and password pairs, was offered for sale. The passwords had been stored as unsalted SHA-1 hashes, which made them quick to crack.
Because of the scale of the breach, other services proactively reset the passwords of users whose LinkedIn credentials matched their own accounts. This is why password recycling is strongly discouraged: once attackers crack one password they try it against every other service the victim uses (credential stuffing), so a single compromise turns into many.
LinkedIn's initial response in 2012 covered only the accounts it believed were affected at the time, and the full extent of the breach did not become public until 2016, when LinkedIn invalidated the remaining old passwords. Much of the analysis of the breach was therefore done by outside researchers and reported to the public rather than by the company itself.
Equifax
This is one of the largest data breaches to date. Equifax announced in September 2017 that about 148 million people, mostly in the United States, had been affected. The breach was especially severe because Equifax collects, organises and analyses financial data such as credit reports and scores, so the records it holds are exactly what is needed for identity theft.
The exposed data included names, social security numbers, dates of birth, home addresses and, for some people, driver's licence numbers. About 209,000 consumers also had their credit card numbers compromised.
Canva
The well-known graphic design tool has also suffered a data breach, which shows business owners that any organisation handling consumer data is a target, not just large enterprises.
The attack occurred in May 2019 and affected around 137 million users. The attackers obtained usernames, email addresses, names, cities and, for users who had set one, the password as a salted bcrypt hash. Properly hashed passwords cannot be read directly, but weak ones can still be cracked offline, which is why a reset was still necessary.
Canva confirmed the incident, notified its users and asked them to change their passwords; it also reset login tokens so that any stolen token could no longer be used.
Microsoft
In early 2021 Australian organisations were among those hit by attacks on Microsoft Exchange Server, the product behind many organisations' corporate email, calendars and related scheduling tools. Around 7,000 servers in Australia were affected.
The attackers exploited vulnerabilities in on-premises Exchange email and calendar servers. For any business relying on the product this was a serious threat: an attacker who compromised the server could install backdoors such as web shells, deploy ransomware, and use the server as a foothold to spread through the rest of the network.
The attacks targeted organisations, public institutions and corporations, rather than individuals, because Exchange is a server product. Once the attacker's code ran on a vulnerable server, that server and the mailboxes it held were compromised.
Tasmanian Ambulance
This breach happened in January 2021. Details of everyone in Tasmania who had requested an ambulance since November 2020 were published on the internet, including highly sensitive health information such as HIV status. The website that published the stolen data ran to about 26,000 pages.
The Australian Cyber Security Centre worked to have the website taken down. The Tasmanian government treated the matter seriously and moved to protect patients' privacy, and the public was encouraged to keep using the ambulance service once the site exposing patient information was offline.
OAIC
Australian government agencies reported 33 data breaches to the OAIC in the period covered by its report, and most were the result of human error: personal information emailed to the wrong recipient, or documents posted to the wrong physical address.
One of these incidents was classified by the OAIC (the Office of the Australian Information Commissioner) as a brute-force attack, in which an attacker guessed credentials repeatedly until a set of login details was compromised. The report does not identify the agencies involved.
Consequences of a Data Breach
Every person has a right to privacy. Data breaches can cause emotional, physical, financial and reputational harm. The consequences include:
- Emotional distress
- Loss of business opportunities and employment
- Reputational damage
- Physical harm and intimidation
- Unwanted spam and phishing emails
- Disruption of services
When Should You Report a Data Breach?
Many companies have experienced data breaches, but not every breach has to be reported. A breach is reportable (an "eligible data breach" under the Privacy Act) when all of the following apply:
- There has been unauthorised access to, unauthorised disclosure of, or loss of personal information that the organisation or agency holds.
- The breach is likely to result in serious harm to one or more individuals.
- The organisation has not been able to prevent the likely risk of serious harm with remedial action.
When a business suspects a data breach, the owners should make sure the incident is investigated and assessed promptly, both to contain it and to determine whether it is likely to cause serious harm to individuals. The NDB scheme allows up to 30 days for this assessment.
Reporting a Data Breach
Under the Privacy Act 1988, once an organisation has reasonable grounds to believe an eligible data breach has occurred, it must notify the individuals at risk as soon as practicable. The notification should include:
- A description of the data breach.
- The kinds of information involved.
- Your business's name and contact details.
- Recommended steps the affected individuals should take in response.
The Notifiable Data Breaches (NDB) scheme requires any organisation covered by the Privacy Act that experiences an eligible data breach to notify both the affected individuals and the OAIC.
The scheme also gives examples of what counts as a data breach: a database holding personal information is hacked or leaked, a device holding personal information is lost or stolen, or personal information is mistakenly given to the wrong person.
Data breaches can affect any organisation or business. They can cause serious harm and losses even if you were not the intended target: a breach at a supplier, partner or service provider can expose your business's data too.
To avoid these consequences and protect customer and company data, every business should have proper security measures in place against cyber attacks.
And in the event of an attack, the company should already have an incident response plan it can put into action immediately, rather than working out what to do after the fact.
How cyber-secure is your business? Find out with our free cybersecurity health check.
It's a 30-minute Zoom call that walks through a checklist to assess your current cybersecurity posture, followed by a short report with advice and recommendations.