Australians’ data and critical infrastructure are threatened by careless disposal of e-waste, which could have “catastrophic” consequences for national security, an expert says.
Australian workplaces throw away thousands of tons of old phones and other devices every year, with some shipped abroad, recycled or resold, consultancy PwC said.
However, much of the e-waste is not properly “sanitized”, leaving behind a lot of information that criminals could make a fortune selling on the dark web.
Two devices, a tablet and a mobile phone, were purchased for less than $50 from a popular second-hand retailer in the ACT for the purpose of a PwC Australia report.
The tablet still had corporate stickers attached and contained a note with credentials to access a database containing up to 20 million sensitive personal records, the firm found.
More than 60 pieces of personally identifiable information were also recovered from the phone through basic analysis.
The information included personal documents and photographs, and both devices could be worth a significant sum on the black market, the firm said.
PwC lobbied to amend the Critical Infrastructure Security Act 2018 or its guidance to explicitly require organizations to safely dispose of e-waste.
The organizations also faced fines of at least $50 million for serious or repeat privacy violations under new sanctions introduced last year.
“The data stored on these devices and their components may contain sensitive information related to an organization’s operations and intellectual property, as well as personally identifiable information,” said Rob Di Pietro, PwC’s digital trust and cybersecurity leader.
“If they end up in the hands of a malicious actor, the results could be catastrophic.”
There was an urgent need to ensure that Australia’s critical infrastructure entities, including healthcare, transport, energy and defense, were required to safely dispose of e-waste, Di Pietro said.
Global e-waste is expected to exceed 70 million tons by 2030.
Australia remains the number one target for ransomware groups in the Asia Pacific region, according to a report by global cybersecurity firm Palo Alto Networks.
Attacks on school systems by groups like the Vice Society demonstrated that cybercriminals were willing to stoop low for a payday, the Palo Alto Networks report found.
Data theft was the most common extortion tactic deployed by ransomware groups, and the median ransom payment was $350,000 ($521,000) in 2022, less than the median demand of $650,000.