Catagory:Report & Surveys

1
Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on
2
Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia
3
Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents
4
Scammers are becoming more tech-savvy according to the ACCC’s Targeting Scams report
5
REPORT FINDS MORE THAN HALF OF RANSOMWARE VICTIMS WOULD PAY THE RANSOM
6
Un-“tapped” Potential: Gen Z and transactions
7
Q4 NOTIFIABLE DATA BREACHES CONTINUE TO RISE
8
Android users beware the 21st century Trojan horse
9
Cybersecurity: location, location, location
10
Cyber-criminals outspend organisations more than 10 times in bid to find cybersecurity weaknesses – who says cyber-crime doesn’t pay?

Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights to come out of the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.

Read More

Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).

Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and corresponding passwords, are stolen, typically from a previous security breach. The account credential combinations are then used to try and gain access to accounts at other sites via an automated and large-scale web application directed to multiple logins. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.

Read More

Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents

By Cameron Abbott, Rob Pulham and Rebecca Gill

It’s Privacy Awareness Week and today’s topic is “data breaches”. With data breaches and responding to cyber attacks becoming an inevitable part of doing business, it’s a timely reminder about the importance of adequately resourcing your IT security areas, and of having comprehensive and well-tested data breach response plans in place, as illustrated by the Fourth Annual Study on The Cyber Resilient Organization (Study), conducted by the Ponemon Institute on behalf of IBM Resilient.

The Study surveyed 3,655 IT and IT security practitioners in 11 countries and regions, including Australia. The results of the Study indicate that a majority of Australian businesses are vulnerable to cyber-attacks due to a lack of skilled personnel and incident response plans.

Read More

Scammers are becoming more tech-savvy according to the ACCC’s Targeting Scams report

By Cameron Abbott and Rebecca Gill

Australian businesses and consumers were duped into paying scammers with nearly half a billion dollars in 2018 according to the ACCC’s Targeting Scams: Report of the ACCC on scam activity 2018 (Report). The Report also highlights the use of sophisticated technology by scammers.

According to the Report, the most financially harmful scam affecting Australian businesses was the ‘business email compromise’ (BEC) scam. This involved a scammer gaining access to a business’s entire email or IT system. The scammer would then impersonate the business and send emails to suppliers and customers of the business, advising changes to payment details.

Read More

REPORT FINDS MORE THAN HALF OF RANSOMWARE VICTIMS WOULD PAY THE RANSOM

By Cameron Abbott, Rob Pulham and Rebecca Gill

Telstra’s 2019 Security Report has found that majority of the respondents who have been victims of ransomware attacks have paid the attackers to unlock files. Many of these respondents successfully retrieved their data after paying the ransom.

Of the 320 Australian respondents, 51 per cent said that they had paid ransomware attackers to regain access to encrypted files. Further, the Report found that 77 per cent of Australian businesses that had paid a ransom were able to retrieve their data after making the payment. Whilst this was the lowest rate of data retrieval post-payment out of the 13 countries in the survey, 79 per cent of the Australian respondents still said that they would pay the ransom again if they had no back-up files available.

Read More

Un-“tapped” Potential: Gen Z and transactions

By Cameron Abbott and Sara Zokaei Fard

Gen Z, those born between 1995 and 2005, are pushing innovation in the payment and transaction space with higher expectations from mobile experiences. Gone are the days that a credit card was swiped and bank transfers were used, transacting with an iPhone using Apple Pay and using PayPal is now taking the forefront.

American Express has released data showing that 68% of Gen Z’ers say they want instant person-to-person payments! This instantaneous requirement is also reflected in Gen Z’s use of membership programs. Membership cards are a thing of the past with digital rewards programs via apps now replacing cards.

The data also explores what factors would stop Gen Z from using a product or service in contrast to Gen Y. Interestingly, poor responsiveness on social media would stop 9% of Gen Y but more than double that figure, 21% for Gen Z. Even more stunningly four out of five Gen Z’ers are comfortable at openly conceding that they allow social media to influence their purchasing decisions!

The mobile phone is the ubiquitous device of this generation, try to drive their behaviour with yesterday’s technology and paradigms at your peril!

Q4 NOTIFIABLE DATA BREACHES CONTINUE TO RISE

By Cameron Abbott, Rob Pulham and Ella Richards.

The Office of the Australian Information Commissioner (OAIC) has released its fourth quarter report of notifiable data breaches between October – December 2018.

