Passport, tax, bank data stolen as millions hacked
EXCLUSIVE: Cyber criminals have stolen the private details of millions of Australians, with new data revealing Aussies have been hit by more than 800 data breaches that could cause "serious harm" in the past year.
Passport numbers, bank details, credit card or tax file numbers, driver's licences, health information and contact details were lost or stolen in breaches that are occurring at a rate of at least two per day, Office of the Australian Information Commissioner figures show.
A staggering number of people - between one and 10 million - were exposed to serious harm in a single data breach in late 2018, while a whopping 64 per cent of the 262 data breaches in the December quarter were the result of hackers conducting "malicious or criminal attacks".
Phishing, malware, ransomware and "brute-force" attacks were some of the key tactics hackers used, along with using compromised or stolen credentials, social engineering or impersonation.
Rogue employees or an "insider threat" were responsible in 12 per cent of criminal data breach cases.
The number of data breaches in 2018 was a massive seven times higher than in 2017, when only 114 breaches were reported, thanks to the government introducing mandatory reporting in February.
But experts are calling for the law to be reviewed now the extent of the problem has been revealed, including considering whether Australia should adopt fines for companies which allow a data breach to occur through carelessness.
Under the scheme, companies or government agencies face fines of up to $2.1 million if they do not report within 30 days when customers' personal information is lost, stolen or accessed by an unauthorised third party.
Even then, companies are only required to report if the customer could be exposed to "serious harm" through the breach.
Shadow Attorney-General Mark Dreyfus stopped short of saying Labor would launch a review but told News Corp Australia the party would "scrutinise" the legislation if it won government to "ensure it is working as intended".
He said it was encouraging data breaches were being reported but added "the sheer volume is obviously concerning".
Digital security expert Troy Hunt, founder of the globally renowned website Have I Been Pwned?, said a full review was needed, particularly of the 30-day period companies have to report, the requirement that there must be a risk of serious harm, and the fact that mandatory reporting applies only to companies with turnovers of more than $3 million annually.
Companies in the European Union have just 72 hours to report.
Mr Hunt also said fines should be introduced for companies which allowed breaches to occur through carelessness, as in the UK where authorities slapped telco TalkTalk with a £400,000 (AU$728,000) fine after an investigation found hackers were able to access systems "with ease" and take advantage of "technical weaknesses".
"There needs to be some sort of disincentive for organisations to have these incidents," Mr Hunt said.
"Without some sort of regulatory penalty, it's hard to see where that is, other than their own fear of reputation damage."
University of NSW cyber director Nigel Phair also called for a review to examine the current laws as well as the OAIC's resources and capacity to investigate breaches.
"This should include trends with breach notification, what organisations are doing to fulfil the spirit of the legislation and is the reporting template sufficiently granular to enable accurate reporting," he said.
"We also need more granular reporting from the OAIC regarding industry sectors where breaches occur, the number of investigations commenced and the outcomes, including any fines and/or enforceable undertakings."