Explainer

Experts warn Christmas data breaches like Medibank and Optus could continue

Olivia Ireland
Updated December 19 2022 - 3:43pm, first published 11:45am

The Optus and Medibank data breaches have dominated headlines as experts warn the festive holiday period could make things worse.

What are your rights in this space? How can you avoid your data being compromised? And what legal areas are changing or need to change?

Will Christmas likely see an increase in privacy breaches?

Unfortunately, it is looking like Christmas will cause an increase in data breaches.

Director of cyber intelligence and public policy at CyberCx, Katherine Mansted, described the recent "deluge of data breaches" as opportunities for criminals to cause further harm.

"The general conditions that we're operating in at the moment is there is a lot of people's personal information out there and unfortunately the impact of those data breaches doesn't stop when the media headlines do," she said.

Personal information about Australians is more available and Ms Mansted said criminals "will leverage data that they've already got from people" to scam for money, particularly during Christmas.

"What we've seen time and time again is criminals exploit the Christmas period and the holiday period when people are stressed, they're busy and they're off their guard, to engage in scams," she said.

"[It] will be turbocharged by all of that data that we've got out there at the moment ... data breaches are here to stay, they were happening long before we had the big name breaches.

Experts warn Christmas time could be riskier for data breaches. Picture Shutterstock

"Unfortunately when it comes down to Christmas time, you've got companies that are working on skeleton staff, often they're in a technology freeze so they're not updating systems as regularly as they might during other times of the year and that does heighten cyber security risk."

How can I keep myself safe from my data being breached? 

Although data breaches will inevitably continue, Ms Mansted said public understanding and the protection of personal information were something "we're getting better" at managing.

"We're getting more sceptical when it comes to receiving text messages or emails that try and bully or pressure us into paying someone or inputting our credentials," she said.

Putting multi-factor authentication onto personal accounts, avoiding default passwords and regularly reviewing security settings are some other recommendations.

"This is actually my personal action that I'll be doing, is using the downtime over the Christmas holiday to do a bit of a personal cyber hygiene check," Ms Mansted said.

"Sitting down and making sure that you don't have any passwords that are caught up in known breaches and your iPhone will actually run those tests for you and let you know, maybe transitioning to a password manager so you have good password practice."

Tom Worthington, an honorary senior lecturer in computer science at the Australian National University, said people should also avoid uploading too much of their own personal content.

"What people forget is they usually provide far more intimate stuff in their social media than they do in official company requests for information," he said.

"So before worrying about what some company might accidentally release of yours, think about what you're putting up yourself and think about not sharing it."

What responsibilities do companies have to keep data safe? 

A number of laws and policies are in place, with more expected to come, so that the collection of personal information by organisations is well managed.

Persia Navidi, partner in insurance, cyber and climate risk at Hicksons Lawyers, said companies have a range of obligations to ensure customers' information remains safe.

The Australian Privacy Principles under the Privacy Act detail "guidelines" and obligations for the security of personal information, which apply to all corporations except small businesses under $3 million annual revenue.

"For example, the entity needs to take action to ensure the security of personal information it holds and actively consider whether it's permitted to retain that personal information," Ms Navidi said.

"There are some guidelines there, however this is I think one of the areas that is going to be looked at more closely, particularly given everything that we've seen this year."

The Corporations Act is another piece of legislation, with a section requiring directors to discharge their duties with a degree of care and diligence, which "includes cyber risk".

"Based on all the information that we have today, cyber risk is certainly a risk that needs to be considered and managed properly and directors need to have enough of an understanding ... otherwise potentially they're not abiding by their duties," Ms Navidi said.

What more could the government do in the long term? 

There have been many moving pieces since the major Optus and Medibank data hacks. The Privacy Act was successfully amended on December 12 to increase the penalty for data breaches to a body corporate from $2.2 million to at least $50 million.

However, Ms Mansted said "that's not going to be the only thing we hear from the government, we're expecting quite significant privacy and data protection reforms in the new year".

"Corporate Australia needs to focus more on why they're collecting data, what the purpose is ... how they're going to secure it and then ultimately, when and if they need to delete that and move it off their systems," she said.

"I think that is a potential game changer for people's privacy and personal information."

When it comes to how the government could prosecute foreign hackers, Ms Navidi said it was "the million dollar question".

"It's the nature of cybercrime ... it's not physical and it's done behind the scenes and therefore makes it hard to identify where something's happening," she said.

"I think this is something that government will try and focus on."

Ms Navidi said "empowering the individual" was another key way to ensure further safety.

"Anyone who has a phone, which is effectively everyone, needs to be considering what their cyber security measures are and what their potential risks are," she said.

Olivia is a reporter for the Canberra Times. She has covered federal politics and public sector, court and crime, local news, arts, education and business. Olivia started as an intern in August 2021 and began her career with the Times after completing her studies in November 2021.