Payment Security 101
Learn about payment fraud and how to prevent it
Data breaches have become a major concern for organisations of all sizes and industries.
By ‘data breach,’ we’re referring to an incident in which confidential or sensitive information is accessed, stolen, or compromised by an unauthorised party. The impact of a data breach can be severe and long-lasting, affecting not only the organisation’s reputation but also its financial stability and legal liabilities.
Major data breaches include those at Optus in 2022 and at Latitude Financial in March 2023, the latter of which compromised the personal data of approximately 225,000 customers, including unauthorised access to just shy of 100,000 copies of driver’s licences.
Organisations must take proactive measures to protect their data, such as implementing strong cybersecurity measures and regularly training employees on data privacy. In the data breach statistics below, we’ll dive into the financial impacts of a breach, along with what type of data is most commonly targeted and the latest in data breaches that have affected thousands – sometimes millions – of Aussies.
Despite the growing number of available cybersecurity solutions, successful data breaches continue to increase every year. Several factors might explain why, but poor data encryption policies and insufficient anti-malware solutions are likely major contributors. Australians face these costly attacks every eight minutes, according to the ACSC’s Annual Cyber Threat Report 2022.
According to a study in the 2022 Cost of a Data Breach Report by IBM, organisations are experiencing a greater frequency of data breaches – and each breach is getting more expensive. Reaching an all-time high, the cost of a data breach averaged USD 4.35 million in 2022, representing a 2.6% increase from 2021. Some of the types of breaches experienced by organisations were due to ransomware attacks, supply chain attacks, human error, IT failure and other malicious software attacks.
Despite an estimated $150 billion spent on cyber security in 2022, with projections of $1.75 trillion by 2025, cyber threats continue to rise. Crucially, the healthcare industry isn’t even among the top five most-targeted industries. Since the pandemic, organisations have introduced remote and hybrid work environments. Many processes and security practices were not designed for this new digital landscape, making it harder for organisations to scale protections effectively against new cyber threats.
Scams and fraud have increased since December 2022, including cyber-crime such as hacking, identity theft and phishing. As technology advances, cyber-criminals find new ways to infiltrate networks and security systems. As a result, data breaches will probably remain a risk for individuals and organisations throughout 2023 and beyond.
The Notifiable Data Breaches Report 2022 highlights that several large-scale data breaches impacted millions of Australians’ personal information. There was also a 26% increase in breaches overall. This included information like individuals’ names, home addresses, phone numbers, email addresses and other sensitive data like passport details and driver’s licence details.
When it comes to mitigating the risk of harm stemming from a cyber attack, one of the most crucial factors is the time it takes for organisations to respond to a data breach. It’s best practice for organisations to monitor and promptly detect system faults, which can indicate hardware malfunctions or software settings errors.
Ransomware and associated extortion threats, espionage and fraud have become a significant threat to Australian organisations. Ransomware is one of the most common – and successful – types of attack, resulting in major risks to customer and business data.
Malicious or criminal attacks were the main source of data breaches across all industries mentioned above, followed by human error and system faults.
A zero-trust model is a security framework that assumes that every user, device, or application that requests access to a company’s resources or data is a potential threat, and should not be automatically trusted. This model requires continuous verification of the identity and context of the user, device, or application before granting access, potentially protecting data and resources by limiting their accessibility and requiring context.
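The paragraph above describes the zero-trust idea in words: identity, device and context are all verified on every request, and nothing is trusted by default. The following Python program is an added illustration of such an access decision, not code from the original page or from any particular product. The field names, the entitlement table, the MFA freshness windows, the allowed-country rule and the sample requests are all assumptions constructed for the example.

```python
"""Zero-trust access decision: every request is checked on identity, device and
context, and nothing is trusted by default. Added illustration, not code from
the original page; field names, thresholds and entitlements are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy: how recently MFA must have been completed, by resource sensitivity.
MFA_MAX_AGE = {"payments-db": timedelta(minutes=15), "wiki": timedelta(hours=12)}
# Assumed: countries from which writes to sensitive resources are expected.
ALLOWED_WRITE_COUNTRIES = {"AU", "NZ"}
# Assumed entitlements (least privilege): user -> {(resource, action), ...}.
ENTITLEMENTS = {
    "alice": {("payments-db", "read"), ("payments-db", "write"), ("wiki", "read")},
    "bob": {("wiki", "read")},
}
NOW = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed fixed clock


@dataclass
class AccessRequest:
    user: str
    mfa_verified_at: Optional[datetime]  # last successful MFA, None if never
    device_managed: bool                 # enrolled in device management
    device_patched: bool                 # within the patch policy
    resource: str
    action: str                          # "read" or "write"
    source_country: str                  # geolocation of the client IP
    now: datetime


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every check must pass; every failure is
    recorded so the denial can be logged and explained to the user."""
    reasons: List[str] = []
    # 1. Identity: the user must hold an explicit entitlement; nothing is implied.
    if (req.resource, req.action) not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("no entitlement for %s:%s" % (req.resource, req.action))
    # 2. Identity freshness: MFA must be recent, with a tighter window for sensitive data.
    max_age = MFA_MAX_AGE.get(req.resource, timedelta(hours=1))
    if req.mfa_verified_at is None or req.now - req.mfa_verified_at > max_age:
        reasons.append("MFA not verified within %s" % max_age)
    # 3. Device posture: only managed, patched devices may reach organisation data.
    if not req.device_managed:
        reasons.append("unmanaged device")
    if not req.device_patched:
        reasons.append("device outside patch policy")
    # 4. Context: writes only from expected locations.
    if req.action == "write" and req.source_country not in ALLOWED_WRITE_COUNTRIES:
        reasons.append("write from unexpected country %s" % req.source_country)
    return (not reasons, reasons)


def sample_request(user="alice", mfa_age_minutes: Optional[int] = 5, managed=True,
                   patched=True, resource="payments-db", action="write",
                   country="AU") -> AccessRequest:
    """Constructed request; the defaults describe a fully compliant one."""
    verified = None if mfa_age_minutes is None else NOW - timedelta(minutes=mfa_age_minutes)
    return AccessRequest(user, verified, managed, patched, resource, action, country, NOW)


if __name__ == "__main__":
    for label, req in [("compliant", sample_request()),
                       ("stale MFA", sample_request(mfa_age_minutes=30)),
                       ("bob writes to payments-db", sample_request(user="bob")),
                       ("unmanaged device abroad", sample_request(managed=False, country="US"))]:
        allowed, why = evaluate(req)
        print("%-28s -> %s %s" % (label, "ALLOW" if allowed else "DENY", why))
```

The design point is that the decision is a conjunction of independent checks and returns every failed check rather than the first one: that gives the security team an auditable log of why access was refused and lets the user fix the right thing (re-authenticate, enrol the device) instead of guessing.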
To combat data breaches caused by compromised login credentials, leaders can look to password policies that require complex passwords and regular updates, along with two-factor authentication (2FA) or multi-factor authentication (MFA) to add an extra layer of security. Organisations should also conduct regular audits of user accounts and account privileges.
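The account and privilege audit recommended above is easy to automate once you have an export from the directory or identity provider. The Python program below is an added example, not code from the original page or from any vendor: it runs a small policy (MFA enrolment, inactivity, password age, privileged roles on disabled accounts) over a constructed set of account records and reports every violation per account. The thresholds, role names and records are assumptions chosen for the illustration.

```python
"""Account and privilege audit over a constructed directory export. Added
illustration, not code from the original page; the thresholds, role names and
records are assumptions."""
from datetime import date
from typing import Dict, List, Optional

# Assumed policy thresholds (not from the page).
MAX_INACTIVE_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 90
PRIVILEGED_ROLES = {"admin", "finance-approver"}

AUDIT_DATE = date(2023, 9, 1)  # constructed fixed date so results are reproducible

# Constructed export, shaped like what an identity provider or directory would give you.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "mfa": True, "roles": ["admin"],
     "last_login": date(2023, 8, 30), "password_set": date(2023, 7, 1)},
    {"user": "bob", "enabled": True, "mfa": False, "roles": ["staff"],
     "last_login": date(2023, 8, 29), "password_set": date(2023, 1, 10)},
    {"user": "carol", "enabled": True, "mfa": False, "roles": ["admin"],
     "last_login": date(2023, 4, 2), "password_set": date(2023, 3, 1)},
    {"user": "svc-backup", "enabled": True, "mfa": False, "roles": ["admin"],
     "last_login": None, "password_set": date(2021, 5, 5)},
    {"user": "dave", "enabled": False, "mfa": True, "roles": ["finance-approver"],
     "last_login": date(2022, 12, 1), "password_set": date(2022, 11, 1)},
]


def audit(accounts: List[dict], today: date = AUDIT_DATE) -> Dict[str, List[str]]:
    """Return {user: [issue, ...]} for every account that violates the policy."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues: List[str] = []
        privileged = PRIVILEGED_ROLES.intersection(acct["roles"])
        # A privileged account without MFA is the worst case: one leaked password is enough.
        if not acct["mfa"]:
            issues.append("MFA not enrolled" + (" (privileged account)" if privileged else ""))
        last: Optional[date] = acct["last_login"]
        if last is None:
            issues.append("never logged in")
        elif (today - last).days > MAX_INACTIVE_DAYS:
            issues.append("inactive for %d days" % (today - last).days)
        if (today - acct["password_set"]).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password older than %d days" % MAX_PASSWORD_AGE_DAYS)
        # Disabled accounts should have their roles stripped, not just their login blocked.
        if privileged and not acct["enabled"]:
            issues.append("disabled account still holds %s" % ", ".join(sorted(privileged)))
        if issues:
            findings[acct["user"]] = issues
    return findings


def privileged_without_mfa(accounts: List[dict]) -> List[str]:
    """Highest-priority list: privileged accounts where a stolen password is enough."""
    return sorted(a["user"] for a in accounts
                  if PRIVILEGED_ROLES.intersection(a["roles"]) and not a["mfa"])


if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS).items():
        print(user, "->", "; ".join(issues))
    print("fix first:", privileged_without_mfa(ACCOUNTS))
```

In practice the export would come from the identity provider’s API or an Active Directory dump rather than a literal list, and the findings would feed a ticket queue; the point of the separate `privileged_without_mfa` list is that not all findings are equal, and the ones that turn a single phished password into administrative access should be fixed first.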
Date of breach: 30 January 2023
Number of users affected: 10 million customers
In an official statement released on 30 January, JD Sports revealed it had been hit with a cyber attack that leaked 10 million customers’ personal data, including individual names, order details and contact information. According to the sports giant, the attack involved “unauthorised access” to a network that contained billing addresses, delivery addresses, email addresses, phone numbers and more.
Chief financial officer Neil Greenhalgh said, “We want to apologise to those customers who may have been affected by this incident. We are continuing with a full review of our cybersecurity in partnership with external specialists following this incident.”
At this point, the root cause of the JD Sports breach isn’t yet publicly available.
Date of breach: 3 February 2023
Number of users affected: To be confirmed
Hitachi Energy has confirmed that it suffered a data breach after the famous Clop ransomware group stole sensitive data using a GoAnywhere vulnerability. In a press statement, Hitachi revealed that the company “recently learned that a third-party software provider, Fortra’s GoAnywhere MFT (managed file transfer), was the victim of an attack by the CLOP ransomware group that could have resulted in an unauthorised access to employee data in some countries.”
GoAnywhere is a file transfer platform used by organisations across Australia. Recently, a zero-day vulnerability was discovered in this software. This means there was a security hole in the software that nobody knew about before, not even the developers who made it.
This security vulnerability could allow cyber-criminals to access sensitive information transferred through the software, like passwords or financial data.
Date of breach: 23 February 2023
Number of users affected: 1.5 million customers
The Good Guys has said it only recently became aware of the data breach, which is believed to have occurred back in August 2021. The February breach stems from the third-party provider Pegasus Group Australia, also known as My Rewards.
Since the breach, The Good Guys has emphasised that it no longer uses the services of Pegasus Group. It revealed that 1.5 million “Concierge” members, who were part of The Good Guys rewards system, had their data exposed, including names, addresses, phone numbers and email addresses.
Date of breach: 16 March 2023
Number of users affected: 14 million customers
The Australian financial services giant Latitude Financial suffered a large-scale data breach that affected more than 14 million customers. The breach occurred after a malicious attack originating from a vendor used by Latitude Financial. Malicious actors stole the confidential information of 328,000 customers, including confirmed copies of passports, passport numbers and Medicare numbers.
Latitude first discovered the breach when they detected unusual activity on the company’s network systems. This malicious intrusion resulted in data theft affecting past and present customers across Australia and New Zealand. The cyber attack was reported and investigated by the Australian Federal Police (AFP), though details about the extent of the attack are still being revealed as of the publication of this article.
In April 2023, the business received a ransom demand but has stated it will not pay, citing a lack of assurances and a reluctance to incentivise future ransomware attacks.
Date of breach: 20 March 2023
Number of users affected: 3,700 customers
Service NSW experienced technical issues that led to the unintentional exposure of users’ data. The software bug resulted in the “My Services” dashboard temporarily allowing users to view confidential data, such as driver’s licences, vehicle registration, various vouchers, senior cards and conveyancing licences. A Service NSW spokesperson said, “We believe that any personal information available through your linked services was only available to other logged-in users for a short period and was not searchable.”
Software bugs can occur for several reasons, such as human error by software developers, miscommunication between programmers, and hardware or environmental issues. This type of breach illustrates that not all data exposure comes from coordinated malicious attacks: even old-fashioned human error can compromise data confidentiality.
Date of the breach: 23 March 2023
Number of users affected: Estimated 1,000,000 employees
Much like the Hitachi Energy data breach, the Rio Tinto stolen data incident relates to an attack on GoAnywhere, a managed file transfer (MFT) software product. And, as with the Optus and Medibank data breaches, cyber-criminals are known to use data stolen from these organisations to conduct further criminal activity.
The information stolen from Rio Tinto included payroll information, such as payslips and overpayment letters, belonging to a small number of affected staff. According to Rio Tinto, its secure cyber networks were breached via a cloud-based supplier.
As we’ve seen from recent cyber-crime statistics, ransomware attacks have been growing in scale and frequency. One of the most noteworthy types of malicious software in recent years has been the Clop ransomware. This ransomware was responsible for the cyberattack on the Accellion file transfer application, which had a far-reaching impact across the world. It affected organisations such as NSW Health, the Australian Securities and Investments Commission, the law firm Allens, and the Reserve Bank of New Zealand.
Date of the breach: 13 March 2023
Number of users affected: Small portion of individuals
IPH Limited, an international intellectual property services group, announced on Monday that it had discovered unauthorised access to a segment of its IT environment. The exposed documents contained data pertaining to a limited number of clients of Spruson & Ferguson Lawyers, as well as some historical financial and corporate information.
A thorough forensic investigation, carried out by cybersecurity and forensic IT advisors, revealed that the data breach occurred when scammers gained entry into the document management system via third-party systems. These systems involved Spruson & Ferguson (Australia) and Griffith Hack, along with the practice management systems (PMS).
As a result of this incident, the Sydney-based firm estimates incurring non-underlying costs of approximately A$2 million to A$2.5 million for the year 2023. Since the breach on April 17, 2023, the company has implemented new network infrastructure following a meticulous restoration process.
Date of breach: 2 April 2023
Number of users affected: Yet to be confirmed
On Good Friday of 2023, the Tasmanian government reported 16,000 documents had been compromised online after cyber-criminals gained access to data from the Department of Education, Children and Young People through the third-party file transfer service GoAnywhere MFT.
The attack used the same vector as the Hitachi Energy data breach. The information revealed included the names of children, addresses, invoices, bank account numbers and service providers. Unfortunately, the documents were published on the dark web, according to The Guardian.
Madeleine Ogilvie, Minister for Science and Technology, continues to provide further updates on the cyber investigation.
Date of breach: 4 April 2023
Number of users affected: 2,224 students
TAFE SA has revealed a data breach that was discovered when SA police found scanned copies of student identification forms in an unrelated operation. A total of 2,224 records were exposed, including the TAFE SA student ID number, course details, full names, date of birth, physical addresses and copies of driver’s licences and passports.
It is still unclear who is behind the data breach. After the breach occurred, TAFE SA emailed all impacted students to notify them of the incident and advised the support available. For more information about the breach, visit the TAFE SA data breach webpage.
Date of the breach: 28 April 2023
Number of users affected: Four terabytes of information stolen
The HWL Ebsworth data breach stands out among the year’s incidents. The responsible party behind this breach was the AlphV ransomware group, also known as BlackCat, which has ties to Russia. As a result of the breach, sensitive information has been exposed.
The exact nature of the leaked information remains unclear. However, it has been confirmed that the hackers gained access to various company data, including client documents, financial reports, accounting data, credit card information, and employee CVs and IDs.
Following the incident, HWL Ebsworth promptly reported the cybersecurity breach to the Australian Cyber Security Centre (ACSC), as required by the Security of Critical Infrastructure Act 2018.
While the claims made by AlphV are yet to be substantiated, it is known that this ransomware group employs multiple methods to infiltrate organisations, such as phishing emails or the use of malicious software.
Date of the breach: 12 May 2023
Number of users affected: 2.15 million customers
Toyota issued a statement on May 12, acknowledging that a configuration error in a cloud-based database had led to the inadvertent public accessibility of vehicle data belonging to certain users in Japan.
While the incident primarily occurred in Japan, Toyota has stated that a number of its Australian customers may have been affected as well. However, the company has not discovered any evidence indicating unauthorised access to the data. The compromised information includes vehicle location data, time data, in-vehicle GPS navigation terminal ID numbers, and chassis numbers.
Date of the breach: 24 May 2023
Number of users affected: Yet to be announced
The ACT Government initiated investigations into a security breach affecting Barracuda Networks, an email gateway system that supports certain ACT Government ICT systems. The ACT Government identified a vulnerability in its email security gateway and publicly disclosed the vulnerability on May 24.
Bettina Konti, the Chief Digital Officer, clarified that “this incident is not an attack directly targeting the ACT Government but rather an attack on Barracuda systems”. She emphasised that “it is not a virus or malware, but rather a vulnerability that exposed information to a threat actor”.
Currently, the ACT Government has no knowledge of any accessed information on their systems. In response to the breach, the government has committed to strengthening its cybersecurity measures and will provide weekly updates on the incident through Access Canberra.
Date of the breach: 10 June 2023
Number of users affected: Yet to be announced
Eftpos provider SmartPay has reported a breach of customer data in a recent ransomware attack. In a statement released to the New Zealand Exchange (NZX), SmartPay confirmed that on June 10th, they discovered a ransomware cyber incident impacting certain systems in New Zealand.
The exact nature of the exposed data remains uncertain; however, SmartPay assures that it does not store “individual cardholder information.” Following the breach, the company has engaged CyberCX, a cybersecurity firm, for assistance and is collaborating with government authorities.
Currently, the identity of the responsible group behind the attack remains unknown. SmartPay has not disclosed information regarding the ransom amount demanded or whether negotiations are taking place. The extent of the customer base affected is still under investigation.
Date of the breach: 25 July 2023
Number of users affected: 50 small businesses
The Department of Home Affairs recently and inadvertently exposed the details of more than fifty small business survey participants, who had been asked for their views on cybersecurity, according to The Guardian.
The Guardian further states that the information exposed included the names, business names, phone numbers and emails of the participants in the survey. The cybersecurity report was put together by the consultancy firm 89 Degrees East. The initiative was designed to educate small businesses about recent cyber threats.
A Home Affairs spokesperson said that the department was “aware of a potentially unintentional data release”.
Date of the breach: 25 August 2023
Number of users affected: 45,000 clients
Perpetual Group, a global financial services organisation, released a statement on Friday, August 25, 2023, about an IT security incident. The financial services organisation was recently made aware that a cyber-criminal had gained unauthorised access to its third-party IT provider.
As a result, Perpetual states that a limited amount of personal information has been compromised including contact details like first names, surnames, addresses and bank account details (which are not linked to the compromised personal information).
Perpetual says in a statement “Core systems have been restored and we will begin processing transactions and payment requests that we have received”.
Fully deployed security AI and automation refers to using advanced technology to improve the security measures of a company. This includes using algorithms and automation to analyse large amounts of data and identify potential security threats. By doing this, IT teams can focus on more complex issues, which ultimately helps the company respond more quickly and effectively to security incidents.
According to the IBM study, organisations with XDR technologies identified and contained a data breach in 29 days, faster than those without XDR. XDR (extended detection and response) is a SaaS-based security threat detection and incident response solution that collects threat data from previously siloed security tools across an organisation’s technology stack.
In the 2023 Cybersecurity Outlook research, more than half of organisation leaders in industries that provide or make heavy use of technology services reported they have the skills needed today. In contrast, those that were missing critical people and skills noted that they were lacking specialised skills in critical infrastructure.
It’s critical to an organisation’s success in cybersecurity that senior leaders take a proactive approach to cyber disruption. Taking a proactive approach allows organisations to protect themselves against financial loss, maintain business continuity and enhance their cybersecurity posture. By continually identifying and mitigating cyber risks, businesses become far more efficient at managing them.
Globally, organisations have started to pay more attention to their cybersecurity due to the significant growth in cybercrime. The rise of cyber-crime has led to an increase in the frequency and severity of cyber attacks, which can cause significant financial losses, disrupt business operations, and damage the reputation of the organisation.
One of the primary responsibilities of a Chief Information Security Officer (CISO) is to effectively communicate the potential business impact of a security breach and emphasise the importance of prioritising cybersecurity throughout the organisation. This requires strong communication skills and the ability to convey complex technical information in a way that’s easily understood by stakeholders.
Both Australia and South Korea excel in providing training to all employees within their organisations, surpassing the global average. However, since cyber-criminals are constantly seeking new ways to infiltrate targeted organisations, it’s important that every employee participates in ongoing, periodic security awareness programs.
Two third-party Facebook app developers found the records sitting in Amazon Web Services and posted them on a hacker site. These records were stored by Facebook partners and didn’t contain any sensitive information.
Yahoo affirmed that two major data breaches revealed in 2016 exposed sensitive information such as phone numbers, security question answers and hashed passwords. Yahoo faced a number of class action lawsuits and Congressional investigations following these data breaches.
Equifax was slammed for an allegedly poor security posture and incident response following the breach. They also faced heavy criticism and accusations after a number of executives sold Equifax stock.
A sample of the data was posted on an unnamed internet forum with a price of $5,000 for the full dataset. The company said, “this was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed”. Data-impacting incidents still, however, pose a real and serious risk: stolen data can be used by cyber-criminals to commit further fraud.
As one of the top hotel providers for the US government and military, Marriott’s data breach posed considerable security risks – customer movements around the world could be tracked for criminal activity. While the breach occurred in 2014, it wasn’t discovered until 2018 and resulted in Marriott getting slapped with a $24 million fine.
Personal information such as email addresses, names and passwords was compromised. The stolen passwords were all hashed with the bcrypt algorithm, widely considered to be the most secure hashing algorithm. However, Canva still encouraged all users to reset their passwords as a precaution.
Two hackers accessed a private coding site used by Uber software engineers and used it to obtain login credentials, allowing them to find an archive of driver and rider data. After the information was stolen, the hackers demanded a ransom from Uber, which paid $100,000.
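The Canva entry above turns on one detail: the stolen passwords were stored as slow, salted bcrypt hashes rather than in a form an attacker could read directly, which is why a reset was a precaution rather than an emergency. The Python program below is an added illustration of that storage pattern and is not code from the original page or from Canva. Because bcrypt is not in the Python standard library, it uses `hashlib.scrypt`, which is also a deliberately slow, salted password hash, as a stand-in; the work-factor parameters, the storage format and the sample passwords are assumptions.

```python
"""Salted, slow password hashing with verification and work-factor upgrade.
Added illustration, not code from the original page. scrypt stands in for
bcrypt (not in the standard library); parameters and format are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed work-factor policy; raise these over time as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, DKLEN = 16, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme, parameters, salt and digest.

    A fresh random salt per user means identical passwords produce different
    records, so a stolen table cannot be attacked with one precomputed list."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = bytes.fromhex(salt_hex)
    except ValueError:  # malformed record: wrong field count or bad hex/ints
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(digest_hex) // 2)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with a weaker work factor than current policy,
    so it should be re-hashed the next time the user logs in successfully."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("same password, different records:", rec_a != rec_b)
    print("login ok:", verify_password("correct horse battery staple", rec_a))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec_a))
    legacy = "scrypt$1024$8$1$" + "00" * SALT_BYTES + "$" + "00" * DKLEN  # constructed old record
    print("legacy record needs upgrade:", needs_rehash(legacy))
```

Two details matter operationally. The parameters travel with the record, so the work factor can be raised later without invalidating existing logins: `needs_rehash` flags old records and the application re-hashes on the next successful login. And verification uses a constant-time comparison, so a server that checks stolen-hash candidates against the stored digest does not leak partial matches through response timing.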
Marketed as an “extramarital” website, the consequences of Ashley Madison’s breach were catastrophic. Details of US military and government personnel were among those that were leaked on the dark web. Suicides were also reported.