Threat Of Identity Theft Looms As Business Cyber-Assaults Take New Form
20 February 2013
The ramping up of efforts by fraudsters to go after Australian businesses holding personal information could contribute to a greater risk of identity theft and subsequent credit fraud for Australian consumers, warns a consumer advocate for accurate credit reporting.
Yesterday, new Attorney-General Mark Dreyfus QC advised that recent national survey results for more than 250 major businesses show cyber-crime is becoming increasingly targeted and coordinated, with one in five businesses experiencing a cyber-crime incident in the last year.
Mr Dreyfus said that cyber assaults have shifted from being indiscriminate and random to being more coordinated and targeted for financial gain. Most occur from outside the business, although it appears internal risks are also significant. [i]
The 2012 Cyber Crime and Security Survey Report commissioned by CERT Australia and conducted by the Centre for Internet Safety at the University of Canberra revealed that most serious assaults involved the use of malicious software, theft or breach of private information and denial-of-service.
In one case, an organisation reported the theft of 15 years' worth of critical business data.
A third of instances involved the theft of notebooks, tablets or mobile devices.
CEO of MyCRA Credit Rating Repair, Graham Doessel says Australians should feel concerned about where their personal information could be exposed to potential company data breaches, as personal information has become a valuable commodity used to commit identity theft and potentially ruin the victim’s credit rating and their financial future.
“We can’t take lightly the possibility that any company that keeps data on its customers could be at risk of cyber-crime. Identity theft is becoming more prevalent, and personal information is lucrative for fraudsters,” Mr Doessel says.
Last week the Australian Taxation Office (ATO) announced the identities of four tax agents were stolen and used to fraudulently obtain AUSkeys giving access to specialist tax agent online services.
Whilst the ATO was able to contain the threat, and cancel the AUSkeys, it said in a statement to the media that doing business online has benefits, but also comes with risks.
“People looking to commit identity fraud constantly look for ways to profit so it is critical to remain vigilant regarding your personal information and online security,” the ATO statement said. [ii]
Mr Doessel says this instance is one of a long line of assaults on Australian businesses and government entities in recent years.
“Unfortunately it seems everywhere people turn one entity or another has been hacked – and it seems everyone with a computer is at risk. It is still extremely scary the level of risk people’s personal information undergoes these days when it is stored online,” he says.
Personal information in the wrong hands can lead not only to identity theft but also to credit fraud, which involves the use of the victim’s credit rating and can have significant long-term consequences.
“Basically, a lot of identity fraud is committed by piecing together enough personal information from different sources in order for criminals to take out credit in the victim’s name. Often victims don’t know about it right away – and that’s where their credit file can be compromised,” he says.
He says once the victim’s credit rating is damaged due to defaults from this ‘stolen’ credit, they are facing some difficult times repairing their credit rating in order to get their life back on track.
“These victims often can’t even get a mobile phone in their name. It need not be large-scale fraud to be a massive detriment to their financial future - defaults for as little as $100 will stop someone from getting a home loan,” he says.
Once an unpaid account goes to default stage, the account may be listed by the creditor as a default on a person’s credit file. Under current legislation, defaults remain on the credit file for a 5-year period.
“What is not widely known is how difficult restoring a credit file can be – even if the individual has been the victim of identity theft, there is no assurance the defaults can be removed from their credit file. The onus is on the victim to prove their case and provide copious amounts of documentary evidence,” he says.
Changes to the Privacy Act 1988 should help consumers collectively when businesses experience cyber-crime which leads to a data breach. [iii]
From March 2014, increased powers of the Privacy Commissioner will force organisations that experience a breach to do something about it. Previously, the Commissioner could investigate and make recommendations as to what the organisation should do, but it had no way of requiring the organisation to take action.
The Commissioner can also issue civil penalties to organisations that experience a breach and either fail to take reasonable steps to protect the information entrusted to them, or fail to adequately respond.
Mr Doessel says consumers need to be insisting that the companies who hold their personal information have adequate tools to prevent a data breach, but he says despite this, the changing nature of cyber-crime means it can be difficult to keep up with the technology of fraudsters.
“Despite our best efforts to keep our details safe, we don’t have control over the IT systems of the company which holds our information, so we have to place a lot of trust in them to stay one step ahead of fraudsters. With most organised crime gangs now placing identity theft on their repertoire, more damaging and more frequent assaults are probably imminent in the future,” Mr Doessel says.
He says as a matter of routine, consumers should check their bank and credit card statements thoroughly when they come in, and should also order a copy of their credit report regularly – which would indicate if their credit file had been misused.
Under current legislation a credit file report can be obtained at no cost every 12 months from the major credit reporting agencies Veda Advantage, Dun and Bradstreet and TASCOL (if in Tasmania) and is sent to the owner of the credit file within 10 working days.