Recent cases, and the latest statistics from the regulator, show that human error remains a key driver of data breaches, including breaches where a human mistake opens the door to hacking and other cyber attacks.
Not-for-profits that suffer a breach usually bear some financial cost, but the more lasting damage is often to their reputation.
Victorian hospitals, Commonwealth Superannuation Corporation, online gaming company Zynga, online ticket company Get, PayID and food delivery company DoorDash: there has been no shortage of recent data breaches, affecting a wide range of organisations.
These high profile incidents illustrate the variety of ways a data breach can occur, from malicious activity to simple human error. They also show that a breach can be operationally, reputationally and financially damaging.
The key lesson for all organisations is that a data breach is a very real risk, and many organisations remain under-prepared for it.
Recent data breaches
Hospital data breach
In late September 2019, several hospitals in regional Victoria suffered a data breach. Those affected included Gippsland Hospital, Barwon Hospital, Geelong's University Hospital and hospitals in Warrnambool, Colac, Warragul, Sale and Bairnsdale.
The incident was a criminal attack that forced the hospitals to quarantine and disconnect a number of their systems, including internet access, patient records, and booking and management systems.
As a result, some medical procedures had to be delayed, and Premier Daniel Andrews stated that it would take weeks to secure the affected networks and remove the malware. At the time of writing there is no evidence that any personal information was released.
The attack came after a warning from Victoria's Auditor-General, who reported in May that Victoria's health databases had serious weaknesses that put patient data at risk. This is consistent with the reporting of the Office of the Australian Information Commissioner (OAIC), which consistently identifies health service providers as the sector notifying the most data breaches.
So, whilst the breaches were caused by malicious activity, the suggestion is that known and unremediated weaknesses in how the systems were set up and maintained, a human factor, gave the attackers their opportunity.
PayID
PayID allows account holders across all major financial institutions to make instantaneous payments using a mobile phone number or email address in place of account details. It was launched in 2018 by the New Payments Platform, an alliance of 13 banks, and has been used to process 90 million transactions totalling more than $75 billion. Since its release, however, PayID has been dogged by privacy concerns and data breaches. In particular, it was criticised because when a phone number is typed in, the name associated with that number is displayed automatically (so the payer can confirm they have the right recipient). The effect is that the lookup doubles as a directory: anyone who enters a phone number, or a long list of phone numbers, learns the name of the person holding each one.
In June 2019, hackers obtained 98,000 PayID details after accessing the personal information of 600,000 PayID users. In August 2019, a further 92,000 PayIDs were exposed, revealing users' full names and mobile phone numbers. These details were then used to send phishing messages to customers, purporting to come from their banks.
In this case, a feature added to make the system friendlier for people (name confirmation) also created a technical weakness, because the same lookup could be abused at scale.
Commonwealth Superannuation Corporation
On 24 September 2019, an ABC staff member was sent a document containing the full names and addresses of CSC customers and the amounts they had transferred into their superannuation funds. The staff member received her own information together with additional documents containing the personal information of other customers.
CSC has confirmed that 18 customers were affected and says it is investigating urgently. The incident is believed to have been caused by human error.
Again we see human error, here a document sent to the wrong recipient, laying the groundwork for a data breach that then occurs electronically.
Impact of data breaches on organisations
The significant media coverage regarding recent data breaches demonstrates the broad impact data breaches can have on organisations.
For not-for-profits, a breach can also damage their standing as a trusted organisation. The accidental publication in late 2016 of personal information belonging to 550,000 blood donors damaged the reputation of the Australian Red Cross Blood Service in exactly this way. In the two weeks that followed, it received 3,700 calls and emails about the breach. Fortunately, the Red Cross' rapid response and honesty helped preserve its reputation. It was nevertheless required to enter into enforceable undertakings with the OAIC.
Data breaches can also cause significant financial loss. In 2018, Save the Children lost $1 million when a cyber attack gained access to an employee's email account, which was then used to create fake invoices. We are also seeing an increasing number of lawsuits against organisations that fail to protect the privacy of individuals. For example, Yahoo recently settled a data breach class action for $117 million.
Not-for-profits that are bound by the Privacy Act 1988 (Cth) should also be aware of the penalties under the Act, especially in light of the Government's announcement in March 2019 that it intends to increase the maximum penalty to the greater of $10 million, three times the value of the benefit obtained through the misuse of information, or 10% of an organisation's annual domestic turnover.
Key lessons and next steps for your organisation
It is important that organisations do what they can both to prevent data breaches and to ensure they are equipped to respond efficiently to any breach that does occur.
We recommend that organisations prioritise the following:
- Put in place / review your data breach response plan, then educate your staff and follow it: if your organisation does not currently have a data breach response plan (DBRP), it should put one in place urgently. The plan should step you through how to respond to a breach in accordance with your legal obligations. If you already have one, consider whether it needs to be reviewed in light of recent developments in law and best practice. As the OAIC stated in its report on the Red Cross data breach, "data breaches can still happen in the best organisations", and it is how an organisation responds that can be defining.
- Review your third party contracts, and outsource the job, not the privacy compliance: the Red Cross breach shows that organisations which store data with third parties must make sure privacy compliance is embedded in those agreements. The OAIC has consistently stated that organisations cannot outsource compliance with their legal obligations and remain ultimately responsible for the data they collect and use.
- Train your staff: a consistent theme in data breaches is that they are caused by, or result from, human error, as in the Commonwealth Superannuation Corporation example. While some mistakes are inevitable, human error often stems from a lack of understanding of suspicious emails, proper protocols and safeguards. Your staff should also be trained on how to respond to a data breach quickly to mitigate harm or further disclosure, for example by recalling emails and assessing the impact of the breach.
- Understand your vulnerabilities and prepare accordingly: the recent breaches show that different sectors and different types of data carry different vulnerabilities and risks. Organisations need to understand theirs so they can prioritise preventive action and resources. For example, the PayID breach exposed only names and phone numbers and might have seemed harmless, but that was enough to send convincing phishing messages purporting to come from a bank, which could have led to significant financial loss. Similarly, health organisations should be considering their own vulnerabilities. Policies and procedures should be tailored accordingly so that they are as effective as possible at both preventing data breaches and enabling a rapid response.
Privacy Training Sessions
Moores is currently taking bookings for privacy training sessions. Contact us below if you'd like to hear more about our engaging and entertaining privacy training sessions for staff, and our in-depth sessions for boards.
About Moores’ Privacy Practice
Our privacy team has worked with a large number of corporates and Not-For-Profits regarding their privacy compliance including:
- Policy and compliance;
- Assisting with responding to privacy breaches or suspected breaches;
- Privacy audits and compliance reports;
- Developing data breach response plans;
- Privacy framework design; and
- Training boards and staff
If you need any assistance with privacy practices for your organisation, please do not hesitate to contact us.