Cyber Security Lessons from Real Data Breaches

How interconnected is Australia? 

• 25.21 million internet users  
• 94.9% Internet penetration rate 
• 33.59 million mobile connections  
• 20.80 million active social media users 

These numbers from Digital 2024: Australia, however, do not reveal the online risks that come with the acceleration of technology and connectivity. Let’s delve into the digital threats that loom over businesses and draw insights from real incidents.  

Cyber Risks are Escalating

Breaches are spreading extensively and are becoming harder to contain or prevent.  

• The Australian Signals Directorate (ASD) said cyber-crime reports surged by 23% in 2023, with nearly 94,000 incidents reported.  
• The cost of cyber-crime worldwide is projected to reach $14.27 trillion AUD in 2024. 
• Global data breaches increased 5 times from the last quarter of 2023 to the first quarter of 2024. 

The Anatomy of Cyber Breaches

A cyber security breach happens when unauthorised individuals gain access to data, applications, or networks by bypassing security protocols. Sensitive or personal information can then be disclosed or exposed to the public.  

Breaches can happen by accident or intentionally. Their top two causes are: 

• Malware: Malicious programs aim to harm a computer, network, or server. This includes ransomware, trojans, spyware, viruses, worms, keyloggers, bots, and cryptojacking. With ransomware, your critical data is encrypted, with a demand for a hefty ransom to unlock it. 
• Phishing Scams: Hundreds of millions of phishing emails are sent daily. Attackers relentlessly send emails, instant messages, or websites that mimic organisations or individuals. They want to trick users into clicking on malicious links and/or sharing sensitive data, such as login credentials, credit card numbers, or personal details.  

If you’re interested in learning more about other forms of cyber security breaches, please check out our article on the trends you should watch out for. 

Vulnerabilities Exploited by Cyber Attackers

Breaches can also happen when an attacker finds and exploits your weak spots, such as: 

• Misconfigurations 
• Unsecured APIs 
• Outdated or Unpatched Software 
• Zero-day Vulnerabilities 
• Weak or Stolen User Credentials 
• Access Control or Unauthorised Access 
• Cross-Site Scripting (XSS) 
• Information Disclosure 
• Improper Access Control 
• Specific Software Vulnerabilities 

Potential Cyber Breach Consequences

When they succeed, cyber breaches can result in: 

1. Business disruption, downtime, and loss of productivity 
2. Financial costs of investigating the breach, implementing security improvements, legal fees, and potential fines 
3. Reputation damage, loss of trust, customers, and revenue 
4. Legal exposure or legal action from customers or regulatory bodies 
5. Loss of competitive advantage 
6. Increase in insurance premiums, because of a higher risk for future breaches 
7. Reduction in credit rating 

How can you avoid those? First, let’s look at some breach cases. 

Lessons from Real-World Data Breaches 

Below are some real examples of data breaches. Let’s take a look and see what we can learn from them.

Latitude’s Data Debacle

In 2023, personal loan provider Latitude Financial Services suffered a breach, considered one of the largest on a financial institution in Australia. Here are the facts: 

• The breach affected up to 14 million customers.  
• The data included 7.9 million drivers’ license numbers, 53,000 passport numbers, 6.1 million records dating back to at least 2005; names, addresses, phone numbers, dates of birth, financial records, and monthly financial statements. 
• Hackers accessed the data of at least 333,000 applicants and current and former customers via at least one third-party provider. (Latitude expressed that it was not its system that was breached, but those of third-party vendors.) 
• The financial cost of the breach to Latitude was estimated at $76 million. 

The company took steps to rectify the platforms impacted in the attack and implemented additional security monitoring. They apologised and offered to reimburse customers who chose to replace their stolen ID document. Latitude also advised customers to be vigilant with all online communications and transactions, and to stay alert for phishing fraud. 

Canva: A Cautionary Tale

Canva faced a monumental data breach when cyber actors accessed personal information in May 2019. Here’s what we know: 

• The breach affected around 139 million people.  
• The stolen data included customer usernames, real names, email addresses, and city and country information.  
• Hash-protected passwords of 61 million users were also in the database. 
• The credentials of almost 4 million Canva users were made available online by the hackers, seven months after the attack. 

Upon detecting the breach, Canva closed their database server. They stated that they securely store all passwords using the highest standards and had no evidence that any of their users’ credentials had been compromised. Canva still encouraged its community to change their passwords. 

Lessons from the Canva and Latitude Cyber Incidents

What can we learn from these breaches? 

1. Communicate clearly, directly, and immediately.  
2. Report to the authorities as soon as you detect a breach.  
3. Respond quickly! We recommend you consult a Managed IT provider and cyber security specialist to help you come up with a plan.  
4. Securely store your data, with strong encryption.  
5. Provide users with timely notifications and guidance on next steps.  
6. Address all risks involving third-party vendors. 
7. Securely “retire” information that’s no longer needed.  

The Way Forward: Prepare Your Cyber Defences

To minimise the risks of a data breach, here are some initial cyber security solutions Cairns businesses can implement proactively. 

1. Education: Regularly train your employees to recognise threats and adopt secure practices. 
2. Regular Audits: Do periodic security audits to spot and address vulnerabilities. 
3. Collaboration: Share threat intelligence with industry peers, as part of a collective effort to strengthen our defences.

Stay Informed, Stay Vigilant

Cyber threats do not discriminate. Every business in Cairns, Queensland or anywhere else in Australia will potentially experience a data breach, so it’s about how you best prepare for it and minimise your risks. 

At Future IT Services, we recommend adopting the Australian Cyber Security Centre’s (ACSC) Essential Eight mitigation strategies. We explain these strategies in our new eBook, 8 Cyber Essentials to Safeguard Your Business. You can download it for free!