Is your business thinking like a cybercriminal?

Stolen employee credentials are one of the most common tools to gain access into a company’s systems and it is proving an effective way for threat actors to compromise data security.

The latest Office of the Australian Information Commissioner (OAIC) Notifiable Data Breaches report highlighted this growing problem – 59 per cent of cyber incidents reported in the six months to December 2022 involved compromised or stolen credentials.

We’ve seen it again today, with the news that financial services firm Latitude Financial has been hit with a “sophisticated and malicious cyberattack” that has reportedly compromised 103,000 identification documents and 225,000 customer records.

While it is still early in the investigation, Latitude believes the attackers stole employee login credentials from service providers it uses.

Latitude is a publicly listed finance organisation specialising in consumer payments and lending, best known for providing services to businesses such as Harvey Norman, JB Hi-Fi, The Good Guys, Apple and David Jones.

In its statement to the ASX, Latitude said it was doing everything in its power to contain the incident  and prevent the theft of further data, and its actions included isolating and removing access to some customer-facing and internal systems.

The company is working with the Australian Cyber Security Centre and said it has alerted law enforcement agencies and engaged cyber specialists to assist with its response.

Mitigation measures that can be taken for people potentially affected include checking bank and financial accounts for any unusual purchases and activity, and banning access to your credit report.

Keeping the supply chain secure

In today’s highly connected world, it’s not just the security of their own organisation that needs protecting. Good data governance is ensuring other businesses that you share information with are also vigilant about keeping it secure.

Information is shared up and down with contractors, third-party platforms and external service providers and while this collaboration is vital for business to operate effectively, cyber criminals also seek to expose weaknesses in these channels.

High profile attacks on big organisations get the headlines, but often these strikes start with small businesses, which are easy targets in that their cyber security is often less robust and opens up connections with more lucrative business.

So what do cyber criminals want?

Personal information is highly valuable, and that is reflected in sectors that experienced the greatest exposure in terms of notifiable data breaches in the second half of last year.

According to the OAIC, health service providers had 71 notifiable breaches, or 14% of the total reported in the second half of 2022.

Health was followed by finance, including superannuation organisations, with 68 notifications. In fact, health and finance have consistently reported the most data breaches of all sectors since the start of the Notifiable Data Breach program.

Together, the five sectors made up just over half the total number of reports in the last half.

The OAIC report found that contact information is the most common type of personal information involved in breaches – that might include mobile phone numbers or email addresses, information that leaves people vulnerable to scams and phishing attacks.

Can the crooks be beaten?

People and businesses must remain vigilant against attacks and compromising their credentials because it’s not just their own security that could be at risk.

Credential stuffing is the automated injection of breached username and password combinations to fraudulently gain access to user accounts. If criminals can access login details, their job of breaking in is much easier.

Defenders need to think a little more like a cybercriminal, who have more in common with car thieves and opportunist burglars seeking easy targets than many people realise.

Recycling passwords should be avoided – over 15 billion stolen account credentials stemming from over 100,000 data breaches are available in the black markets.

As one of the primary targets for threat actors, financial institutions may need more robust strategies, which includes knowing where data is held and how it is protected.

Preparation is both the key to reducing the risk and dealing quickly with incidents when they arise.

Speaking earlier this month, Optus CEO Kelly Bayer Rosmarin suggested that her company could have done a better job of communicating with customers in the wake of the cyberattack last year.

She told The Australian Financial Review Business Summit: “We sent out 16 million customer communications [with] 110 different bespoke messages for the different cohorts.

“There were a couple of messages that, when you read them, you thought: ‘Oh, this looks like it’s been written by someone who hasn’t slept in four days’. So I wish every single one of those 110 communications had been to our usual level of quality.”

Under the Notifiable Data Breach scheme an organisation or agency must notify affected individuals and the OAIC about an eligible data breach.

Since 2018, any organisation or government agency covered by the Privacy Act must disclose a data breach if personal information has been lost, accessed or disclosed without authorisation, there is the likelihood of serious harm to one or more people, and the organisation has not been able to prevent the likely risk of serious harm with remedial action.

If the worst should happen, clear and fast communication is vital – without it, clients and stakeholders may quickly lose confidence and the reputational damage already occurring will be compounded.