We’re more at risk than ever of having our personal data stolen, with so many businesses collecting and storing unnecessary amounts of personal information on their customers, a security expert has warned.
Professor Asha Rao, associate dean of mathematical sciences at RMIT University, says Australia needs new laws to prohibit companies from engaging in unnecessary data harvesting.
She says we also need “severe penalties” for companies that fail to protect customer data, similar to penalties for violations of money laundering and counterterrorism financing laws.
Her comments come in the wake of the huge breach of customer data from the telecommunications giant Optus.
Prime Minister Anthony Albanese has also flagged an intention for a legislative crackdown.
Data-harvesting needs to stop
Professor Rao teaches the maths behind cryptography, which is the core of cybersecurity.
Her students have gone on to work for Australia’s biggest banks, major accounting firms, and Coles and Woolworths, among other businesses.
Professor Rao told the ABC this week that, because of the ubiquity of the internet, we were living in the most “dangerous” time in history for peoples’ personal data.
She said the demand from businesses for customers to hand over increasingly detailed personal information, for no apparent reason, had to stop.
“It’s absolutely dreadful,” she said.
“It’s what we call data retention, and function creep. They are collecting data that they have absolutely no need to collect.”
The Optus data breach included customer names, dates of birth, email addresses, postal addresses, phone numbers, Medicare card numbers, passport numbers, and drivers licence numbers.
The data was typical of the kind of information some companies demand from customers to prove their identity when signing contracts.
Professor Rao said too many companies were collecting and keeping far too much unnecessary information on their customers, and many failed to understand how important it was to protect the data.
“We need to have severe penalties for data breaches involving personal information,” she said.
“They need to bring in new laws, and [to] give all the [regulatory] agencies some teeth.
“It’s the most dangerous time for humans’ personal data, and it’s getting worse, because everything is online,” she said.
In a recent paper, Professor Rao and her colleagues Tracy Tam and Joanne Hall found small businesses were also facing more problems, because they were increasingly becoming attractive targets for cyber-criminals but lacked the means to combat it.
“Our research found that small businesses tend to operate differently from large corporations due to their size,” their paper said.
“One phenomenon is the tendency to mix personal and business use in devices.
“The rising use of cloud services by small business also raises questions around liability and the control and visibility a small business actually has over its IT security,” it said.
Cyber threat a growing problem
Australian authorities have been aware of the problem of cybersecurity for a long time.
Between 1 July 2019 and 30 June 2020, the Australian Cyber Security Centre (ACSC) says it responded to 2266 cybersecurity incidents at a rate of almost six per day.
According to a study commissioned by Microsoft in 2018, cyber incidents targeting small, medium and large businesses were already potentially costing Australia’s economy up to $29 billion a year.
Australia’s Cyber Security Strategy 2020 also warned that Australians were being targeted online by a range of different groups.
“The barrier for entry into cyber criminal activity is very low,” it said.
“Underground online marketplaces offer cyber crime-as-a-service or access to high-end hacking tools that were once only available to nation states.
“Malicious actors with minimal technical expertise can purchase illicit tools and services to generate alternative income streams, launder the proceeds of traditional crimes or intrude into networks on behalf of more sophisticated adversaries.”
In a public submission to the strategy in 2019, Sapien Cyber warned that the consequences of attacks in Australia were “increasing in severity” as information systems become more central to business and society.
Prime minister flags intention to change law
On Wednesday, Prime Minister Anthony Albanese told parliament that Australian laws needed an overhaul.
“When customers hand over their data to companies in Australia, they expect that it will be kept safe and this kind of data breach should be an absolute wake-up call to corporate Australia,” he said, regarding the Optus data breach.
“Clearly, we need better national laws, after a decade of inaction, to manage the immense amount of data collected by companies about Australians, and clear consequences for when [companies] do not manage it well.
“We are committed to protecting Australians’ personal information and to strengthen privacy laws through the privacy act review.”
© 2020 Australian Broadcasting Corporation. All rights reserved.
ABC Content Disclaimer
