An open letter to the Australian business community

Dear customers and partners,

Thanks to the widespread public and political cover that followed the data breach at Optus last month and Medibank following that, it has become clear that Australians have been let down by the trust they placed in companies to protect their personal data.

Recent data breaches at Woolworths, Telstra, NAB (National Australia Bank), MyDeal, Vinomofo, Australian Clinical Labs, and Energy Australia have further underlined that personal information is not as safely stored as many would like to believe it to be.

With the widespread news, you could be forgiven for thinking Australia is under a sudden cyber assault, but the reality is it has been escalating exponentially for years. What is different now is that:

• More people are paying serious attention to the privacy of their own information
• Mandatory requirements to report breaches have led to more breaches becoming public
• The scale and severity of the Optus and Medicare breaches required the companies to directly advise over 10 million customers that their data had been compromised

The result is that as Australians we have lost any cybersecurity “she’ll be right” innocence we had. That Australians are now paying greater attention to their data privacy is a positive aspect as it applies pressure on organisations to provide better data security. As a payment security company, Eftsure, in our day-to-day interactions with the market, is among the first to see the immediate impact of how this increased awareness and scrutiny is changing attitudes towards privacy and security of data. Businesses and their suppliers are taking extra precautions before sharing their data, and while that can slow us down operationally, we applaud this shift in mindset.

While the extra precautions suppliers are taking are welcomed by Eftsure, they can lead to slightly slower verifications. In addition, more suppliers may contact customers to check the legitimacy of the request from Eftsure; particularly for customers that do not have information on their website explaining that Eftsure has been engaged in this process.

When we founded Eftsure 8 years ago, our goal was to build a community network that formed a safe environment in which businesses could interact and trade securely. In service of that goal, we built our product to enable businesses to verify the bank account data they use to pay other businesses. This, in turn, required a highly secure database, software, and rigorous processes that our customers can trust and use easily. To that end, we have always had security, confidentiality, and privacy as the overriding requirement for everything we do. It is at the core of our business and manifests in never becoming complacent and continually implementing best practice security measures.

We are constantly reviewing and adding security systems and processes and regularly commissioning independent audits and reviews of our systems and processes. We built our procedures around secure verifications and provide mechanisms for businesses and their suppliers to verify our identity, procedures, and security standards. Through using Eftsure, our customers have been saved from numerous attempts to defraud them that would have succeeded if they were not using Eftsure.

It is our view that the breaches of this month can have devasting consequences for the victims in the future. In the same way that a bank robber does not run out and spend the cash stolen immediately but waits until the heat and attention subside before spending their stolen cash, the hackers do not always use the stolen data immediately. Often it gets used months or years later making it harder to trace the link between the stolen data and its exploitation of it. Often the data is taken to sell to fraud syndicates who will exploit it later. The stolen data improves their ability to impersonate both individuals and companies. They can use it to set up fake bank and other accounts in the impersonated company’s name and use these to significantly ramp up Business Email Compromise (BEC) and other payment redirection scams. The significant increase in BEC scams following the Global Microsoft Exchange Server Data breaches last year points to the same occurring in the coming years because of these recent local breaches.

In supporting data privacy requirements and verification processes of suppliers in this current cyber climate, we would like to provide the following information to current and prospective customers.

Two things are likely to be true; that these headline grabbing data breaches will not be the last and that companies will continue working with and sharing data with partners, be they cloud based accounting systems, ERP (Enterprise Resource Planning) software, payroll systems and other technology solutions. In that context we applaud the increased vigilance in regards the data you possess and share and encourage you to verify that all your partners have the policies and procedures in place to protect that data. Some of the questions you should ask: How is my data stored? Where is it stored? How is it transferred there? Who has access to my data? What data are we sharing and is that shared somewhere else as well? Who are the people behind the entity we are about to share this data with?

We are clear on our answers so if you have any questions about Eftsure’s stringent data privacy and security measures please reach out to your Eftsure contact.

If you are not a customer of Eftsure, I encourage you to exercise greater vigilance. If you are, I thank you for joining us in making the Australian Business community safer.

Mark Chazan
CEO – Eftsure