How Recent Cyberattacks are Shaping Personal Data Security in Australia

How Recent Cyberattacks are Shaping Personal Data Security in Australia?

We seem to be constantly hearing about the breaches of vast amounts of data these days, what's probably more worrying are the fact you only hear about the big ones. The smaller ones that don't get a lot of press or public fanfare can be just as significant.

In this article we will run through a few things to consider, covering personal and businesses with some solutions and considerations to beef up your defenses.

But first, how are recent data breaches actually affecting Australia? This is a worldwide problem but picking a country can help illustrate the dangers. Australia has not been as targeted when compared to Europe or the USA but that is changing. Cyble (cyble.com) has reported a 9% increase in cyber attacks in Australia between January and June in 2024 with numbers in 2025 likely to increase. This was 527 data breaches during this period which is significant, the scale of each of these will vary but the amount of incidents is concerning. This will affect Australia more and more as time goes on, worldwide Cyber Attacks are on the increase and countries such as Australia and New Zealand are quite behind with preparing to deal with this threat.

This means that Australia (and New Zealand) will need to take a more proactive approach to Cyber Security in both business and personal settings, this will lead to significant changes in habits and potentially having to purchase tools to help you keep safe. We will run through Personal and Business options on considerations and start pointing you the direction of tools out there that can help.

In this article we will not go into depth about breaches specifically, the information here is going to be brief so if you want more detail I would recommend checking out our other posts for more detail and keeping an eye on future posts where we will explain the nitty gritty.

What are the impacts?

Personal:

So what are the impacts of these breaches to yourself, your family, friends and the rest of the general publics daily lives? These can be significant or simply annoying but usually need dealing with, lets start with what data can be leaked that may affect you:

1. Personally Identifiable Information (PII) is held by companies with varying levels of information on you and your family.

   1. Personal details (Name, Date of Birth, Address, Phone number etc.)

   2. Medical information (Allergies, Medications and more)

   3. Financial information (Bank accounts, income, tax details, assets, payment cards)

   4. Passwords and Security questions

      1. Passwords can be stolen from sites during large breaches

      2. If you set up recovery questions - these are also targeted

      3. Recovery email addresses/contacts

2. Purchase history

3. Hobbies and Interests

4. Vehicle details

5. Employment details

There may be more, but we will focus on these as understanding this range will help you understand what could happen if this data falls into the hands of malicious actors.

PII

With the PII that may be stolen, most of the implications are as you would expect for this type of data:

• Identity fraud

• Payment fraud

• Prescription fraud

But some things you may not have considered include the recovery questions or emails/contacts. What some malicious actors may do is contact whoever is listed in the recovery section with the aims of getting them to help 'you' get logged back in - then they have access to whatever it may be (Social media accounts, company accounts etc.). With the recovery questions they can also try to pretend they are the victim (you) and reset the access to an account.

What you may also not be aware of, passwords can often be stored in plaintext if a company is not taking care of their security - so a breach of these means that users get your email address and password very easily and everywhere you use that combination is at risk of being taken over.

Also passwords that are encrypted but are simple to break pose the same risk.

Purchase history:

If your purchase history is leaked, most people think that is not a big deal. However think back to a conversation with your bank, a lot of them ask you to confirm recent purchases as a form of verification. This can absolutely be used by a malicious actor to great effect.

It can also help someone create a targeted attack via email or social media as they know you have an interest in a subject, then they send you a legitimate looking email with a malicious link included.

Hobbies and Interests:

As per the purchase history element above, this can be used to target you more cleverly and get you to click something you shouldn't.

Vehicle details:

As per the last two emails, this can also be used to craft emails that may tempt you to click on a link and give them access. Further to this there are also ways that this information can be used - there is an internet based way of targeting people known as SWATTING where someone calls the Police with a serious sounding report and the target finds Police descending on their address with expectations of active shooters - this poses risks to life of everyone involved and can also extend to cars and false reports being called in. When a Police agency looks up a rego and the description of the vehicle matches the records, it is likely to increase the credibility of the report.

This can also be used to fraudulently transfer ownership of vehicles into someone elses name, this can usually be sorted out however also runs a risk of the victim being arrested and will cause a lot of headaches.

Employment details:

If you look at recent events with the Charlie Kirk shooting, you will see how employment details can be used (see our other article for a more in-depth discussion on this subject specifically). However, this is nothing new, malicious actors however can use this information as leverage to get into the companies systems. They can also learn all about you then contact the company and pretend to be you or know you, then with that credibility they can coerce someone to click something or divulge information that may be useful to them in other ways.

