In November 2018, the Australian National University (ANU) suffered a massive data breach where up to 19 years of sensitive and personal data were obtained by an unknown hacker.
The ANU has said that the hack not only affected students and professionals in Canberra but that it had the potential to affect a number of high-ranking individuals across the globe. Many of the details as to the extent of the cyber-attack were not released to the public for almost a year.
Given the prominence of privacy breaches and identity theft in the digital age, many organisations have set up stringent cybersecurity controls to protect themselves. Many companies are investing in educational programs for their staff and teaching them how to deal with strange or suspicious-looking emails and not to send money to Nigerian princes.
Due to increased awareness of common scams and general media coverage of data security and privacy, most of us now recognise the usual tricks hackers use to try to steal our data. That being said, as technology advances, hackers keep finding new ways to gain access to an organisation’s data.
What occurred?
The ANU data breach began with an email sent to the mailbox of a senior member of staff. The staff member did not open the email; it was only previewed in the mailbox. The malicious content in the email did not require the recipient to click a link or download and open an attachment. This is referred to as an ‘interaction-less’ attack. A preview pane that renders HTML and fetches remote content is enough for an attack of this kind to succeed, which is why turning off automatic rendering of remote content in mail clients is a relevant control, not just a convenience setting.
Notification under the Privacy Act
At law, an organisation covered by the Privacy Act 1988 (Cth) that experiences an eligible data breach (one likely to result in serious harm to the individuals affected) must notify those individuals as well as the Australian Information Commissioner as soon as practicable. A failure to notify affected individuals of such a breach can be the subject of a complaint to the Commissioner. Serious or repeated breaches of the Privacy Act can give rise to significant civil penalties.
Lessons learned
ANU’s Incident Report stated that ANU needs to significantly broaden its investment in cyber-security under its forthcoming information security strategy. This will see stronger safeguards implemented in ANU’s mail gateways and spam filters. Most importantly, however, the report said that more effort is required to drive awareness and safer user behaviour across the University community.
Key takeaway
This unprecedented data breach is an important reminder for all businesses and organisations to take care of the personal information being collected and stored online.
Organisations must continually monitor and invest in their IT security, maintain a compliant Privacy Policy and understand their obligations under the Privacy Act. Above all, organisations should make sure their staff are fully aware of the risks and consequences of a data breach. Practical measures organisations can introduce are staff training, enforcing strong passwords and requiring two-factor authentication.
The fundamental message here is that cyber-security is not the sole responsibility of the Information Technology team – it is the responsibility of everyone across the organisation.
For more information on your organisation’s requirements under the Privacy Act, contact our office.
Contact us if you need help reviewing your current privacy policy and procedures.