2022-10-09

The theft of personal data from 11 million Optus customers last week has exposed the soft underbelly of Australia’s online security.

Cyber Security Minister Clare O’Neil called the breach at the country’s second-largest telco ‘a fundamental hack’, although Optus denied this, claiming the data was ‘encrypted’ and sat behind ‘multiple firewalls’.

A number of experts were not convinced, but the breach is only one symptom of wider weaknesses in Australia’s online security, with one technology analyst saying major sectors ‘have no idea’ they are leaving millions of Australians exposed to hackers.

Tech futurist Shara Evans has identified some of the weaknesses in Australian practices that make the country highly vulnerable to cybercriminals.

Tech futurist and keynote speaker Shara Evans says Australia is an easy target for international hackers.

A particularly glaring weakness is the widespread habit of sending sensitive data in unencrypted email.

Evans said Australian businesses seem to have ‘no idea’ of the risk this poses.

“I can’t tell you how many times healthcare providers will send you information unencrypted,” she said.

‘If your doctor says they will email a prescription to your pharmacy, they will do so in plain text, including your date of birth and Medicare number.’

The Optus hacker was able to steal personal addresses, dates of birth, phone numbers, driving licences and passport details.

Evans, who has worked as a director for US telecommunications companies Alcatel, Sprint, Telenet and GTE, identified another high-risk area where sensitive data is sent.

“Each policy renewal has an address, policy number and date of birth sent by email,” she said.

‘Unless it’s encrypted, you’re trusting the client to have started some security protocol – SSL or TLS – that people haven’t even heard of.

‘You’re relying on people configuring each of their devices that receive email to a certain specification, and the center has to have their email to that specification as well.

‘If someone has spoofed your email or managed to access your email, everything about you is there.’

About 11 million Optus customers had their personal information stolen by a hacker in the data breach.

SSL stands for Secure Sockets Layer, an encryption protocol; TLS (Transport Layer Security) is its more modern and secure replacement. Both protect a message only while it is in transit between two mail systems that support them, not once it is sitting in an inbox.

Email spoofing is when a hacker sends an email that looks like it is from a trusted source.

The fake email may ask the recipient to send back personal information, including financial details, or trick them into opening malware or spyware on their device.

Nigel Phair, director of the UNSW Institute for Cyber Security, agrees that Australia is vulnerable online – and the threat is only growing.

“We need to do a lot better in Australia when it comes to cybercrime,” he told Daily Mail Australia.

Inside sources say Australian companies are not following best practices to secure their data from hackers.

‘The Australian Cyber Security Centre said they had about 63,000 reports last year; I reckon that’s about a fifth of what the actual number is.

‘The ACCC had about $2 billion in reported losses from fraud.

‘I don’t think it’s anywhere near the right amount.

‘We have a long way to go before we collectively get out of the online hygiene that is happening in this country.’

Phair agreed with the cyber security minister that the Optus hack ‘was a breach we shouldn’t expect to see at a major telco’.

“No, it certainly shouldn’t have happened,” Mr Phair said.

‘I hope if we can take one ray of sunshine out of this, it’s that other companies in the ASX top 200 and below really have a hard look at their risk practices in light of this.

Home Affairs Minister Clare O’Neil criticised Optus, saying the security breach was ‘fundamental’, but the telco has denied these claims.

‘They need to ask themselves, “Why are we collecting data? Who is going to assess it? Why is it being stored? And how, hopefully, is it eventually deleted?”

‘Why should companies be allowed to collect so much data when consumers are not really making an informed choice?’

Ms O’Neil said she had heard from internal sources about security breaches at major Australian companies.

These included unsecured servers in basements and information that was not ‘siloed’.

Siloing means that the information about an individual is kept in separate stores, so if a hacker breaks into one digital ‘silo’ they do not gain access to the entire data set that could be used to build an identity theft profile.

Evans said that personal information must be “stored separately with audit trails, multiple firewalls and encryption” by all companies.

Optus claims the stolen data was encrypted and sat behind multiple firewalls (pictured, an Optus store in Sydney).

Evans and Mr Phair criticized the fines that could be imposed on Australian companies for major security breaches.

The maximum fine that can be imposed by the Australian Information Commissioner, otherwise known as the Privacy Commissioner, is $2 million, which Ms Evans described as a ‘slap on the wrist’.

Privacy legislation is much stricter in the EU and has been in place since 2016.

Under those laws, maximum fines for privacy breaches reach 20 million euros ($29 million) or 4 percent of a company’s global revenue from the previous year, whichever is higher.

Phair, a former AFP officer who helped establish the agency’s high-tech crime unit, agreed that Australia’s fines ‘are very low compared internationally for data breaches’, but said that, perhaps more worryingly, they have never been used.

“We’ve had data breach fines in place for three or four years and the Data Commissioner has yet to issue one,” Mr Phair said.

‘We can talk about “yes, we need bigger fines”, but what about using the fines we’ve got first?’

Many may not realize that the most sensitive piece of personal information hackers seek is a date of birth, according to Evans.

Once it falls into malicious hands, it could be years before it is used.

“If your date of birth is compromised, you are at risk of identity theft — period,” Evans said.

Shara’s 10 Tips for Staying Safe Online

Shara Evans is a technology futurist and online security expert. Here are her tips for protecting yourself from hackers.

1. Get basic IT security on devices including antivirus, malware check, ransomware check, VPN, firewalls.

2. Use different passwords for each website and app. Make them long and complex – uppercase plus lowercase letters, numbers, special characters. Store your passwords in an encrypted password box.

3. Use two-factor authentication whenever possible (i.e. logging into a secure banking portal requires you to enter an authentication code sent to you via SMS or email, or requires a SecurID token number).

4. Use multiple email addresses. If you own a domain, it’s easy to create an email alias (‘forwarder’) that names a specific site or type of activity. If compromised, you can then disable an email alias address without affecting anything else you do. And it will help you identify the source of the leak.

5. Check your credit reports for signs of fraudulent activity – or incorrect information.

6. Enrol in a credit/identity protection plan and institute credit freezes if you have reason to suspect your ID has been compromised.

7. NEVER click on text or email hyperlinks that you do not know are legitimate. Many people get into trouble this way. You can check a shortened link by copying it and entering it into the search bar to see what comes up. If it’s malware, you may see a notification. At least check if the source domain looks suspicious; if so, don’t click on it!

8. When uploading sensitive information to a website portal, check for the lock icon (https) – this means your data is encrypted ‘in transit’ when uploaded to the website. Company cybersecurity practices vary widely.

9. If someone calls you and says they are from Company X – NEVER give them any information unless you know them and are already expecting a call from a specific phone number or person.

10. NEVER publish your date of birth online! If you have it on social media, DELETE it now. Unless you’re making an official financial transaction, there are very few good reasons for any party to know your real date of birth, much less store it.

‘Once your data is compromised, it often takes years for someone to do anything about you, so you have to be vigilant for the rest of your life.’

A hacker in possession of a date of birth and other personal information can open up credit in their victim’s name at any time.

“I would never know about it,” Evans said.

“Once your birth date is gone, the only thing you can do to fix it is die.”

Phair said the cyber threats were only increasing.

“People need to be hyper-vigilant online,” he said.

‘The length and breadth of fraudulent accounts is amazing.’

Mr Phair said Optus would likely go ‘down as our biggest hack purely based on its potential impact’, but that was hardly the end of the story.

“This is a data breach like we’ve had many before,” he said.

‘You know what we’re going to have plenty of in the future. Expect to see that and more.’