Another year, another scam. While data driven crime is more sophisticated and difficult to address than ever, human error and judgement remains one of the major problems.
The latest data breach report from the Office of the Australian Information Commissioner (OAIC) is surprising for the simplicity of the problems - 37% of data beaches resulted from human error not malicious attack. In over 20% of reported cases, personal information was simply sent to the wrong recipient. Another 6% of complaints were attributed to system faults.
Since 22 February 2018, businesses covered by the Privacy Act need to report unauthorised access to or disclosure of personal information or loss of personal information that your business holds under the Data Breach Scheme. The rules impact organisations with an annual turnover of $3 million or more, businesses ‘related to’ another business covered by the Privacy Act, or if your business, regardless of size, deals with health records (including gyms, child care centres, natural health providers, etc.,), is a credit provider, or holds Tax File Number information (see the list).
Organisations are required to take all reasonable steps to prevent a breach occurring, put in place the systems and procedures to identify and assess a breach, and issue a notification if a breach is likely to cause ‘serious harm’.
What the statistics from the OAIC demonstrate is that procedural integrity in your business is paramount – train your team to not only be wary of scams but ingrain best practice for the day to day management of personal data. Privacy protection is not just an ‘IT’ issue.
While not the only factor, protecting your systems remains a priority as Marriot Hotels discovered when the Starwood guest reservation database was breached. According to the latest announcement, up to 383 million records were potentially impacted. Of those, there were approximately 5.25 million unique unencrypted passport numbers. On 30 November 2018, the company announced that unauthorised access to the database may have been occurring since 2014.
Similarly, Cathay Pacific released a statement notifying that up to 9.4 million members of their Marco Polo Club, Asia Miles or a Registered Account holder have potentially had their data breached including passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks and historical travel information.
Remember, hackers can gain access to your business’s data simply by a staff member clicking on a link.
While not impacting personal data, according to the ScamWatch, a common scam is where hackers gain access to a business’ email accounts, or ‘spoof’ a business’ email so their emails appear to come from the company. The hacker then sends emails to customers claiming that the business’s banking details have changed and that future invoices should be paid to a new account. These emails look legitimate as they come from one of the business’s official email accounts. Payments then start to flow into the hacker’s account. The average loss from these scams is around $30,000.
A variation is where the hacker sends an email internally to a business’ accounts team, pretending to be the CEO, asking for funds to be urgently transferred to an off-shore account. Hackers can also request salary or rental payments be directed to a new account.
In 2018, these scams cost Australian business $30 million in 2018.
Simple measures you can take:
· Have strong and enforced processes in place for the management of personal client information.
· Strong authorising procedures for payments – two-step authority.
· Change passwords often and use two-step authentication where available.
· If a client’s bank details have changed, phone them and check the details.
· Train your team on cyber security:
o Check requests for payments that arrive electronically from other team members and management.
o Check email addresses are legitimate – look for slight variations.
o Be suspicious of poorly written emails.
o Don’t click on links from email – always use your account with the supplier or Government department to check details.
· If contacted by the ATO, contact us to verify the information if you are concerned.
The Australian Taxation Office (ATO) has warned about the emergence of a scam where “…scammers are using an ATO number to send fraudulent SMS messages to taxpayers asking them to click on a link and hand over their personal details in order to obtain a refund.”
The refund scam follows a more sinister four phase scam stating there is a warrant out for your arrest for unpaid taxes in prior years. The scam starts with a text message purportedly from the Australian Federal Police (AFP). Within minutes, your mobile rings and the caller identifies themselves as being from the AFP and working with the ATO. They then ask for your accountant’s details. You then receive a call purportedly from your ‘accounting firm’ asking you to verify the AFP/ATO claims. Finally, you are provided with a way, if you act quickly, to make the AFP go away by paying a fee before your ‘imminent arrest’.
The ATO states that it will not:
- · send you an email or SMS asking you to click on a link to provide login, personal or financial information, or to download a file or open an attachment;
- · use aggressive or rude behaviour, or threaten you with arrest, jail or deportation;
- · request payment of a debt via iTunes or Google Play cards, pre-paid Visa cards, cryptocurrency or direct credit to a personal bank account; or
- · request a fee in order to release a refund owed to you.
A new phishing scam sent text messages purportedly from Medicare advising the recipient that they are owed a $200 rebate from Medicare. Once the person clicks on the reclaim link, they are asked to provide their personal details including bank account details for the ‘rebate.’