Why Australian small businesses need to prepare for a Privacy Data Breach – it’s not a matter of ‘if’, it’s a matter of ‘when’

Recently, several large organisations have reluctantly grabbed the headlines due to privacy data breaches.

However, small business owners need to be aware, these breaches are not only occurring at the top end of town.

Some interesting facts:

Since the introduction of the Mandatory Notifiable Data Breach Scheme in Australia in February 2018,

  • The number of breaches reported is trending at over eight times greater than before
  • Of those breaches, 23% impacted one individual, 48% involved fewer than 10 individuals, and 67% involved fewer than 100.

In Australia during 2017,

  • 43% of all cyber attacks were directed at small businesses
  • Even more disturbing, 22% of those businesses have closed down.

Unfortunately, many small businesses face an uphill battle finding sufficient time to build up and sustain the privacy policies and practices needed to meet their obligations. With the introduction of the mandatory notification scheme, the climb has become steeper.

Privacy Proactive helps businesses manage and protect their Privacy risks by preparing them as best as possible.

We provide very cost-effective solutions to enable businesses to meet their obligations. Our approach allows management and staff more time to focus on core business activities.

Why your small business should consider Privacy Proactive

  1. These days, with greater visibility of privacy breaches, there is a far greater expectation from the community for businesses to protect personal information.
  2. GDPR’s impact on countries outside the EU will be more than simply needing to comply. The rising community expectations will demand governments to strengthen their privacy laws. Countries such as South Korea, Japan and Brazil are already considering going down this path. It is very likely more will follow, including Australia.
  3. Small businesses need to be proactive. It will minimise (never eliminate) the possibility of a breach and the impact on your business, your clients and employees, and potentially your lifestyle.
  4. Having sustainable privacy policies and practices in place gives your business an opportunity to get ahead of the game and gain a competitive edge.
  5. Your business will be judged not so much on whether you have a breach but how prepared you are for a breach.

If you would like to know more about how Privacy Proactive could help your business, please contact me.



Does Commonwealth Bank’s massive data loss put you at risk?

After it emerged that Commonwealth Bank lost customer statements linked to 20 million accounts, the institution has spent the night assuring people they are not at risk.

The bank has admitted it lost financial statements spanning 15 years in 2016, after the story was uncovered by Buzzfeed News.

But the bank says the lost data did not include customers’ passwords or PINs and there was no evidence the information had been compromised.

However, customers have vented their fury at the bank for not informing them of the data breach at all.

When the data stored on tape drives was lost by a subcontractor in 2016, CBA launched an investigation to find out what happened, but the documents were never found.

One theory suggested by a forensic team from accounting firm KPMG was that the tapes might have fallen off the back of a truck taking the data to be destroyed.

But the data was never located — either on the road or on the dark web — and it was decided that the data had most probably been disposed of as planned.

However, one Western Australian farmer living with bone cancer claims he was the victim of identity theft after his CBA documents were found in a gutter in Victoria.

Commonwealth Bank lost bank statements linked to 20 million accounts in 2016, but chose not to tell customers. Picture: AAP Image/Brendan Esposito

Barry Lakeman said he ended up in debt after criminals used his identity to borrow money and buy goods and services.

He approached Geoff Shannon from Unhappy Banking, who told news.com.au he had been dealing with the Lakemans’ “many loans and credit issues” resulting from the fraud ever since.

Mr Lakeman said CBA told him in 2014 that his statements had been found in a gutter in Victoria, a state he and his wife hadn’t visited for three years. He said the bank suggested his wife must have taken the statements there and left them behind.

Police then called Mr Lakeman in August last year to say they had found his gun licence — only the membership number was wrong, the 59-year-old told The Conversation.

“It was a forgery,” he told Sydney University Adjunct Associate Professor Michael West, who wrote about the issue in September. “The number at the top of the card was different from the number on my card.”

And there have been other incidents too, Mr Lakeman claimed. “In 2015, a company in Victoria rang me and said, ‘We have finished the canvas for your caravan’ … I don’t even own a caravan.”

Northam Police began investigating the identity theft with the help of Mr Shannon, who took the case to the bank-funded Financial Ombudsman Service set up to handle customer complaints.

But Mr Lakeman still doesn’t know what really happened, telling Prof West: “It really hurt us because when we tried to move and buy a house there was a black mark against us. It affected our credit rating.”


Svitzer employee details stolen in data breach affecting almost half of its Australian employees

The shipping company Svitzer has suffered a significant data breach affecting almost half its Australian employees.

It is among the first incidents to be disclosed under Australia’s new notifiable data breaches scheme.

For almost 11 months, emails from three Australian employee email accounts were secretly auto-forwarded outside the company. The perpetrator has not yet been identified.

The hack, which began May 27 last year, affected accounts in finance, payroll and operations.

Svitzer’s head of communications, Nicole Holyer, said the company stopped the email theft after being alerted on March 1 this year.

Forensic IT experts have been called in to investigate.

The sensitive personal information of around 500 employees was affected. Svitzer employs about 1,000 people in Australia.

Lost details may have included tax file numbers, superannuation account numbers and the names of next of kin.

