Our identities are being kidnapped and held for ransom

August 10, 2020
Safety and Privacy

Our identities are being kidnapped and held for ransom

By Jason Bryce

Information kidnappers are taking over company, website, financial institution computer systems and holding customer data including financial, identity, personal and health information for a ransom.

33 data kidnaps in the last six months is up 150% from just 13 over previous the six months. This frightening trend can see companies and their threatened and intimidated by faceless online criminals.

This may be the tip of a large iceberg because many ransomware attacks may go unreported. Attackers threaten the reputation and customer confidence that companies enjoy by holding their data for ransom. Some businesses may pay the criminals to avoid the inevitable bad publicity and potential loss of customers if a data breach is revealed.

Some privacy and data breach notifications to the Information Commissioner in 2020 have involved millions of customers.

Health finance and insurance companies are the three big targets for these criminals according to the latest Australian data breach report from the Office of the Australian Information Commissioner (OAIC).

While data breaches resulting from email ‘phishing’ continues to be the leading source of malicious attacks, there is a growing risk of ransomware attacks in Australia said the OAIC.

Incredibly it seems some of the big companies that hold our financial details in their systems are using email programs to store our sensitive data. Or they are not deleting old emails that contain our sensitive data.

“The OAIC has continued to receive notifications where entities are storing sensitive personal information such as bank account details, superannuation account numbers and TFNs within email accounts.”

The Information Commissioner, Angelene Falk, is concerned that companies are not securing their systems adequately. But these seem like basic security measures for companies that want to collect our financial and identity information from us.

The OIAC has told companies to consider additional email security and to delete old emails that contain our information “from both the inbox and sent box.”

With increasing amounts of our personal information being collected and stored online, consumers need to have confidence when handing over their information.

While our companies are learning to delete old emails, there is a surge in brazen ransomware attacks. These serious criminal operations targeting companies that collect our personal information can leave company staff traumatised and customer information open to the cybergangs.

What is Ransomware?

Ransomware is a frightening trend in online crime.

software that attacks and encrypts data making it unusable or inaccessible.

The company may not even know they have been attacked. The criminal then demands a ransom - money - from the company for a ‘decryption key’ said the Privacy Commissioner.

Ransomware can enter a system through an email attachment, a software download, a malicious webpage, an unsecured public-facing server or a remote port.

Criminals seem to be targeting the health, finance and insurance sectors to attack. This chart is from the latest OAIC data breach report:

Ransomware attacks are inherently difficult to assess and investigate because the target entity can no longer access its own network,” said Privacy Commissioner Angelene Falk,

Ransom and straight out ID theft - impersonation – are the two big goals of the criminals. 518 reportable data breaches in the six months from January to June 2020 is 16 per cent more than the corresponding period last year.

“Malicious actors and criminals are responsible for three in five data breaches.”

25 companies notified the commissioner they had been attacked by a rogue employee or internal threat while human error data breaches are also up.

Organisations must address privacy impacts of changed business practices during the COVID-19 outbreak said Angelene Falk.

Do companies know when they have been hacked?

The finance, health or insurance company you have given your bank account, passport, DOB and address to may not realise it has lost your information to criminals. And if they do realise, they may not want to tell you they lost your data.

In the last six months, about 120 businesses did NOT detect that their systems had been breached in less than 30 days. 47 companies took between two months and one year to figure it out, while 14 Australian entities did not know for more than one year.

Some organisations also failed to identify all the types of personal information involved and did not provide advice to the people affected.

“In these cases, we required the organisation to re-issue the notification,” said Angelene Falk

“We’ll continue to closely monitor compliance with assessment and notification obligations as part of our system of oversight.”

Is my information safe online?

Some recent big Australian data breaches have involved millions of customers. Data breaches spiked in May reported the OIAC.

“The number of notifications per month [ranged] from 63 in January to 124 in May, the highest number of data breaches reported in a month since the Notifiable Data Breaches scheme began in February 2018.”

One third of data breaches involved the theft or loss of ID information like passport and drivers license numbers while just under one third involved the loss of personal financial information like bank accounts.

Contact information remains the most common type of personal information stolen according to the Commissioner with 34 per cent resulting from human error. 61 per cent are malicious attacks on Australian businesses, banks, health insurers and big entities.

All of the more than 500 data breaches reported in the last six months are “likely to result in serious harm to any of the individuals whose personal information was involved. 46 per cent of breaches involved the loss of up to ten people’s information. 64 per cent involved up to 100 people. Three breaches involved more than one million people.

Related posts