¶¶Ņõ¶ĢŹÓʵ

Beware the dangers of data breach fatigue

2024-05-27T08:55:00+10:00

Man holding smartphone with warning about virus attack at home, closeup

The public are being warned not to ignore ever-increasing data breaches.

Neil Martin
Neil Martin,

UNSW cybersecurity expert Professor Sanjay Jha says companies and the public should remain on high alert in the face of continual cyber attacks.

Cybersecurity expert Professor Sanjay Jha has urged the public to remain vigilant and not become complacent to ever-increasing cyber attacks.

The most (OAIC)Ā  recorded 483 breaches in the period from July to December 2023. That was up 19 per cent from the six months previous.

Two-thirds (67%) of those breaches were caused by malicious or criminal attacks, with the other third made up of human error (30%) and system faults (3%).

Although 312 of the 483 breaches affected 100 or fewer people worldwide, there were also four separate incidents where 250,000 or more Australians had their data improperly accessed.

Media enquiries

For enquiries about this story and interview requests please contactĀ Neil Martin.

·”³¾²¹¾±±ō:Ģżn.martin@unsw.edu.au


Phishing techniques are designed to obtain personal details such as credit card information. Adobe Stock

Prof. Jha, UNSW Lead of theĀ Ā (CSCRC), hopes that the public will not start to tune out and ignore such data breaches as they become more and more prevalent ā€“ especially given the dangers of not taking steps to protect personal information which may have been compromised.

ā€œI understand that itā€™s human nature that you start to just get used to certain things, but I think it's important to keep raising awareness about trying to protect your personal information and even if we reach only a small percentage of people who listen, then it's worth it,ā€ he says.

ā€œItā€™s obviously a big danger if your bank account is compromised, for example, and lots of money is stolen from you.

ā€œBut there are other private details you probably donā€™t want random people to know about ā€“ such as your health or medical records, which can also get broken into.ā€

Data as a commodity

Prof. Jha says that when malicious cyber-attacks on companies and organisations result in breaches, it can take some time for that personal information to make its way to professional hackers or others who try to make money from the stolen data.

ā€œPersonal data is a valuable commodity. Even if credentials arenā€™t stolen, then it can still be sold as marketing information,ā€ he says.

ā€œBut if there is a specific piece of identity then that can kick-start cybercrime because it helps bad actors create your profile and maybe use social engineering to try to get the full information they need to log into your banking system or compromise your medical records.

ā€œEven just knowing your mobile phone number and whether you are a male or female can be enough for criminals to start getting to work.

ā€œA lot of this information when it is obtained by a cyber-attack is then sold on the Darkweb and maybe it then gets bought by hackers who are building phishing sites designed to get the additional credentials they need to get into bank accounts and steal money.ā€

Phishing for personal information

The problem is so widespread that even a cybersecurity expert such as Prof. Jha himself is targeted regularly by those he believes have obtained some of his personal information.

Many of these attempts come via phishing scams to his mobile phone, where fraudulent messages purportedly from large reputable companies are actually being sent by cybercriminals attempting to get even more valuable information such as online banking logins, credit card details or passwords.

But Prof. Jha acknowledges that itā€™s sometimes hard for the general public to know what communications they can trust.

ā€œPhishing attacks continue. They arenā€™t stopping and in fact they are getting ever more innovative,ā€ the academic from the School of Computer Science and Engineering says.

ā€œEven I get those types of messages which say something like, ā€˜This is Coles and your reward points are about to expireā€™. The cybercriminals know that almost every Australian is buying their groceries from Coles or Woolworths, so they have a good chance of getting your attention.

ā€œPeople can then fall into the trap of clicking on the link and giving out their information. More and more education is always needed about this, but itā€™s also hard to know what is real and what is fake.

ā€œI also get legitimate messages from Australia Post when I have a parcel delivery and they send a URL for me to click on. But they use a tiny-URL system which just shows a series of random scrambled numbers and, as a cybersecurity expert, that makes me very afraid to click on a link where I canā€™t see the full address.

ā€œAnd that creates a problem because it is the same technology being used for a legitimate purpose, but itā€™s lost its trustworthiness and should make you wary of clicking.ā€

Anyone who says they can secure an entire system where no attack is possible is not being very truthful. What we need to do is to ensure we are trying our best to minimise the attacks, and if they happen make sure we are resilient enough to deal with them and recover.
Professor Sanjay Jha

Prof. Jha says companies should be doing more to keep personal data safe from hackers, but admits that as information and communications technology systems get more and more complicated, that means that points of weakness are always likely to exist.

And attacks are unlikely to decrease while there is a lucrative market for stolen credentials.

ā€œThe problem is that ICT systems are very complex and every day new applications are deployed and new information is stored and exchanged,ā€ he says.

ā€œIt is a very dynamic field ā€“ and anyone who says they can secure an entire system where no attack is possible is not being very truthful.

ā€œWhat we need to do is to ensure we are trying our best to minimise the attacks, and if they happen make sure we are resilient enough to deal with them and recover.

ā€œBut some systems need to be more secure than others. If you take down the power grid then you could take down the whole country, and the banking system is another.

ā€œI do think that companies in general can do a lot more to protect peopleā€™s privacy. If a new system is deployed then do proper testing and check integration with other systems in case it causes a possible vulnerability in terms of security.

ā€œIn addition, keep track of any vulnerabilities that are reported. And monitor cyber threat intelligence from reliable sources to check if your system is at risk.

ā€œAnother good measure is regularly scanning and sanitizing the system ā€“ all of these are protocols that build up strong security.ā€