Staff are being informed of the breach today.

“Our absolute priority is our employees. We are offering the highest levels of support to those affected,” Steffen Risager, managing director of Svitzer Australia, said in a statement.


Human error (not hackers) behind most data breaches in Australia

In just six weeks, there were 63 data breach notifications to the Office of the Australian Information Commissioner since the mandatory Notifiable Data Breaches (NDB) scheme came into force in February this year.

The OAIC’s first NDB report, published on Wednesday, also included 114 earlier breaches from the 2016-17 financial year that were voluntarily provided.

The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said the reports will, over time, support improved understanding of the trends in data breaches (where eligible for reporting) and promote a proactive approach to addressing security risks.

“A data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts. This can reduce the overall impact of a breach. More broadly, the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.

“Just over half of the eligible data breach notifications we received in the first quarter indicated that the cause of the breach was human error. In the 2016–2017 financial year 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error.

“This highlights the importance of implementing robust privacy governance alongside a high standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information.”

Key statistics from the first quarterly report include:

  • Top five sectors that notified the OAIC of eligible data breaches included health service providers (24% of notifications), legal, accounting and management services (16%), finance (13%), private education (10%), and charities (6%);
  • 78% of eligible data breaches were reported to involve individuals’ contact information, 33% were reported to involve health information and 30% to involve financial details;
  • 51% of the eligible data breach notifications received indicated that the cause of the breach was human error. Another 44% of breaches were reported to be the result of malicious or criminal attack, and 3% the result of system faults; and
  • 59% of data breach notifications reported that the personal information of between one and nine individuals was affected, and 90% of data breach notifications related to breaches involving the personal information of less than 1000 individuals.

This article was first published by The Mandarin.

OAIC sees 63 data breach notifications in first six weeks

Majority the result of “human error”.

Australian organisations reported 63 data breaches in the first six weeks of mandatory notification rules coming into effect, with human error listed as the most common cause.

By contrast, when organisations only had to voluntarily reveal breaches, they only self-reported 114 instances for the entire 2016–17 financial year.

The Office of the Australian Information Commissioner (OAIC) today released the first quarterly report since the mandatory data breach notification scheme came into effect on February 22.

The report notes that eight breach notifications were received in the six days in which the scheme operated in its launch month.

A further 55 data breach notifications were received by the OAIC in March.

Health services providers were responsible for the single largest number of notifications (15), followed by businesses that supply “legal, accounting and management services”.

Organisations in the finance, education and not-for-profit sectors were also implicated.

“The majority of data breaches reported to the OAIC involved ‘contact information’, such as an individual’s name, email address, home address or phone number,” the OAIC said.

“This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as driver licence numbers and passport numbers.

“Entities also reported data breaches that involved individuals’ tax file numbers, financial details, such as bank account or credit card numbers, as well as health information.”

The OAIC said 78 percent of notifications it received impacted “contact information”, compared to 24 percent that exposed “identity information”.

“Health information” was exposed in 33 percent of the cases and “financial details” in 30 percent of cases.

The majority of notified breaches – 50 percent – were the result of human error, although malicious or criminal actors are believed to have been behind a further 44 percent of incidents.

Just under three-quarters of eligible data breaches (73 percent) “involved the personal information of under 100 individuals”.

Acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said in a statement that “the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.”

“Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks,” Falk said.

Data breaches: If a company has lost your personal info, they now have to tell you

Uber, Ashley Madison, Equifax: these brands are known for ride hailing, infidelity and credit scores respectively, but also for the exposure of customer information.

As of today, many businesses that operate in Australia are subject to the country’s new notifiable data breaches scheme.

Lose a hard drive? Give an unauthorised person patient files? In certain circumstances, companies will have to tell the Office of the Australian Information Commissioner (OAIC) and any individual affected if personal data are lost, stolen or leaked.

If you use any services that collect details about you — from your birth date to your shoe size — here is what you need to know.

When is it personal?

Certain companies or government agencies must disclose a breach if the data includes personal information that is likely to result in serious harm.

So, what is “personal information”? Think of it as any information about a person that would identify them or allow them to be reasonably identifiable.

“It covers a broad range of information that exceed name, address — the really obvious ones,” explained Australian Privacy Commissioner Timothy Pilgrim.

This term is purposefully flexible, agreed Anna Johnston, the director of consultancy firm Salinger Privacy.

Flexibility is important because new technologies, such as machine learning algorithms, are increasingly able to re-identify data that may appear anonymous.

For example, something as simple as an IP address — essentially, your computer’s internet street address — could be used to identify you if combined with another data set that included your birthdate and internet habits.

Is the breach ‘likely to result in serious harm’?

If a data breach involves personal information, it must be disclosed if the breach is likely to result in “serious harm” to any affected individual.

This is not simply the annoyance of getting a new credit card if your number is stolen — “serious physical, psychological, emotional, financial, or reputational harm” are all included.

Consider the situation of a domestic violence survivor or a family court judge, for instance.

“There are lots of different people … who would be placed at much greater risk of harm if their home address or their history of movement — geolocation data — was exposed versus simply a credit card number,” Ms Johnston explained.
