Learnings from the biggest data breaches of 2017 

Living in the information age has a lot of perks – we are more mobile, more connected and use information and data better than ever, but it’s these advancements that also make us more vulnerable. What 2017 has taught us is that data breaches and the perpetrators behind them are getting more savvy with how they expose data and information, as the number of citizens and types of information affected grows.

Every year millions are affected by data breaches, but 2017 in particular set some new records. 2017 had a lot of close calls and within Australia a few caught widespread attention:

  1. Amazon S3 Contractor Breach
    One of the biggest breaches in 2017 was the contractor breach across both public and private sectors. A hired contractor misconfigured an Amazon S3 bucket, which let slip the names, passwords, ID data, phone numbers, credit card details and finances and expenses of 50,000 employees. Companies like AMP were the most affected, with 25,000 people alone having their records exposed by the mishap, and UGL closely following with 17,000 impacted. Once discovered, the Australian Cyber Security Centre (ACSC) worked with the contractor to remediate the situation and secure the leaked information. Although AMP maintains no customer data was compromised, the incident remains hush hush, and reforms on data standards are having to be reviewed and replaced by many of the companies affected.
  2. Australian Military Defence Projects
    Last year 30 gigabytes of commercially sensitive information on Australian Military Defence Projects was hacked, including from the $14 billion Joint Strike Fighter program (which has been coined as Australia’s next fleet of spy planes), as well as information on other defence projects. What is most worrisome is that hackers spent months inside the system, which they accessed through vulnerabilities 12 months old, related to the company’s inability to change the default passwords on its internet-facing services.
  3. Medicare
    Another big data breach making headlines was the alleged sale of Medicare information by hackers through criminal channels across the ‘dark’ web for around $30 per Medicare number. This breach resulted in many firing shots at security for the $1 billion My Health Record scheme, with many even suggesting the project be boycotted. Despite assurances from the government and Health Minister, there are large concerns that the leaked information could lead to hackers accessing everyone’s individual My Health Records.
  4. Uber Australia
    Last but not least, Uber. Not disclosed until 2017, Uber revealed a hack that took place in 2016, affecting people worldwide including 1.2 million Australians. This meant millions had their location history, credit cards, bank accounts and dates of birth unintentionally disclosed. Uber did not notify any of the people who were affected by the hack, as they reported they tracked the accounts affected and no fraudulent activity was detected. On top of this, Uber alleged they paid the hackers 100,000 USD to delete the stolen data. Hackers had gained access to the private GitHub repository of Uber software developers and used the credentials stored there to access the data on the Amazon Web Services server.

With millions having been affected by breaches in 2017 alone, attacks have compromised data globally. With these increased threats, how companies have responded has been thrown firmly into the spotlight. In Australia, new mandatory data breach notification laws (Notifiable Data Breaches Act 2017) will come into effect from February 2018, meaning companies risk potential financial penalties if they fail to comply with the Act’s requirements.

New regulations are also emerging in other jurisdictions. The EU General Data Protection Regulation implements changes to an existing law, which is a uniform data protection law across all of Europe. Companies that hold personal information on European citizens are subject to the GDPR, regardless of where they operate from.

Across the world, security and privacy have become an area of concern. Despite our extensive advancements in security, the rate at which technology is moving means the fundamentals of security and data privacy are harder to control.

Data breaches are here to stay, as human error, hackers and technological advancements remain in the mix. Get ready to see greater focus on protecting our physical infrastructure and even more about how companies are handling your digital information.

Erianne Bamba
