B Vrettos and M Bacina

Data breached? Ready Responses for Companies and Individuals


Hacks, data leaks and data breaches are fast becoming a fact of the digital age.


A recent leak of names and email addresses from leading Australian digital currency exchange BTC Markets demonstrates the importance of both internal data breach and incident response practices for companies. In this situation, the use of a third party email system resulted in emails being sent in batches of 1,000, with all 1,000 addressees visible to each other in every batch. The response from BTC Markets has been swift and forthright, showing the maturity of the digital currency exchange space.
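As an added illustration (not code from the article, from BTC Markets or from its email provider), the Python below reproduces the bulk-mail mistake described above beside the safer pattern and a pre-send check that refuses a batch which exposes other customers' addresses; the sender address and customer list are constructed.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterator, List


def build_batches(sender: str, subject: str, body: str, recipients: List[str],
                  batch_size: int = 1000, use_bcc: bool = True) -> Iterator[EmailMessage]:
    """Yield one message per batch of `batch_size` customers.

    use_bcc=True  -> every customer goes in Bcc; only the sender is visible.
    use_bcc=False -> reproduces the mistake described above: the whole batch
                     is listed in To, so each recipient sees everyone else.
    """
    for start in range(0, len(recipients), batch_size):
        batch = recipients[start:start + batch_size]
        msg = EmailMessage()
        msg["From"] = sender
        msg["Subject"] = subject
        if use_bcc:
            msg["To"] = sender             # the only address other recipients can see
            msg["Bcc"] = ", ".join(batch)  # smtplib.send_message strips Bcc before sending
        else:
            msg["To"] = ", ".join(batch)   # the leak: 1,000 addresses in one visible header
        msg.set_content(body)
        yield msg


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Every address a recipient of `msg` will be able to read (To and Cc only)."""
    values = [v for v in (msg.get("To"), msg.get("Cc")) if v]
    return [addr for _, addr in getaddresses(values) if addr]


def safe_to_send(msg: EmailMessage, sender: str) -> bool:
    """Pre-send guard: refuse any message that exposes an address other than our own."""
    return all(addr == sender for addr in visible_recipients(msg))


if __name__ == "__main__":
    # Constructed sample data; no real customers.
    sender = "notices@exchange.example"
    customers = [f"customer{i}@example.com" for i in range(2500)]
    for use_bcc in (False, True):
        batches = list(build_batches(sender, "Notice", "Hello", customers, use_bcc=use_bcc))
        verdicts = [safe_to_send(m, sender) for m in batches]
        print(f"use_bcc={use_bcc}: {len(batches)} batches, all safe to send: {all(verdicts)}")
```

The guard belongs in the sending path of whatever tooling the provider or your own team uses, so that a batch with more than one visible recipient is blocked before it leaves.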


This is a reminder to companies, but also to users, to secure their own data and protect themselves from scams or impersonation by bad actors - but what's the best way to do this?


For a company


1. Understand your third party arrangements and their data practices


When using third party providers to handle your (or your clients') data, whether a cloud provider storing data or a marketing provider distributing content on your behalf, it is important to have terms in place setting data handling standards.


Make sure that privacy standards are clearly defined, e.g. compliance with Australian privacy laws or with your own privacy policy, and make sure these standards are reasonable from your point of view.


2. Plan for a data breach


If a data breach does occur (and one is all but inevitable), have a plan, and make sure it covers how you will address your customers and their specific needs. Regulators are increasingly treating undetected and significant data breaches as a breach of a business's compliance obligations. This includes financial services: earlier this year ASIC commenced proceedings against RI Advice Group over shortcomings in its handling of a data breach in which malicious users had access to servers for more than 155 hours and which went undetected for a significant period of time.


ASIC alleges that the failure to have adequate policies was a breach of the firm's Australian Financial Services Licence (AFSL) requirements, and loss of the AFSL would effectively close the business. Even defending such an action by ASIC is very costly.


3. Report quickly and transparently


If you are an "APP entity" under the Privacy Act you may have obligations to report a data breach, and delay in doing so could itself be a compliance breach. Make sure you know how and where to report a data breach, and that your staff are trained to lodge reports.


As an individual


There are a few key steps individuals can take to protect themselves in the event of a data breach, when they are at the most risk of phishing attacks or an attacker trying to break into their online accounts.


1. Two factor authentication is critical


Leverage your devices for security. Two factor authentication (2FA) means using a second method, beyond just a password, for critical actions such as logging into a website. Usually this is an SMS code or an authenticator app (the second option is vastly superior security-wise), and it protects you even if an attacker has obtained your web credentials and tries to use them to get into an account.


2. Password generators


Using a password manager or generator, such as LastPass or 1Password, can help generate strong passwords, store digital records and provide alerts when your data is at risk. This is one of the simplest habits for everyone to adopt, with the master password or recovery key stored in a physically secure location (and potentially with your Will).


3. Better passwords


If nothing else, simply use better and stronger passwords. '123456' and 'password' remain among the most common passwords according to NordPass' list of the top 200 most common passwords of the year. The Australian Cyber Security Centre has released comprehensive guidance on developing strong passphrases. A simple approach is to use a nonsensical phrase that is easy to remember but hard for a brute force attack to defeat.


Ultimately, individuals and businesses must be proactive about cyber security and take steps in advance of a breach occurring, with an action plan for when (not if) some kind of data breach occurs.

© Michael Bacina. All rights reserved
