Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
Health
national science, technology and environment reporter Michael Slezak, and the Specialist Reporting Team's Marty Smiley

Medibank, Optus, Woolworths data hacks show how a 'decade of anti-security policy' is putting Australia at risk, experts say

Millions of Australians have had a bad run with their personal data lately.

Whether it's telecommunications companies like Optus, private health insurers like Medibank, massive online retailers like MyDeal, or smaller online wine sellers like Vinomofo — hackers are getting hold of our data regularly.

With all this going on, you might be left wondering what exactly the hackers are doing with your data and how it could affect you.

Is Australia particularly exposed to data breaches? And is there anything that can be done about it?

We spoke to a few experts to break it down.

Going Phishing

For the people who hacked your data, it's all about money.

And in most cases, they are probably going to sell your data to others who'll use it in various ways like identity theft or extortion, and — or — try to extort the company they stole it from.

There's a lot of talk about those sales of people's data happening on the so-called dark web — sites the average person can't access, without using anonymising software like Tor.

But internet security expert Troy Hunt, who runs the website haveibeenpwned.com said the data was often sold on the "clear web": websites accessible to anyone.

He said data like what was taken in the Optus breach, would often first be used in mass automated phishing attempts.

Since the hackers have your email, they know you are an Optus customer, and they have some other personal information — maybe it's your name and address — they can quickly create thousands or millions of relatively convincing emails that look like they are coming from Optus, said Mr Hunt.

An email might address you by name, note that you are an Optus customer, and have other information obtained through the breach that attempts to demonstrate the legitimacy of the email.

It could then ask you to enter your credit card number or ask you for further information.

"Imagine targeting 10 million people, you're going to get maybe one in a thousand," he said.

"But that's like 10,000 people that have fallen for the scam."

Highly targeted scams

The data can also be used in more targeted ways, according to Professor Vanessa Teague, a cryptographer from the Australian National University.

"In the Optus breach, what it seems to have primarily involved is identity documentation," she said.

"And the thing that a person with malice might use it for, is exactly what you might use it for — and exactly the (reason) Optus had it for — which is identifying as that person in an online setting," she said.

The information held by Optus was gathered to initially set up mobile phone accounts. Telecommunications providers conduct full identity checks, usually requiring 100 points of ID, before they'll grant you a phone contract.

In Australia, getting a "burner phone" — a phone not attached to your real name — is difficult, and criminals could use your 100 points of ID to get a phone attached to your name to use as a burner phone.

Professor Teague said the same information you might provide to your mobile provider is often used to get lines of credit, which could allow someone to spend a lot of money in your name too.

In the case of the Medibank breach, details are still emerging about what exactly was stolen. It's possible identity information was breached in that too.

Also concerning is the suggestion that medical records were stolen, which could be used to extort money from the victims.

"On the one hand, [medical data] isn't as useful for fraud," Professor Teague said.

"On the other hand, it potentially gives you much more power over some people, because it might reveal very intimate details about the person." 

Bad policy 'contributes directly to the current situation'

With all the breaches happening in Australia, you might be wondering whether the country is particularly vulnerable?

Professor Teague was scathing of Australia's approach to security, which she said left the door open to attacks and hacks.

"We've had a decade of anti-security policy," she said.

"We've had laws that required the acquisition of data that didn't need to be acquired, laws that demand the retention of data that didn't need to be retained."

In addition, she said other laws were in place that undermine some encryption and authentication that would provide security for that information.

Professor Teague said amendments to the Telecommunications Act that required the retention of metadata should be scrapped, along with the Assistance and Access Act and the Identify and Disrupt Bill, which she said undermined security, encryption and authentication.
 
She said the previous government saw encryption as a tool used by criminals, and as a result, made it harder for legitimate organisations to use encryption to keep personal data safe.

"It's surprising that we haven't had more serious data breaches more often," said Professor Teague.

"I think this bad policy contributes directly to the current situation and it has to be reversed."

Australia not using good privacy technology

Mr Hunt said Australians were more vulnerable than they needed to be.

He said when someone went to a pub to prove they were over 18, they would generally show their drivers licence.

But when they did that, they were also handing over a photo, licence number and home address, exposing all that to potential theft or misuse.

Mr Hunt said digital drivers licences could show only the information that is required at the time. Like the fact you are over 18.

And he said it was "crazy" that we still use things as simple as licence numbers as identification.

"That sort of thing is absolutely crazy, particularly in an era where we've got cryptographic devices in our pockets." 

Professor Teague agreed, and said Belgium and Estonia now use cryptographic identifying tools, which are easy to use and much harder to steal.

Is there anything you can do to improve your security?

The short answer from Mr Hunt and Professor Teague is simple: not much.

After a breach like Optus, measures can be taken to minimise the impact, said Mr Hunt, like replacing your licence and passport.

The Australian Cyber Security Centre and Home Affairs Minister Clare O'Neil have emphasised checking and improving the security of all your important accounts: turning on two-factor authentication where possible, making sure your passwords are secure and unique, and guard against phishing attempts.

Experts also recommend checking how much of your information is already available online — like contact details on LinkedIn, or dates of birth on Facebook — which criminals could use in addition to anything they've retrieved through a hack, to steal your identity. 

But there's not much you can do to change your health records, if it emerges those were stolen in the Medibank breach, said Professor Teague.

Once you've handed over data, it's rarely up to you what happens to it after that.

"So really, the only thing you can do is refuse to hand it over, except in situations where it's absolutely unavoidable, which unfortunately are increasingly common," she said. 

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.