The fallacy about data breaches
Kordia regional cyber security business manager Peter Bailey explains why we can’t accept large-scale data breaches as inevitable.
In a data-driven world, our personal information is everything. When we hand over our credentials and ID to businesses, we are trusting them. We need to have the assurance that they have measures in place to keep our data safe.
Latitude Finance, the parent company of Gem and Genoapay, recently suffered a major cyber breach which saw 14 million customers impacted across both sides of the Tasman. Personal data was stolen, including drivers’ licences, dates of birth, passport numbers, photos and more. Latitude has confirmed it will not be paying a ransom to retrieve the data – it is yet to be seen whether the cybercriminals responsible will start selling it on the dark web.
This is significant for Kiwis. The Office of the Privacy Commissioner says the theft is the largest privacy failure in our country’s history, with estimates that around 13% of the 7.9 million driver’s licences compromised belonged to New Zealanders – equating to around 20% of our population.
What’s even more concerning is that according to some reports, this wasn’t an overly sophisticated attack. The threat actor simply leveraged an employee’s credentials and logged into not one, but two of the company’s service providers. So how did this happen? How did Latitude’s defences fail to stop this attack? And why was the exfiltration of such a large amount of data not registered until it was too late?
A fallacy
It’s a fallacy to believe that data breaches like this one are inevitable. Yes, it’s true that stopping cybercriminals in their tracks is difficult. But I can assure you, there is a lot that organisations can do to mitigate the impacts of a cyber-attack. They can, and should, be taking every possible step to minimise the amount of personal data a cybercriminal can access. This is a basic responsibility for all businesses.
This incident raises questions about how Latitude and similar businesses store customer data. When we provide our information to businesses of Latitude’s scale, can we trust that they have the very best information security practices in place? Can we be confident that they are doing their very best to stop our data being stolen and exploited?
In my opinion, every business should adopt a best practice approach to data protection that sees a layering of various defensive controls – something we call “Defence in Depth”. This means that should one security measure fail, multiple other layers are in place, making it difficult for attackers to penetrate your data and systems. An attacker should never be able to simply log in and take what they want – the aim here is to close off any opportunities for attackers. The name of the game with security is risk mitigation – how many paths can you close off to the attacker to delay or stop them.
Similarly, regular monitoring and logging of the company’s networks and assets should be in place to pick up potentially malicious activity, such as large, unexpected downloads or unusual accessing of sensitive data. This in turn helps mitigate data exfiltration if an attacker does manage to gain a foothold in your systems.
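The monitoring described above can be made concrete. The following is an added example, not Kordia's or Latitude's code, that runs three simple detections over a handful of constructed access-log lines: a single export far larger than routine, sensitive records touched outside an account's normal hours, and more distinct customer records read in a day than the account's baseline. The log format, the account names, the `BASELINE` profiles and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log (not real data): time, account, action, resource, bytes
SAMPLE_LOG = """\
2023-03-16T09:02:11Z alice.smith READ customers/00123 2048
2023-03-16T09:05:40Z alice.smith READ customers/00124 1900
2023-03-16T09:07:02Z bob.jones EXPORT reports/monthly.csv 524288
2023-03-16T02:14:09Z svc_partner EXPORT customers/bulk_ids.csv 734003200
2023-03-16T02:15:31Z svc_partner READ customers/00125 2100
2023-03-16T02:15:32Z svc_partner READ customers/00126 2100
2023-03-16T02:15:33Z svc_partner READ customers/00127 2100
2023-03-16T02:15:34Z svc_partner READ customers/00128 2100
2023-03-16T02:15:35Z svc_partner READ customers/00129 2100
2023-03-16T02:15:36Z svc_partner READ customers/00130 2100
"""

# Assumed per-account baseline: how many distinct customer records the account normally
# reads per day and the UTC hours in which it normally works. Constructed for the example.
BASELINE = {
    "alice.smith": {"records_per_day": 40, "hours": range(8, 19)},
    "bob.jones": {"records_per_day": 10, "hours": range(8, 19)},
    "svc_partner": {"records_per_day": 5, "hours": range(8, 19)},
}
NO_PROFILE = {"records_per_day": 0, "hours": range(0)}  # unknown account: alert on any sensitive access

SENSITIVE_PREFIX = "customers/"              # resources holding personal data
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024     # a single export of 100 MiB or more is "large"


def parse_line(line):
    """Split one log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, account, action, resource, size = parts
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "account": account,
        "action": action,
        "resource": resource,
        "bytes": int(size),
    }


def detect(lines, baseline, large_transfer_bytes=LARGE_TRANSFER_BYTES):
    """Return a list of alert dicts (rule, account, detail) for the three conditions."""
    alerts = []
    seen_off_hours = set()                    # (account, day) pairs already alerted on
    records_by_account_day = defaultdict(set)  # (account, day) -> distinct sensitive records

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        day = ev["time"].date()
        profile = baseline.get(ev["account"], NO_PROFILE)
        sensitive = ev["resource"].startswith(SENSITIVE_PREFIX)

        # Rule 1: a single export far larger than anything routine.
        if ev["action"] == "EXPORT" and ev["bytes"] >= large_transfer_bytes:
            alerts.append({"rule": "large_transfer", "account": ev["account"],
                           "detail": f"{ev['resource']} {ev['bytes']} bytes"})

        # Rule 2: sensitive data touched outside the account's normal hours (one alert per day).
        if sensitive and ev["time"].hour not in profile["hours"]:
            key = (ev["account"], day)
            if key not in seen_off_hours:
                seen_off_hours.add(key)
                alerts.append({"rule": "off_hours_sensitive_access", "account": ev["account"],
                               "detail": ev["time"].isoformat()})

        # Collect distinct sensitive records per account per day for rule 3.
        if sensitive and ev["action"] == "READ":
            records_by_account_day[(ev["account"], day)].add(ev["resource"])

    # Rule 3: more distinct sensitive records in one day than the account's baseline.
    for (account, day), records in records_by_account_day.items():
        limit = baseline.get(account, NO_PROFILE)["records_per_day"]
        if len(records) > limit:
            alerts.append({"rule": "sensitive_record_enumeration", "account": account,
                           "detail": f"{len(records)} distinct records on {day} (baseline {limit})"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), BASELINE):
        print(alert)
```

In the constructed log only `svc_partner` trips the rules: a 700 MB export, activity at 02:00 UTC, and six distinct customer records against a baseline of five. The point is that each rule is individually crude, but together they surface the pattern the article describes (a legitimate credential pulling far more data than its owner ever needs) early enough to act on, which is what makes logging useful rather than merely forensic.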
The need to review
Speaking of data, the Latitude breach also highlights the need for businesses to regularly review and clean up what information they currently hold. Financial services are required to keep documentation for at least seven years, but with Latitude holding information from more than ten years ago, it has unnecessarily impacted a huge number of livelihoods. This is a lesson to remind businesses that any data should be promptly deleted once it is no longer needed.
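A retention review of the kind recommended above can be scripted. The following is an added example, not code from Kordia or Latitude, that walks a set of constructed customer records and separates those still inside the seven-year retention period the article cites from those eligible for deletion. The record fields, the `legal_hold` flag and the sample dates are assumptions made for the example; the rule that open accounts and records under a legal hold are always retained is a conventional safeguard, not something the article specifies.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 7  # minimum retention period for financial records cited in the article


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    account_closed: Optional[date]  # None while the account is still open
    legal_hold: bool = False        # assumed flag: a litigation/regulator hold blocks deletion


# Constructed sample records (not real customers).
SAMPLE_RECORDS = [
    CustomerRecord("C-0001", date(2011, 5, 3)),                   # closed ~12 years before review
    CustomerRecord("C-0002", date(2018, 8, 20)),                  # closed within the last 7 years
    CustomerRecord("C-0003", None),                               # still an active customer
    CustomerRecord("C-0004", date(2010, 1, 15), legal_hold=True),  # old but under hold
    CustomerRecord("C-0005", date(2016, 3, 20)),                  # closed exactly 7 years before
]


def years_before(d, years):
    """Same calendar date `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def retention_review(records, as_of, retention_years=RETENTION_YEARS):
    """Split records into (retain, eligible_for_deletion) as of the given date.

    A record is retained while the account is open, while a legal hold applies, or
    while its closure date is later than the cutoff (as_of minus retention_years).
    """
    cutoff = years_before(as_of, retention_years)
    retain, eligible = [], []
    for rec in records:
        if rec.account_closed is None or rec.legal_hold or rec.account_closed > cutoff:
            retain.append(rec)
        else:
            eligible.append(rec)
    return retain, eligible


def exposure_reduction(records, as_of, retention_years=RETENTION_YEARS):
    """How many records a thief could take before and after the clean-up."""
    retain, eligible = retention_review(records, as_of, retention_years)
    return {"before": len(records), "after": len(retain), "deleted": len(eligible)}


if __name__ == "__main__":
    review_date = date(2023, 3, 20)
    retain, eligible = retention_review(SAMPLE_RECORDS, review_date)
    print("retain:", [r.customer_id for r in retain])
    print("eligible for deletion:", [r.customer_id for r in eligible])
    print(exposure_reduction(SAMPLE_RECORDS, review_date))
```

Run against the five constructed records with a review date of 20 March 2023, two records are eligible for deletion and three are retained, so the pool an attacker could exfiltrate shrinks from five to three. On a real data set the deletion step itself should be a separate, audited job (soft-delete, then purge after sign-off) rather than an automatic consequence of this classification.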
Are businesses motivated enough to care?
What are the consequences of this breach for Latitude? Under New Zealand’s privacy laws, Latitude may be liable for an NZD$10,000 fine – but only if they fail to adequately disclose a notifiable breach within a sufficient timeframe.
Compare this to other legislation. If this breach had taken place in the jurisdiction of the European Union, under GDPR Latitude could have faced fines of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. With Latitude reporting a total revenue of AUD$927.8 million in 2022, that equates to approximately AUD$37 million (or NZD$40.3 million).
Enough consequences?
Sure, Latitude will suffer reputational damage, and they’ve offered to wear the cost of replacement licenses and passports for affected customers. There are also murmurings of a potential class action lawsuit. But one must wonder whether there are enough consequences to motivate big businesses to truly invest in cyber security to a level that matches the risk their customers face when handing their data over.
If the cost of appropriately securing your business against cyber breaches is significantly lower than the cost of dealing with the fallout of a breach, it’s easy to see how profit-driven businesses might simply wear the risk of an attack, rather than spend up large on cyber security.
The Latitude cyber-attack should be a wake-up call for businesses, and consumers need to send a clear message that this type of breach is not acceptable.
It’s imperative that any business that collects personal data understands that cyber security isn’t just a business cost – it’s a must-do, for the sake of protecting all New Zealanders.