Beware the dangers of data breach fatigue

2024-05-27T08:55:00+10:00

The public are being warned not to ignore ever-increasing data breaches.

Neil Martin

UNSW cybersecurity expert Professor Sanjay Jha says companies and the public should remain on high alert in the face of continual cyber attacks.

Cybersecurity expert Professor Sanjay Jha has urged the public to remain vigilant and not become complacent to ever-increasing cyber attacks.

The most recent data breach report from the Office of the Australian Information Commissioner (OAIC) recorded 483 breaches in the period from July to December 2023, up 19 per cent on the previous six months.

Two-thirds (67%) of those breaches were caused by malicious or criminal attacks, with the other third made up of human error (30%) and system faults (3%).

Although 312 of the 483 breaches affected 100 or fewer people worldwide, there were also four separate incidents where 250,000 or more Australians had their data improperly accessed.

Phishing techniques are designed to obtain personal details such as credit card information. Adobe Stock

Prof. Jha, UNSW Lead of the Cybersecurity Cooperative Research Centre (CSCRC), hopes that the public will not start to tune out and ignore such data breaches as they become more and more prevalent – especially given the dangers of not taking steps to protect personal information which may have been compromised.

“I understand that it’s human nature that you start to just get used to certain things, but I think it's important to keep raising awareness about trying to protect your personal information and even if we reach only a small percentage of people who listen, then it's worth it,” he says.

“It’s obviously a big danger if your bank account is compromised, for example, and lots of money is stolen from you.

“But there are other private details you probably don’t want random people to know about – such as your health or medical records, which can also get broken into.”

Data as a commodity

Prof. Jha says that when malicious cyber-attacks on companies and organisations result in breaches, it can take some time for that personal information to make its way to professional hackers or others who try to make money from the stolen data.

“Personal data is a valuable commodity. Even if credentials aren’t stolen, then it can still be sold as marketing information,” he says.

“But if there is a specific piece of identity then that can kick-start cybercrime because it helps bad actors create your profile and maybe use social engineering to try to get the full information they need to log into your banking system or compromise your medical records.

“Even just knowing your mobile phone number and whether you are a male or female can be enough for criminals to start getting to work.

“A lot of this information, when it is obtained by a cyber-attack, is then sold on the dark web and maybe it then gets bought by hackers who are building phishing sites designed to get the additional credentials they need to get into bank accounts and steal money.”

Phishing for personal information

The problem is so widespread that even a cybersecurity expert such as Prof. Jha himself is targeted regularly by those he believes have obtained some of his personal information.

Many of these attempts come via phishing scams to his mobile phone, where fraudulent messages purportedly from large reputable companies are actually being sent by cybercriminals attempting to get even more valuable information such as online banking logins, credit card details or passwords.

But Prof. Jha acknowledges that it’s sometimes hard for the general public to know what communications they can trust.

“Phishing attacks continue. They aren’t stopping and in fact they are getting ever more innovative,” the academic from the School of Computer Science and Engineering says.

“Even I get those types of messages which say something like, ‘This is Coles and your reward points are about to expire’. The cybercriminals know that almost every Australian is buying their groceries from Coles or Woolworths, so they have a good chance of getting your attention.

“People can then fall into the trap of clicking on the link and giving out their information. More and more education is always needed about this, but it’s also hard to know what is real and what is fake.

“I also get legitimate messages from Australia Post when I have a parcel delivery and they send a URL for me to click on. But they use a tiny-URL system which just shows a series of random scrambled numbers and, as a cybersecurity expert, that makes me very afraid to click on a link where I can’t see the full address.

“And that creates a problem because it is the same technology being used for a legitimate purpose, but it’s lost its trustworthiness and should make you wary of clicking.”

Prof. Jha says companies should be doing more to keep personal data safe from hackers, but admits that as information and communications technology systems get more and more complicated, that means that points of weakness are always likely to exist.

And attacks are unlikely to decrease while there is a lucrative market for stolen credentials.

“The problem is that ICT systems are very complex and every day new applications are deployed and new information is stored and exchanged,” he says.

“It is a very dynamic field – and anyone who says they can secure an entire system where no attack is possible is not being very truthful.

“What we need to do is to ensure we are trying our best to minimise the attacks, and if they happen make sure we are resilient enough to deal with them and recover.

“But some systems need to be more secure than others. If you take down the power grid then you could take down the whole country, and the banking system is another.

“I do think that companies in general can do a lot more to protect people’s privacy. If a new system is deployed then do proper testing and check integration with other systems in case it causes a possible vulnerability in terms of security.

“In addition, keep track of any vulnerabilities that are reported. And monitor cyber threat intelligence from reliable sources to check if your system is at risk.

“Another good measure is regularly scanning and sanitizing the system – all of these are protocols that build up strong security.”