If your personal details were stolen or breached, would you want to know?
There is a debate going on in Australia at the moment regarding ‘Mandatory Breach Notification’. What this means is that if a business has its database compromised (hacked, leaked, stolen, etc.) then it has a legal obligation to notify its customers so they can do something about it.
Some argue that the negative publicity of having to tell your customers you were “hacked” could ruin a business. Aon Insurance has estimated the damage of a data breach is approximately AUD$125 per record stolen. What does that translate to for your business?
Others argue that we should be focused on protecting the customers private information and that businesses need to act responsibly, including responding quickly with an announcement that ensures everyone possibly affected is aware, irrespective of the negative PR it may cause.
You probably have your own view on this, but let me put the question another way: If your personal details were leaked, would you want to know?
With just a little bit of information, someone can steal your identity, apply for finance and run up huge bills; or cross borders they are otherwise prohibited from crossing (think terrorists, people smugglers, etc.).
By being notified that your details have been compromised you have the ability to proactively contact your bank, the ATO and any other relevant organisation to let them know your details may have been stolen, to have the old details cancelled if necessary and new credentials issued – including credit cards, tax file numbers, etc.
Many years ago my girlfriend at the time worked on a ‘Ben-Hur’ stage show in Sydney. It turned out that nearly everyone on that show had their tax details compromised and someone lodged fake tax returns. I know this because I opened the letter from an accountancy firm that processed the dodgy tax return lodged against her!
On Wednesday of this week (30th September 2015), Kmart Australia’s online service was hacked. Kmart has stated that no credit card data was stolen during the breach, and that the “data stolen was limited to name, email address, delivery and billing address, telephone number and product purchase details”.
These details are still sufficient to launch a very targeted phishing attack, which could lead to someone inadvertently handing over their credit card details. Something as simple as a fake email advising the person that payment for the product they just purchased has failed, and that they need to log back into the Kmart Online website and enter new payment details, would probably be enough to trick some people – especially when the email gets their name, address and the exact product right.
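To make the “failed payment” scenario concrete, here is an added example (not code from the original post, and nothing to do with Kmart’s actual systems) of the one check that defeats it: does the link in the email really go to the retailer’s domain? It assumes kmart.com.au is the legitimate domain; the two sample emails, the customer name, the product and the look-alike domain kmart-payments.example are all constructed for the example.

```python
"""Flag a phishing email that reuses breached order data but links elsewhere.

Added example, not from the original post. Assumptions: the retailer's
legitimate registrable domain is kmart.com.au; the sample emails, customer
name, product and the look-alike domain kmart-payments.example are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGITIMATE_DOMAINS = {"kmart.com.au"}  # assumption for this example


class LinkExtractor(HTMLParser):
    """Collects (href, visible link text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 that copes with second-level ccTLDs such as .com.au.
    Good enough for the example; production code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    if (len(parts) >= 3 and parts[-2] in {"com", "net", "org", "gov", "edu"}
            and len(parts[-1]) == 2):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def is_legitimate(url):
    """True only if the link's registrable domain is on the allowlist.
    Subdomain tricks like kmart.com.au.attacker.example are not fooled by this."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) in LEGITIMATE_DOMAINS


def analyse(html_body):
    """Return a list of red flags for the email body; an empty list means none found."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not is_legitimate(href):
            findings.append(f"link to non-legitimate domain: {href}")
        # A URL shown as link text that differs from the real href is a classic lure.
        shown = re.search(r"https?://\S+", text)
        if shown:
            shown_host = urlparse(shown.group()).hostname or ""
            real_host = urlparse(href).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(real_host):
                findings.append(f"display text {text!r} does not match href {href}")
    return findings


# Constructed samples: the lure uses breached fields (name, product) and a look-alike host.
PHISHING_EMAIL = """<p>Dear Jane Citizen,</p>
<p>Payment for your order (Ryobi 18V Drill Kit) has failed. Please log in at
<a href="https://kmart.com.au.kmart-payments.example/login">https://www.kmart.com.au/login</a>
and re-enter your payment details.</p>"""

LEGIT_EMAIL = """<p>Hi Jane,</p>
<p>Your order has shipped. <a href="https://www.kmart.com.au/orders">View your order</a>.</p>"""

if __name__ == "__main__":
    for label, body in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, analyse(body) or "no red flags")
```

The point of the example is that the personalised content (name, address, product) is exactly what the breach handed the attacker, so it cannot be used to judge the email; only the destination of the link can.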
Kmart has at least responded and let customers know. Was it fast enough? Was it public enough? Either way, it’s certainly in the media now!
Laws already exist to fine businesses up to $1.7 million for a breach of the Privacy Principles. Although we haven’t seen any fines issued yet, it is only a matter of time until we all get a wake-up call.
With Mandatory Breach Notification on the cards, it’s time businesses stepped up to the plate and started taking the protection of their customer data more seriously, or risked massive fines, negative publicity and possibly the closure of the business.
So what should you do?
Number one, accept there’s a problem and start educating yourself and your team instead of burying your head in the sand.
By learning about the cyber-criminal underground and the types of tricks these people use to hack, phish and otherwise steal data and money, you have a much better chance of protecting yourself, your staff and, most importantly, your customers from a breach.
Number two, realise it’s time to increase your budget for IT, particularly in the case of protecting your network.
This may sound like a sales pitch, but it’s really not acceptable for a business like a medical practice, which stores thousands of patients’ confidential records (the #1 target for identity thieves), to be self-managing its IT, or to have some inexperienced one-man band or a relative try to protect its systems.
Number three, start putting proper security policies in place.
Work computers are for work, not pleasure. Security restrictions on the work computer aren’t meant to stop you from doing your job, they’re to help limit the chance that a breach occurs. Let’s accept that and move on. Any employee who isn’t willing to accept that is probably doing things they shouldn’t be doing anyway!
If you don’t have a computer usage policy and an internet access policy that clearly state that the computers and internet are for business use, that you ‘own’ the systems and have the right to inspect emails and internet traffic, and that you may if necessary terminate an employee for violating these terms, you could find yourself in a big legal issue. See a lawyer and get it sorted NOW!
Number four, get an independent assessment of your IT systems.
It doesn’t matter how happy you are with your IT guy (or gal!). You may have worked with them for 20 years, gone to school together, and been best man at their wedding. If they aren’t doing their job properly and you get breached, how’s that “relationship” going to look?