The report exposed that the OAIC received 262 notifications of data breaches, which has increased from the 245 notifications that were reported the previous quarter. Below are the key findings from their report:

  • The OAIC report identified the top five sectors who reported data breaches. Private health service providers reported 54 breaches, the finance sector reported 40 breaches, professional services reported 23 breaches, private education providers reported 21 breaches and the mining and manufacturing industry has made its first appearance with a reported 12 breaches.
  • 85% of data breaches involved individual’s contact details, 47% involved financial details, 36% involved identity details, 27% involved health details, 18% involved tax file numbers, and 9% involved other types of personal information.
  • The sources of breach varied, with 64% of data breaches due to malicious or criminal attack, 33% due to human error, and 3% due to system faults.
  • The report also breaks down the breach types per industry. Interestingly, the finance sector experienced the most malicious cyber attacks, and human error dominated the healthcare sector.

Even though 60% of the total breaches involved personal information of 100 individuals or fewer, there were a couple of notifications affecting a significantly higher number of individuals (including one that affected more than 1 million individuals). Human error breaches resulting in the unauthorised disclosure of personal information (via unintended release or publication) impacted an average of more than 17,000 individuals per breach (though this average seems likely to have been skewed by some particularly large breaches), and the failure to securely dispose of personal information affected an average of 300 individuals per breach.

Most data breaches resulted from malicious attacks which gain access through compromised credentials (such as phishing emails or stolen username and passwords). So, if you believe that the email from your CEO requesting your bank details for your exorbitant raise is legitimate, think again!

Android users beware the 21st century Trojan horse

By Cameron Abbott and Sara Zokaei Fard

Here’s one to keep and eye out for – research from ESET has discovered an Android Trojan that attempts to steal funds from PayPal accounts. The malware is distributed by third-party apps rather than the Google Playstore. Once the app is launched, no functionality is provided. Instead, the app terminates and the icon is hidden. When the victim launches their PayPal App, the malware attempts to steal funds.

The interesting thing about this malware is that unlike most, it does not focus on phishing. This malware attacks the victim and attempts to instantly transfer money to the attacker’s account, when the user launches their PayPal App. The malware is able to hijack the legitimate PayPal App through the malware downloaded through the third-party app. This raises concerns of what applications on Android mobile devices will be attacked next.

Cybersecurity: location, location, location

Authors: Cameron Abbott and Sara Zokaei Fard

According to a report published by BitSight on 4 December 2018, “Are the New European Cybersecurity Regulations Working?”, Europe is one of the only exceptions to a global decline in security performance. There are regular occurrences of cybersecurity compromises around the world, with some sectors such as Technology consistently performing weaker than others. Companies in the Finance sector continue to be the world’s strongest cybersecurity performers, due to their high regulative overlay. While “continental cybersecurity performance continues to decline”, in Europe, cybersecurity performance is improving to an extent unlike any other continent in the world.

The General Data Protection Regulation (GDPR) officially went into effect in the European Union in May 2018. The GDPR is a landmark European Union law, that sets significant punitive fines at up to 4% of global revenue if organisations do not implement a broad set of cybersecurity requirements in certain circumstances. In the months following the implementation of the GDPR, European security performance has consistently improved and now significantly surpasses all other continents. In this same time frame, Oceania’s cybersecurity performance has spiralled downwards.

BitSight states “the chorus for GDPR-style regulation is growing internationally”. The statistics certainly support this.  However others argue that countries like the US demonstrate significant competitive advantage in developing highly valuable big data and social media intellectual property because of the lower regulatory environment encouraging innovators.  The value to economies of these industry segments is significant.

Cyber-criminals outspend organisations more than 10 times in bid to find cybersecurity weaknesses – who says cyber-crime doesn’t pay?

By Cameron AbbottRob Pulham and Colette Légeret

Cyber attackers are able to search for that one weak link in corporations defences whereas corporates have to create a completely strong chain of defence against every possible scenario.  This asymmetrical fight would you think mean organisations would have to outspend attackers by many multiples.

However, according to software company, Carbon Black, the situation is worse than that because it appears that cyber criminals are outspending corporation!  Cyber-crime is big business, and as such, cyber-criminals are spending an estimated $1 trillion each year on finding weaknesses in the cyber defences of organisations and developing new ways of attacking them, in comparison to the $96 billion spent by organisations in an attempt to secure themselves from these cyber-attacks.

Read More

Copyright © 2024, K&L Gates LLP. All Rights Reserved.