Mitigating the losses from data leaks

Australia has seen its fair share of high-profile data leaks in recent years, and 2023 began with another huge breach with consumer finance provider Latitude Finance confirming that details of 14 million of its customers had been stolen in what has gone down as one of Australia’s largest data breaches to date.

As fallout from the Latitude Finance hack continues to hit the headlines, and the Australian government looks to revise its cybersecurity frameworks and policies, we look at the increasing threat of data breaches, and how mobile intelligence data is being used to strengthen identity proofing that can help to mitigate the risks to consumers from stolen data being used by criminals. 

Australia’s data breaches:

1.    Optus data breach September 2022
Suspected state-sponsored cybercriminals breach Optus’ defences, compromising personal information of up to 9.8 million customers.

2.    Eastern Health data breach - March 2021
A suspected ransomware attack on Eastern Health leaves staff in 4 Melbourne hospitals unable to access critical patient data leading to a forced shutdown of IT systems. Investigations following the incident revealed that 200,000 files were stolen containing information on around 31,500 patients and 280 staff.

3.    ProctorU data breach July 2020
Online exam site ProctorU is targeted resulting in the user records and personal information of 444,000 students being compromised.

4.    Canva data breach May 2019
A hacker known as Ghosticplayers breaches Canva’s cybersecurity impacting 137 million of its users, accessing PII data, encrypted passwords, and partial payment data. 

5.    Australian National University data breach November 2018
Hackers deploy spear-phishing attacks in a highly sophisticated cyberattack on the Australian National University to access sensitive personal information including financial data that impacts 200,000 students.

The threat from data breaches

Data breaches are damaging to both the victims of lost data and the organisations at the centre of them. In 2022 IBM reported the average cost of a data breach was $4.35 million, with the long-term cost to reputation and brand value being incalculable, and sometimes catastrophic. Today business leaders consider cybersecurity as a direct threat to their business operations. 

Despite regulation and laws trying to keep up with the rapid pace of change in the digital sector and strengthening cybersecurity efforts, it is widely regarded that data breaches will remain a constant threat. In fact, when you consider that over 50% of cyberattacks are a result of human error, eliminating data breaches entirely is an unrealistic expectation.

Prevention

The first step towards preventing data breaches is understanding how and why they happen. 

Rather than high-tech hackers accessing data remotely, a great many data breaches start with social engineering, phishing emails and increasingly from criminals stealing phones, laptops, and storage devices. As workforces have become more mobile, devices not only provide access to an individual’s personal information but also as an access point to corporate networks from where criminals can orchestrate attacks. 

Not all data breaches start with malicious intent, data can be lost through leaving sensitive information exposed in unprotected spaces to individuals inadvertently sending emails to the wrong recipients.

As the threat landscape becomes increasingly complex the risk of data loss grows. For those that perpetrate data breaches the common goal is ultimately the harvesting of personal information which then becomes the fuel for identity theft.

Your identity is at risk

The greatest risk to consumers from stolen data is the risk of financial loss as cyber criminals use stolen data to perpetrate financial fraud. Personal information obtained through data breaches becomes a valuable commodity on the dark web where fraudsters and scammers use it to target victims with scams and circumvent cybersecurity efforts. This shady activity has been illustrated most recently with the shutdown of the Genesis Marketplace, one of world’s largest criminal marketplaces used by fraudsters to trade stolen data.  

Fraudsters use stolen data for all kinds of malicious activity including account takeovers, fraudulent purchases and conducting elaborate impersonation frauds. Identity is at the heart of fraud and cybercriminals know how to use even small amounts of personal information to their advantage. Authorised Push Payment fraud of which coercive bank fraud is a type is a prime example of how fraudsters use stolen data to target their victims. Having obtained a target’s name, mobile number and where they bank, fraudsters call them posing as their bank to coerce them through a scam that eventually results in the account holder transferring money into an account controlled by the criminals. This kind of scam has previously been difficult to spot as it coerces the legitimate account holder into taking the action themselves. Only recently have we been able to use our Mobile Intelligence data to help banks stop this kind of fraud. 

What can we do?
Stronger identity verification and authentication

While efforts to reduce data breaches must continue the more organisations focus on how they can better verify and authenticate the identity of customers the more difficult cybercriminals will find it to leverage stolen data. In recent years regulation has imposed strict verification requirements through a process called ‘Strong Customer Authentication’ or SCA, which is required to meet European Payment Services Directives (PSD2) and Australia's Consumer Data Right Act. Focussed on tackling online fraud, SCA saw the widespread adoption of 2-Factor Authentication (2FA) where consumers confirm their identity to login to accounts via a password followed by authenticating a code delivered to their smartphones. While 2FA isn’t full proof it has helped to significantly reduce accounts from being hacked.

The principle of using multiple data points to verify identity is a powerful strategy in the fight against fraud, and JT's Mobile Intelligence solutions bring a wealth of real-time, friction-free datasets from global Mobile Network Operators that they leverage to verify and authenticate identity, and protect consumers and businesses from the growing threat of fraud. Banks from the UK to Australia are adding mobile operator data into their cybersecurity workflows to protect their account holders from financial loss.

Rupert Goldie, Managing Director for JT Australasia says, “The greater the number of datasets an organisation can draw on to verify that a customer is who they say they are, the better it will be at preventing fraud. While data is a commodity for fraudsters, we can also use it against them by ensuring that organisations have access to multiple datasets to add extra layers of security to their identity verification procedures. The beauty of mobile operator data is that we provide it in real-time which minimises friction and improves customer experiences. Additionally, we’re able to use this data to spot the signs of coercive financial fraud, traditionally very hard to combat.’’