So how can I reduce the risks of these incidents?

I would like to ensure readers look at the wording, the word 'reduce' rather than 'eliminate' is very deliberate as there are no guarantees. There is no way to be 100% safe on the internet especially with the data being in the hands of companies who may not be acting with honesty and integrity when it comes to your data.

There are companies that provide tools to help, below are some categories with related companies for you to look at - you should always make sure you look into the company and tools to see which one fits with your life and region.

• Password managers - these can create complex unique passwords for each logon and with the applications and extensions for browsers and phones, you never need to memorize these.

  • Keeper Security (We are partners for businesses not Personal editions, however I do use them in my personal life and they are great) : Keeper Security: Password Management and Privileged Access Management (PAM) Solution

  • NordPass is a good tool with a good security reputation : https://nordpass.com/

  • 1Password also has a good reputation and you may have seen Ryan Reynolds doing adverts for this: https://1password.com/

• Data Removal Services - it can be hard to keep track of where your data is these days, companies have seen this as a gap in the market and now offer their services to help tidy up your data.

  • Incogni - you have probably seen these guys sponsoring Youtube videos and they do a pretty good job: Data Broker Removal Service | Incogni

  • Optery are also a good option to look at: Remove Your Personal Information from Google - Optery

  • IDX - this is a US based company that also offers insurance to provide that peace of mind, if this is of interest but you are in a different part of the world then you may want to look for a local company that offers insurance : https://www.idx.us/

• MultiFactor Authentication (MFA or 2FA) should be setup for access to all your accounts, this provides that warning that your account has been breached and you need to change the password ASAP. There are multiple options out there for this, although this also depends on the company themselves:

  • Phone/SMS messages - you will get a text message or phone call to confirm access

  • Google/Microsoft/Other Authentication App - free to download on App stores

  • Email acknowledgements - This will email you to authorize access

These are some tools out there that can help, however you should also ensure you are following best practices:

• Do not provide more information than is needed

  • This also applies to applications on phones, this will be covered in a separate article.

• Check the legitimacy of a website/email first

  • We will provide a separate article on how to verify these in the near future

• Be wary of phone calls/emails asking for your information

• Do not reuse the same password and email for everything, if you can not afford a password manager then you may want to consider using a private email for sensitive accounts (Banks, Medical accounts) and then another email for shopping or blogs (including this one!) - and also ensure that you keep the passwords for sensitive accounts completely away from other sites.

• If you have a contact who has authority to recover your accounts, discuss with them how you will verify legitimate requests (phone call, text, water balloon)

There are other tips on how to stay safe online but this is already becoming a longer blog than intended! Have a read through our other entries and keep an eye out for more detailed entries as time goes on.

If you are not a company or business, then you can stop reading but it may be worth having a read of the next section for information as company security will directly affect you in the future.

Companies/Businesses:

The implications of security breaches for companies are not just an inconvenience, they can be subject to Civil or Criminal concequences depending on the severity. Some of these can be vast fines, if you look at the General Data Protection Regulation (EU and UK) you will see that they can range from the smaller €10M fines or 2% of the companies worldwide revenue (whichever is larger), to the more severe €20M or 4% of the companies worldwide revenue (whichever is larger).

Some examples of this are:

• Meta (Formerly Facebook) €1.2B for privacy violations with user data

• Google €50M fine for lack of transparency and issues with consent regarding ad personalization

• TikTok were fined €750,000 for not protecting the privacy of children

There are many more exampes on the internet, but companies cannot ignore the legal requirements when it comes to data. How many companies could whether this type of fine? Could yours?

Some responses when you mention these types of issues indicate they believe their insurance will cover it, this is not the case these days as most insurance companies have put so many clauses into the contracts they can usually get out of it by proving companies are negligent in how they are handling their Cyber Security. In my opinion this is fair as companies have been using the insurance argument to not spend money on securing the infrastructure or data, believing the company will be saved and that's all that matters rather than the implications to the public whose data has been entrusted to them.

So what are companies doing wrong?

Companies are struggling to keep up to date with security requirements, changes in the threat landscape, availability of trained personnel, lack of understanding of the threat in their company and also a general blasé approach to security.

