Powered by MOMENTUM MEDIA
Latitude breach raises data governance ‘red flags’

Technology
03 April 2023

Data cleansing and better identification systems will help combat the rising number of cyber attacks, according to experts.

With the recent cyber attack on Latitude representing just one of the many prominent security breaches this year, more needs to be done to address this ever-increasing issue, experts have warned.

The financial group revealed the full extent of the cyber breach earlier this week, announcing that 14 million customer details had been stolen by cyber criminals.

The details stolen included Australian and New Zealand driver’s licence numbers, passport numbers, as well as 6.1 million records dating back to 2005 that included names, addresses, dates of birth and phone numbers.  


UNSW associate professor Rob Nicholls said data theft is an attractive crime for criminals because the cost of acquiring data from poorly protected sites is low and the value of what can be acquired is relatively high.

“The risk of getting caught is also relatively low,” said the associate professor of regulation and governance at the UNSW Business School.

One of the biggest issues facing businesses — such as Latitude — in relation to data breaches is that it’s cheaper to keep records rather than cleanse them.

“Rather than going back and saying, ‘Well, why are we keeping information about prospective customers from 2005 when there’s no value in that?’ businesses are just keeping that data because it’s a cost to get rid of it,” he said.

“If you did a risk analysis on Latitude in August last year, the risk of a cyber attack was low and the cost of doing data cleansing would have been relatively high. Therefore, just keeping that data meant no additional cost for the business.

“In effect, there’s a data governance problem where laziness is the cheapest option.”

In practice, there are two approaches businesses can take to keeping their data safer.

“If you’re keeping loads of data, but you don’t actually use it, then keep it cold. Don’t have it on active systems but archive it,” he said.

“That way, it’s not available on your networks and therefore not available to be hacked by others.”

Businesses will also need to enforce this in their supply chain.

“Part of the problem with Latitude was that there were two outsourced service providers that had breaches,” he said.

For the data that’s live and needs to be accessed for day-to-day operations, including real customers with real accounts, Mr Nicholls said businesses need to ensure the data is encrypted.

“If I’m a cyber criminal and I’ve breached your system and I’ve got a choice between a pile of encrypted data and a pile of data that’s held in the clear, well I’ll choose the data that’s in the clear,” he said.

The safer option is still to review the data the business is holding and cleanse it.

“It may be more expensive to cleanse than to keep that data, but not if you take reputational risk as a potential outcome,” he said.

“Even if it’s an unlikely risk, the consequence of that risk is so great that it’s almost certainly not worth keeping records that are not being used in the daily operation of the business.”

In the case of the Latitude cyber attack, the financial group had been holding the records of 14 million past, prospective and current customers when it only had 3 million actual customers.

“That should have been a governance red flag,” said Mr Nicholls.

“Keep the information that you absolutely need to keep on customers. Most of the time, that certainly isn’t the information that you collected as part of your Know Your Customer check.

“You don’t need to know my driver’s licence number in order to send me a monthly credit card bill. You don’t need my driver’s licence number in order to chase up a late payment. You actually don’t need those details at all once you’ve met the Know Your Customer requirements.”

Cyber security training company SafeStack said that regulations within finance and tech systems which require businesses to keep large amounts of information for very long periods are another issue in this area.

Chief executive and founder Laura Bell Main said that often the guidance within financial or taxation rules is to keep records for seven years.

“For some organisations, that’s a lot of data for a very long time,” she said.

“I think it would be very pragmatic for governments to review their requirements on data collection and retention to ensure that what needs to be kept is explicit and that it’s really accurate.”

Ms Bell Main said the regulations in this area need to be explicit on whether businesses actually need to keep copies of people’s driver’s licences and passports for seven years, for example, or whether the law is intending something else.

“Do we only need evidence that we checked for seven years rather than the actual data itself? Clarifying this would make things a lot easier because the data we don’t store is the most secure data,” she said.

One of the other policies that the national cabinet has started to explore in recent weeks is the idea of having an additional ID, similar to a MyGov ID.

“If you want to be the director of a business, you need to have a director identification number and you can’t do that without providing your identity to the Commonwealth,” said Mr Nicholls.

The additional ID could be used by organisations to identify individuals by allowing them to request an identity check from the Commonwealth.

Mr Nicholls gave an example of someone applying for a credit card from the bank.

“The bank would send an identity check to the Commonwealth and an app on your phone would then ping you and request you to log into your phone with a biometric face ID, a thumb print or four-digit code,” Mr Nicholls said.

Once the person had confirmed their identity, confirmed that they had applied for a credit card and confirmed the bank at which they applied, they would then enter a four-digit code.

“The bank would then get a notification back confirming that the person is who they said they were,” he said.

“This would reduce business costs and the need to store a lot of this personal information.

“It’s technology that we already have in place to do things like the director identification number. So this is a very logical next step.”

Impacts for accountants

Fraud detection and payment protection company Eftsure said that where these large data breaches occur, it can give greater ammunition to scammers.

Scammers may use this stolen data to target accounts payable staff and attempt to trick them into either making fraudulent payments or into revealing sensitive information, the company said.

Eftsure’s chief growth officer, Gavin Levinsohn, said that while IT and security professionals tend to focus on protecting networks and devices, including improving security hygiene across an entire organisation, it can be harder to prevent scams or frauds that exploit human process failures.

“For example, gaps in internal financial controls or vendor management,” said Mr Levinsohn.

Culture and awareness are therefore an important part of mitigating the risk of fraud and cyber crime.

“Awareness is critical so that your team are better able to spot the latest scams and tactics. You also want a culture where people feel comfortable raising their hands when something seems dodgy — especially when they’ve already clicked on something questionable,” he said.

With the end of financial year approaching, Ms Bell Main said that now is an ideal time for accounting firms to put in place some good practices in relation to data.

“The amount of data coming in always peaks around the end of June so we’ve got a window of opportunity to get things in place now,” she said.

“Starting with the basics, firms should go to the ACSC website and review the essential eight mitigation strategies. Understand which strategies you don’t have and if you can’t fix them all, then at least understand where your gaps are,” she said.

“The next step is to ensure that everyone on the team knows how to identify something that looks strange or malicious. Even if you don’t have the most mature technical controls, having people who are aware and know that they should tell people when they see bad things is really important.”

Given that a lot of the prominent breaches over the past few months have involved personal financial information — such as credit cards, passports and drivers’ licences — accountants need to be on the lookout over the next few months for evidence of identity fraud.

“As accountants, are we seeing any evidence that we have been impacted as individuals or as an organisation? Are we seeing the same in our customers’ data?” said Ms Bell Main.

“As we’re preparing for the end of financial year, we’re going to have our eyes in the places that many people don’t check with the level of detail that we do in the accountancy space, so use it as a superpower. If you’re seeing strange things, it could well be that strange things are happening.”

About the author


Miranda Brownlee is the news editor of Accounting Times, an online publication delivering analysis and insight to Australian accounting professionals. She was previously the deputy editor of SMSF Adviser and has broad business and financial services reporting experience, having written for titles including Investor Daily, ifa and Accountants Daily. You can email Miranda on: [email protected]
