RI Advice hit with $750k penalty for poor cybersecurity
Financial services company RI Advice has been ordered to pay $750k after sustained failures in its cybersecurity, in a first for Australia. The organisation was found to have breached its license obligations by not having “adequate risk management systems”, according to the Australian Securities and Investments Commission (ASIC), which brought the case to the federal court.
The $750k will go towards ASIC’s legal costs, with RI Advice also required to bring in an external cybersecurity expert to assist its own team. RI Advice and its representatives suffered several cyber incidents between 2014 and 2020, including a brute force attack that gained access to confidential records over a five-month period. “Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services,” said judge Helen Rofe. “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”
RI Advice was found to have acted too slowly after discovering problems with its compliance system, and to have failed to audit compliance measures effectively. The message is clear: organisations must view breaches holistically, not as one-off incidents, and use their findings to build better cyber resilience.
Thousands of customers’ details taken from AA Traveller NZ
AA Traveller has announced a serious breach affecting hundreds of thousands of customers. Cyberattackers have taken details including names, contact details and expired credit card numbers used on the company’s website over 15 years. AA Traveller, which provides travel services and is affiliated with the New Zealand Automobile Association, said the data was taken in August 2021, with the attack being identified in March this year.
The breach affects customers who accessed AA Traveller’s now-defunct booking website between 2003 and 2018. The company announced that “a vulnerability in the application where the AA Traveller website information was stored” allowed an unauthorised party to access the information, and that they “immediately moved to remedy the vulnerability”.
Most affected customers have already been contacted, with the company advising people to change any passwords that they might use across multiple accounts. The incident is a reminder of the importance of using unique passwords and changing them promptly after a breach. Scammers who already possess some of your personal data are a real risk, as they can use it to make social engineering attacks more convincing.
Two-thirds of Australians say they have “no choice” but to share their personal data
Most Australians say they feel obliged to share their personal data in order to access online services, according to a recent YouGov poll. The survey found that 64% felt they did not have a choice about sharing their data online, with 66% saying they had no idea how many companies they shared personal information with.
The study also revealed the attitudes to data sharing across different sectors, with 43% saying they trusted financial services to keep their confidential information private. Retailers (6%), social media firms (9%) and messaging services such as WhatsApp (10%) were less trusted.
The results coincide with another survey which found that only a quarter of Australians vet companies on their data security before sharing information. However, 90% of people said they would stop spending money with a company that compromised their personal data. The surveys paint a mixed picture, but underline the importance of data privacy to company reputation – proof, if it were needed, that cybersecurity is a business issue, not just an IT one.
Covid tracking app puts Western Australians’ data at risk
Western Australia's COVID-19 contact tracing system has significant security issues, putting the data of over half-a-million people at risk. Numerous issues were raised by an auditor-general report shared in parliament, including a lack of encryption, flawed logging, a lack of restrictions on malware, errors from manual data entry and poor communication with the public, while a former contractor was found to still have access to sensitive information.
WA Health’s cloud-based system, known as the Public Health COVID Unified System (PHOCUS), harvests medical information, SafeWA check-ins, SmartRiders, taxishare services and CCTV footage. Curtin University internet studies professor Tama Leaver said privacy laws were a major concern. “I don't think any of this data has been gathered illegally in the state,” she explained, “but that's because I think the state's laws are inefficient for looking after people's privacy.”
WA Health has said it welcomes the findings, and will work to implement the report’s recommendations, including improving transparency and making sure data is both secure and accessible. Government bodies are increasingly under threat from state-linked actors and – with WA’s parliament itself attacked last year – organisations must ensure their assets are protected.
Over 90k SA workers now affected by Frontier Software attack
Over 10,000 new victims of a 2021 ransomware attack that hit the South Australian government’s payroll have been discovered. The tax and bank account details of 80,000 workers were initially believed to have been exposed in the incident. But South Australia's Treasurer Stephen Mullighan says a report by accounting giant PricewaterhouseCoopers shows an additional 13,088 current and former public servants had their personal data stolen in the attack on payroll provider Frontier Software.
Some data was briefly posted on the dark web, but little detail has emerged in the months since the breach. “There is no information regarding any ransom which may have been paid or how Frontier managed engagement with the overseas cybercriminals in relation to this attack,” said Mullighan. Frontier Software are believed to have strengthened their defences after the attack.
Ransomware gangs have been under the spotlight in recent months, especially after leaks revealed the strength – and some of the weaknesses – of the prominent Conti gang.
NZ investors caught up in crypto breach
Kiwis were among the investors affected by a breach at crypto exchange AlphaEx. The exchange, which had almost a million users worldwide, is now defunct – but that didn’t stop data including drivers’ licenses and passports being published on the dark web. Twenty-four New Zealanders were affected by the breach.
The news comes two years after thousands of New Zealanders were affected when exchange Cryptopia was hacked. International exchanges tend to offer lower fees than New Zealand-based companies, but may be less secure, with investments and personal data less likely to be safeguarded. AlphaEx was unauthorised and had already been flagged by regulators. People who have been affected are advised to contact the privacy commissioner.
Both the New Zealand and Australian governments have discussed issuing their own digital currencies, although any resulting launch would be a long way off. For the meantime, anyone investing in crypto should do their research, use a registered exchange ideally based in their home country – and remember that investments can go up as well as down.