Is it time to accept that data breaches are becoming the norm and our data may never be truly secure?

In recent days, both Ticketek Australia and Ticketmaster have fallen victim to breaches that have exposed customer information to hackers. This adds to the growing list of high-profile data breaches that have jeopardized the privacy of millions of individuals.

For instance, in 2022, Optus reported a breach of 9.8 million records, while in 2023, Latitude, an Australian financial services firm, experienced a data breach affecting over 14 million records.

Even my own university, the Australian National University, suffered a data breach in 2018 that impacted 200,000 records. In 2024 alone, companies like Dan Murphy’s, Football Australia, Microsoft, Nissan, Dell, Roku, Suncorp, and Shell have all encountered breaches.

Despite advancements in technology and increased awareness of cybersecurity threats, organizations remain vulnerable to breaches.

It may seem like these breaches are becoming more frequent and that any company could be a potential target for a data breach. However, the situation is not as straightforward as it appears.

So what exactly happens in a data breach?

A data breach refers to unauthorized access or disclosure of sensitive or private information, such as customer identities, payment methods, account details, and purchase histories. Breaches can occur when cybercriminals exploit vulnerabilities in computer systems, networks, applications, or physical security to gain unauthorized access to protected data. They can also access data when it is accidentally made available outside the organization, such as through incorrectly addressed emails or lost USB memory sticks.

In Australia, there has been a relatively consistent rate of notifiable data breaches since 2020, with around 450 reported every six months according to the Office of the Australian Information Commissioner. While these figures are higher than when the notifiable data breach program began in 2018, it is important to note that this is partly due to organizations being required to disclose breaches. The more you actively look for breaches, the more you are likely to find them.

Although the number of data breaches may not be significantly increasing, the average cost and severity of these breaches have risen considerably. According to IBM, the average cost of a data breach was US$4.45 million (A$6.69 million), a 15% increase over three years. So, what is driving these increases?

The value of personal data is on the rise due to increased demand for targeted advertising and the growing importance of data-driven decision making. Many organizations, both legitimate and otherwise, want to gather more detailed information about individuals. The more comprehensive and accurate the data, the more valuable it becomes.

Stricter privacy regulations, such as the European Union’s General Data Protection Regulation (GDPR) and Australia’s Privacy Act, have compelled organizations to enhance their data management practices and security measures to protect user information and avoid costly fines. This has made it more challenging for cybercriminals to acquire large amounts of user data.

However, illicit markets for customer data are becoming more popular as anonymizing networks and tools become more user-friendly. Tools for selling data on the dark web have also advanced, enabling cybercriminals to collaborate and share information about sought-after data, potential targets, and new attack methods. Finding a buyer for stolen data has become much easier than it was in the past.

Nevertheless, larger companies are investing more in data protection and storage. Consulting firm Gartner reports that 87% of chief information officers in Australia and New Zealand plan to increase their cybersecurity budgets this year. As a result, data and cybersecurity practices are becoming more complex, requiring a higher level of skill for a malicious actor to successfully carry out an attack.

So, how can you protect your data in light of these frequent breaches?

While personal data continues to hold value, there will always be a market for it. It is crucial to practice good cybersecurity habits:

– Regularly review and delete inactive accounts, and monitor your accounts for any suspicious activity.
– Enable two-factor authentication (2FA) on your accounts and devices to receive prompts on your phone when someone tries to log in or transfer money.
– Be cautious about the personal information you share online, especially details like birthdays, birthplaces, and names of family members or pets, as these can be used to answer account recovery questions.
– Avoid clicking on suspicious email links, regardless of how harmless they may seem.
– Never provide sensitive information to unknown or unverified sources, particularly cold callers claiming you have a virus or are eligible for a refund. Authentic callers will be willing to provide an official number for you to call back.

Instead of focusing solely on how our data can be breached, it is essential to consider how organizations obtain our data in the first place. The best way to protect yourself online, whether it’s from data breaches or compromised accounts, is to guard your data closely. Your identity is valuable, so don’t give it away easily.