A/NZ cyber support NFP warns increased penalties may fuel attacks

Published on the 20/04/2023 | Written by Heather Wright


A/NZ cyber support NFP warns increased penalties may fuel attacks

Penalty increase may spark ‘perverse’ outcomes…

Australia’s increased privacy breach penalties have been lambasted by a government backed identity and cyber support service, which says the moves could fuel even more attacks.

In a submission to the federal government’s review of the Privacy Act, Australian and New Zealand not for profit IDCare, says increased penalties could encourage companies to pay the ransom, and in doing so spur even more hacking, or drive attacks ‘even further underground’.

“A significant reason why Australian governments and businesses are increasingly targeted by ransomware attacks, the likes of which have breached almost half the Australian population in the last 24 months, is because we pay,” IDCare says.

“In terms of ransomware attacks, Australia is open for business.”

Australia has experienced a spate of high-profile and large-scale data thefts in recent months, including last September’s Optus breach which saw 10 million accounts exposed and prompted reforms. It was quickly followed by Medibank Private announcing 9.7 million accounts had been compromised. More recently, last month’s Latitude Financial Services breach saw around 14 million Australian and Kiwi customer records stolen.

Both Australia and New Zealand have legislated requirements to notify regulators and the impacted parties when the breach could cause ‘serious’ harm.

Late last year, Australia increased its penalties from $2.2 million to up to AU$50 million for a serious privacy breach, 30 percent of a company’s adjusted turnover or three times any financial benefit obtained through data misuse.

But IDCare says those increases and an absence of laws prohibiting or providing disincentives against ransom payments, may actually have ‘perverse’ unintended consequences, reducing future reporting of attacks.

Its submission says breach frameworks ‘seem less about informing and supporting a person to take action and more about a need for tick a box reporting’ to regulators and to protect other interests, and leave Australian businesses vulnerable to ongoing attacks.

IDCare is funded by ‘subscriber organisations’ who include Australian federal and state government, New Zealand’s Internal Affairs, several state police departments and corporates including Air New Zealand, Qantas, Kiwibank, BNZ, Australia Post, Telstra, and Woolworths Group.

It works with organisations after cyberattacks, providing specialist identity and cyber security case managers to work with affected customers. Latitude Financial Services (which publicly declared it wouldn’t pay a ransom) is just one company to call on IDCare’s services following a breach. IDCare, which is based in Queensland’s Caloundra and Napier in New Zealand, also supported those affected by both the Optus and Medibank breaches and New Zealand’s Pinnacle Health and Te Whatu Ora/Health NZ breaches.

It also recently announced a partnership with the WA Government, which includes providing pop-up support and education centres across regional WA.

Founded in 2013, its team includes 55 identity and cyber security case managers, counsellors, community education officers, computer and data scientists, lawyers, project managers and developers. As well as a team working one on one with affected individuals and organisations, it has a monitoring unit and works with industries and agencies to improve best practice.

It is reportedly planning to increase staff numbers this year, along with launching a ‘reserve’ program training teams across government and corporates utilising the time allowed by some corporates for staff to work with charities, in order to cope with ever increasing workloads. Demand for its services was up 45 percent last year.

IDCare’s submission notes that in January 2023, Australia was the fifth most targeted country for data theft.

“Business is booming for ransomware attackers, because there is little disincentive and Australia has form in paying and not necessarily notifying,” IDCare says in its submission.

“Put simply, in terms of ransomware attacks, Australia is open for business.”

It says some companies are receiving legal advice to pay up, in order to not report the incident to regulators.

“Some law firms over the years have advised payment as a means to lean on the remediation exemption – that is, the criminal has said they have destroyed all copies and haven’t shared, therefore the breach is contained and there is no serious risk of harm.”

IDCare says in its experience data ‘re-emerges’ from previously met ransom demands.

“The reality is that data remains accessible even today. It is foolish to believe the payment of a ransom leads to the data being deleted and not shared. To lean on this as an exemption to notify is a legal furphy.”

It has seen an increase in the number of darknet offerings available to advance the exploitation of breached data, including data aggregation services where breached data, including data subject to ransom payments, were offered as ‘mega breached person packages’.

“This counters the argument that paying a ransom actually lessens the risk of sharing and subsequent exploitation. An absence of this direct issue being addressed in the Privacy Act Review is a significant shortfall in the reform agenda. It may in fact be a symptom of bureaucratic organisation, where cyber, privacy and corporate regulation diverge into ministerial responsibilities, but it is a key gap.”

The submission includes examples from companies which IDCare has supported following ransomware attacks, highlighting the complexity of regulations.

In discussion on making it an offence to pay ransoms, it cites a Sunshine Coast business that had no way of recovering customer and employee files, couldn’t process orders and had no way of meeting payroll obligations following an attack.

“Their insurer pushed them to a specific law firm and a cyber forensics provider that quoted around $15,000 a day to assist due to policy coverage shortfalls.

“The ransom payment was less than the amount they were looking at paying to remediate per day. There was no technical assistance available from government and no prospect that the criminals responsible would be brought to account.

“In our estimation, the drawing into the Privacy Act of small business is likely to see these scenarios amplify.”

The Privacy Act Review began in 2020 following recommendations by the ACCC in its Digital Platforms Inquiry – Final Report. Public feedback on the Privacy Act Review Report closed last month.