The following are some of the key failings I have seen in many companies:

• Lack of patching of vulnerabilities

  • Websites running on old frameworks and never updated

  • Computers out of date

  • Software never updated once installed

  • Firewalls and Network equipment running on old firmware

  • Servers running on old firmware

  • Aniquated hardware that is no longer supported still running as it has never broken

• Lack of training or awareness

  • Technical staff are not trained on latest threats and procedures

  • Non-technical staff do not understand their responsibilities with data and security

  • Current threats are not ever disseminated to the company as a whole

• Legacy code never updated

  • Legacy code is never updated and is using old/no encryption

  • There is a fear of changing the old code or infrastructure as the person who created it has left and no one is willing to risk the downtime if they make a mistake

• Backups are not kept correctly

  • Backups of data are not kept securely, sometimes in the clear on a server in the same network with no segmentation meaning that data could be accessed by a breach

  • Backups kept on the same site so no redundancy is built into the plan

  • Some companies are using old tape backups and then not storing the tapes securely

• No access control

  • This translates to physical as well as digital, companies do not control or monitor/log who has accessed items or data.

• Antiquated cameras or security systems

  • Old security systems may not capture information in a useful way so are just for show.

  • Cameras may be failing but are not replaced as they still give the appearance of security

  • No alerting functions set up so you are only reactive once a breach has been discovered

• Lack of monitoring

  • Monitoring is tricky when you don't have staff, so some companies accept the risk rather than pay people/companies.

  • Some companies cannot find the staff to monitor for breaches 24/7

• Tick box attitude - to avoid running this article on too long I will bunch a few into this category. Companies are doing the bare minimum to tick a box for audits or customer queries, however when you look into these subjects they are usually woeful at best.

  • Business Continuity Plans (BCPs) are there in name and consist of a phone call being planned rather than an actual BCP

  • Incident Response (IR) is vague, slow and undefined in any real terms

  • Recovery is basic and not tested or altered

  • Hired a Security person to tick a box, that person has no tools, budget, team, documentation or authority to do their job effectively

  • Old software that is out of date (various including Anti-Virus, VPNs etc.)

  • and much more

I have also consulted companies who hold vast amounts of PII and are not encrypting it at any stage, not working at improving or aware of the consequences.

How can we fix this in our company?

For companies and businesses, the first step will be understanding the problem. You will need to bring someone in who will assess the company at all levels and create a prioritized list of what needs to change. This person should absolutely sign an NDA before doing this work!

Once you have a report, you should act on the threats accordingly - you should not rest on your laurels as even showing you are making efforts to improve your security situation can buy you some leniency in the event something happens.

What tools/services are available to help me quickly?

There are many out there, we at SecuriKiwi do have several partners and cover the scope of everything covered in this article for businesses. Within a very short timeframe we can make a plan and start to provide a rapid uplift of your security stance and help you rest easily and gain the trust of the public (hopefully this will help you gain more customers too).

Our services and partners can be read about here: Solutions & Partners | SecuriKiwi

We can also do an in person or virtual assessment with you, just contact us by our booking form and we can discuss with you : Consultancy Services | SecuriKiwi

Impact if you don't do anything

If you choose to ignore problems and risks the results can be significant, financially we have discussed the GDPR - however we have not mentioned the criminal liability. This is a consideration as it can lead to major personal impact for high levels of companies (CEOs and Directors/Boards) and can lead to being imprisoned, this is obviously largely going to depend on where you are in the world and as I am not a lawyer it would be advisable to consult a legal team to confirm what your concequences could be. This should also include not only local laws, but international laws in countries you operate in as extradition is also on the cards for the most serious incidents.

Norton Rose Fulbright are a worldwide legal company and wrote the article below, it is worth a read and as they operate across the globe they may be worth having a chat with (Note: this is not sponsored - just a company I found with a very informative article).

Cyber risk and directors' liabilities: an international perspective | Australia | Global law firm | Norton Rose Fulbright

Summary

So the summary really boils down to know and understand the risks to yourselves either in your personal or work lives, do not get complacent with security as it can quickly have a negative effect on you, make use of tools that can help you stay safe and lastly, make sure you check out companies security considerations before signing with them (this applies to businesses too - you are only as strong as your weakest link).

SecuriKiwi can help you, if you have questions about your personal security then send us a message and we will get back to you with some advice - if you're a company wanting either one of our partner deals or our services to help build up your security stance then drop us a line!

Thank you for reading this far, stay safe out there!