Having just talked about the necessity to protect client data by way of avoiding offshore loan processing centres, in this quick article we'll talk about the need to apply adequate security to your existing IT infrastructure to avoid penetration by offshore actors with malicious intent.
A mortgage company I founded back in 2005 and left permanently a few years ago (one of the highest-volume independents in Australia) has just experienced a data breach that potentially exposes every single former client to massive risk. And it could have been avoided.
While I'm not privy to the specific details, my former company's servers were hacked by offshore agents who encrypted all client files and then demanded a ransom for their return. The ransom, demanded in bitcoin, was paid, and the data was released. Targeted or otherwise, it was a typical ransomware attack that - as a result of weak IT systems - found them extremely vulnerable.
Ransomware is on the rise, and the perpetrators are increasingly directing their efforts at smaller businesses, which often fail to have suitable protection in place. The attacks are normally instigated via a standard hack of various systems, or delivered via a malware payload in email (if your business allows personal email access, this is often a likely source).
What irritates me about this particular case is that I made clear to the business involved, on no fewer than four occasions (dating back over two years), that their online security systems were grossly inadequate. In a couple of cases I read out their most recent client list with specific loan details as a means of illustrating their extremely poor data protection systems. On another occasion I hacked into their systems in front of their IT manager via my mobile phone and showed how easy it was to browse their server. Despite this very conclusive demonstration I was told that their services were 'secure'.
If a ransom is paid for the return of data (and in this case it was), we cannot assume that the situation is resolved. In many cases, more sophisticated crime syndicates will scrutinise business patterns for a number of months in order to intercept online transactions; they may issue false invoices through company systems, and they may continue to collect data until such time as the ransomware is used to terminate their fraudulent oversight. To presume that any stolen data won't be used for nefarious and other criminal purposes (as previously described) is absurd... and in the finance sector this presents a bigger problem than the thousands paid out to have data decrypted.
The implications of having data stolen or compromised are severe. Any breach requires a company to report their loss, at a minimum, to the Office of the Australian Information Commissioner (OAIC), the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA), the police (State, Federal, or both), the applicable aggregator or financial services provider, the ATO, and relevant state commissions. Last but not least, a full disclosure must be made to each individual whose data was compromised. In the banking sector, and for the end consumer, this is the financial equivalent of changing the locks on a new house, and the process poses significant burdens upon those affected.
The OAIC mandates that a breach be reported if all of the following apply:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
- this is likely to result in serious harm to one or more individuals, and
- the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action
Examples of harm include financial fraud (including unauthorised credit card transactions or credit fraud) and identity theft causing financial loss or emotional and psychological harm. This also applies where there is merely the potential for harm to take place. In the case where offshore criminals gain access to private information, one can only assume that they'll use whatever data they've obtained for additional criminal conduct.
The OAIC says the following about trust:
If an entity is perceived to be handling personal information contrary to community expectations, individuals may seek out alternative products and services.
An entity can reduce the reputational impact of a data breach by effectively minimising the risk of harm to affected individuals, and by demonstrating accountability in their data breach response. This involves being transparent when a data breach, which is likely to cause serious harm to affected individuals, occurs. Transparency enables individuals to take steps to reduce their risk of harm. It also demonstrates that an entity takes their responsibility to protect personal information seriously, which is integral to building and maintaining trust in an entity’s personal information handling capability.
Transparency about the breach, and timely reporting of it, are paramount (failure to do so leaves a business liable for civil prosecution). A data breach is not without criminal penalties - particularly if a vulnerability was known yet no action was taken. The Australian Privacy Principles (APPs, Privacy Act 1988) require that all reasonable steps be taken to protect any private information from unauthorised access; this is not merely general advice but a legislated responsibility. Failure of an APP entity to adequately manage business practices in full compliance with the Act might incur penalties exceeding $1.8 million.
Depending upon the circumstances, a massive and preventable data breach may impact upon your suitability to hold an Australian Credit Licence.
Steps To Take
At what point does an aggregator step in and mandate certain criteria for those operating under their compliance umbrella? Aggregators are very good at what they do (aggregating), but should they apply strict criteria for communication, marketing, storage, and how data is managed... and should they then audit such activities? Introduced in an era that predates modern digital solutions, aggregation is a necessary 'evil'; do we assign more control to them over how we manage our business? While I have strong opinions, I have no answer.
We still see brokers using free email services such as Gmail and Hotmail all the time; it's just one example of poor data management, and one reason why we almost always mandate a higher-level Office 365 or Exchange email service that has a good firewall and various virus protections in place. While we have Microsoft OneDrive systems in place for our own clients, we tend to use it as a transient means of transporting data rather than as permanent storage. However, we see brokers indiscriminately using Dropbox, Google Drive, and other free file-hosting services routinely without regard to security - often simply providing a publicly accessible link. In many cases we've found personal data online via a simple Google search... and some companies are known to store confidential backups in publicly accessible web directories. It's this very basic misuse of data that lends itself to the argument that aggregators should justify their fees and branch out into areas that actually matter.
The privacy and data implications of sharing marketing data with numerous third-party services are one of many reasons why we build and manage our services internally, and never support a fractionalised relationship with numerous third-party providers (the notion that you'll send your website traffic to a third-party website, for example, as detailed in ASIC's RG234, is utterly absurd and should always be avoided). In fact, we routinely watch as 'marketers' lead brokers down a path of indisputable non-compliance - both in their obligations under the Act and with regard to their poor and non-compliant advertising (and ASIC are watching - we recently had a broker come to us who had run into compliance issues after posting an advert to Facebook's Marketplace, as recommended by a very dodgy marketer).
A backup shouldn't rely upon a cloud-hosted or other server-based solution, since those are as likely to be hacked as internal IT infrastructure. While non-networked systems should always be used for backups, they don't absolve you of the damage done when systems are compromised... but they will mean that you'll have a clean copy of your data.