By Rachael Falk
As published in The Australian on 15 September, 2020
A total of 27,814 login attempts, 2178 user names, 10 countries. That is the anatomy of a single brute force cyber attack that resulted in the installation of malicious software, which in turn enabled cryptocurrency mining, peer-to-peer file sharing and other hacking capabilities.
And it was one of many.
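The three figures above are what an analyst extracts from authentication logs after the event. As an added example (not code from the article, from ASIC's pleadings or from RI Advice's systems), the following Python script computes the same three counts over constructed sshd-style log lines and flags the event that turns background noise into an incident: a successful login from a source that had just been failing. The log format, the inline IP-to-country table and the failure threshold are assumptions made for the illustration; a real deployment would read the actual SSH, RDP or VPN logs and use a GeoIP database.

```python
"""Brute force login triage over constructed auth log lines.

Added example; not code from the article or from any party to the case.
The sshd log format, the IP-to-country table and the threshold are
assumptions chosen for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real data); IPs are documentation ranges.
SAMPLE_LOG = """\
Mar 03 02:11:09 fs01 sshd[4121]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Mar 03 02:11:10 fs01 sshd[4121]: Failed password for invalid user admin from 203.0.113.10 port 51235 ssh2
Mar 03 02:11:12 fs01 sshd[4133]: Failed password for invalid user test from 203.0.113.10 port 51240 ssh2
Mar 03 02:11:14 fs01 sshd[4140]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar 03 02:11:15 fs01 sshd[4140]: Failed password for root from 198.51.100.7 port 40012 ssh2
Mar 03 02:11:19 fs01 sshd[4151]: Failed password for invalid user oracle from 192.0.2.55 port 33001 ssh2
Mar 03 02:11:21 fs01 sshd[4151]: Failed password for invalid user backup from 192.0.2.55 port 33002 ssh2
Mar 03 02:12:02 fs01 sshd[4160]: Accepted password for root from 198.51.100.7 port 40019 ssh2
Mar 03 09:30:44 fs01 sshd[5210]: Accepted publickey for rfalk from 10.0.0.12 port 50110 ssh2
"""

# Assumed GeoIP lookup for the sample; a real tool would query a GeoIP database.
IP_COUNTRY = {
    "203.0.113.10": "AU",
    "198.51.100.7": "RO",
    "192.0.2.55": "CN",
    "10.0.0.12": "AU",
}

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text):
    """Return one (user, ip) tuple per failed password attempt."""
    return [
        (m.group("user"), m.group("ip"))
        for line in log_text.splitlines()
        if (m := FAILED_RE.search(line))
    ]


def summarise(log_text, geo=IP_COUNTRY):
    """Compute the counts the article leads with: attempts, user names, countries."""
    failures = parse_failures(log_text)
    users = {u for u, _ in failures}
    countries = {geo.get(ip, "??") for _, ip in failures}
    return {
        "attempts": len(failures),
        "usernames": len(users),
        "countries": len(countries),
        "top_sources": Counter(ip for _, ip in failures).most_common(3),
    }


def successes_after_failures(log_text, min_failures=2):
    """Flag accepted logins from an IP that had at least min_failures prior failures.

    A success that follows a burst of failures from the same source is the
    signal that a brute force attack actually worked; that is what separates
    ordinary internet background noise from a reportable incident.
    """
    fails_by_ip = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        if (m := FAILED_RE.search(line)):
            fails_by_ip[m.group("ip")] += 1
        elif (m := ACCEPTED_RE.search(line)):
            ip = m.group("ip")
            if fails_by_ip[ip] >= min_failures:
                hits.append((m.group("user"), ip, fails_by_ip[ip]))
    return hits


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
    print(successes_after_failures(SAMPLE_LOG))
```

On the constructed sample this reports 7 attempts against 5 user names from 3 countries, and one success worth escalating: root logging in from 198.51.100.7 after two failures from that address. The failure count alone is a volume metric; the success-after-failure check is what an incident responder actually needs to act on.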
In what is a test case — a case with the potential to set a significant precedent — the Australian Securities & Investments Commission has begun proceedings against RI Advice Group.
ASIC alleges the company had deficient cyber security controls and, despite knowing of them and having many opportunities to remedy them, failed to do so.
As a result, sensitive client information allegedly was compromised multiple times across a four-year period.
The case is especially significant because it is ASIC, rather than the Office of the Australian Information Commissioner, that is bringing the action. It is a signpost for all organisations that the regulator is prepared to take tough enforcement measures in relation to cyber security responsibilities, and that this enforcement will have bite.
ASIC alleges that between 2017 and this year RI, an Australian Financial Services Licence holder that has almost 300 authorised representatives across Australia, experienced numerous serious cyber breaches across many of those representatives.
These included ransomware attacks, unauthorised remote server access resulting in clients’ personal information being compromised, and unauthorised access to and use of email accounts.
While several of the incidents described in the pleadings occurred from early 2017, the claims relate to the period from May 2018. From that time, ASIC alleges RI should have responded and remedied the multiple known incidents and issues but failed to do so.
Though this matter is before the courts and yet to be decided, all organisations that store and use personal information need to take notice. Failing to do so could be an expensive mistake.
Using, collecting and sharing sensitive personal information to carry out business transactions is a serious undertaking. While clients or customers may have no choice but to give personal information to complete a transaction, it is at that point that the organisation becomes the legal custodian of that data. And with that comes a duty of care: a duty to look after that data from the moment it is received to the moment it is securely destroyed.
As this year has clearly illustrated, there is a serious risk of personal information being stolen and misused. And while some data is still stolen the old-fashioned way, through theft of paper documents or screenshots, any personal information stored on a system connected to the internet is ripe for exploitation.
Theft of personal information by cyber criminals is not some fanciful event. The threat is not simply theoretical. In legal terms, such theft is reasonably foreseeable and, therefore, it is a known business risk that must be taken seriously and mitigated.
Taking cyber security seriously means taking all necessary measures (within the resources of the organisation) to handle, protect, store and share that data with the utmost care, protecting it from known threats. It also means organisations must not only react when they become aware of cyber incidents; they must actively manage cyber security risk and plan for this foreseeable event.
These threats are known and can wreak havoc on lives. Once data is stolen it can be used in many ways but, for most people, the great fear is that criminals will use it to steal identities, take out loans, rack up debts and leave a lasting impact.
While ASIC has chosen to rely on a financial-sector specific part of the Corporations Act to begin these proceedings, it is not a stretch to consider a general directors’ duties case could be brought. This would focus on “due skill and care” — mandated of directors — when it comes to overall management of cyber security risk and obligations to customers, shareholders and the market.
Last Friday the Australian Cyber Security Centre, with the Australian Federal Police and the Australian Criminal Intelligence Commission, released its unclassified annual cyber threat report. The report notes that across a 12-month period they responded to 2266 cyber security incidents and received 59,806 cyber crime reports. That is 164 cyber crime reports a day; one every 10 minutes.
This demonstrates cyber criminals are adaptable, go where the data is and, when a company is an easy target, they steal data and simply move to the next. It also demonstrates cyber crime is the only type of crime that has the potential to affect each of us in some way, even if it comes in the form of an obvious phishing attempt.
For boards, leadership teams and all businesses that expect customers to hand over personal information, a line is being drawn in the sand: handle it with utmost care, take reasonable steps to protect it at all times and, when there are issues, respond quickly.
It is not just good business; it is the law.