The latest national cyber attack, which has affected the data of more than 2 million Woolworths customers, proves what cyber experts have been warning for years: Australia is easy pickings for cyber criminals.
A shortage of specialist technical experts, who have often chased more interesting and better paying jobs overseas, is said to be partly responsible. But what the Optus and Woolworths data leaks have also highlighted is just how vulnerable Australians are, and how weak our laws are, when it comes to protection for consumers.
The latest cyber attack affects MyDeal.com.au, a wholly owned subsidiary of the Woolworths Group.
Over 2 million Australians exposed to risk of fraud and identity theft
According to the company, it suffered a number of targeted attacks which exposed data on its customer relationship management (CRM) system. It says this was identified on the same day.
The company claims that all customers affected – 2.2 million Australians – have now been contacted by email. If you have not received an email, then you have not been affected.
The compromised information includes names, birthdates, phone numbers and addresses. The company asserts that it does not store payment, driver licence or passport details.
But even so, it’s unnerving for those affected, particularly those who are also caught up in the Optus data breach, and the overriding concern is that users could be exposed to the risk of fraud offences resulting from the use of their data and theft of their identities.
Many other Australians, who have not been affected by either, will undoubtedly be sitting watching from the sidelines, increasingly nervous about which big company might be next.
Data sharing, data management and security issues
In the digital age, data has become like gold for businesses – and with more and more businesses conducting business online, customers have little choice but to hand over sensitive personal identifying information to make a simple transaction.
Companies are always looking for ways to partner up with other companies, to provide additional services and broaden their relationships with customers. This is a simple marketing and customer relationship building strategy, but it also means that companies take risks with customer data and, when they do so, need to ensure prudent management of that data, as well as its security and privacy.
Has the writing been on the wall?
In the case of Woolworths, customers have every right to be angry. Potential gaps in the company’s data security procedures and processes have been apparent for some time.
Last year, the company came under fire for the leak of more than $1m in Groupon shopping vouchers, resulting in fraudulent transactions that drained the cards of their value before their rightful owners could use them.
The leak occurred because redeemable codes for gift cards, offered by the online service Groupon, were accidentally emailed to more than 1,000 customers who had purchased the cards, valued at between AU$100 and AU$200.
The spreadsheet contained the customers’ names and email addresses as well as the voucher amount.
Previous security issues
At the time, Woolworths blamed the leak on a “technical fault,” which seemed to be a sufficient explanation to placate customers and authorities, although it is difficult to understand how a spreadsheet could be “accidentally” emailed out to a segment of the customer database.
Earlier this year Woolworths had to defend itself against claims of security breaches of user data in its Everyday Rewards loyalty program, after an increasing number of complaints from people saying they had received bogus offers via email and also had points stolen after having their Facebook accounts hacked.
At the time, the company said it believed that fraudsters were accessing Everyday Rewards login or account details from online scams and other sources. Customers also complained that they had to spend long waiting times on the phone trying to have the issue resolved by the Everyday Rewards team.
The Office of the Australian Information Commissioner (OAIC) has been notified of the data breach, and is now engaging with Woolworths to ensure that it complies with the Notifiable Data Breaches (NDB) scheme.
However, as the recent Optus breach blatantly pointed out, under the NDB scheme, compliance only means notifying customers and making recommendations about the steps affected customers should take in response to the data breach. By then, of course, the damage has been done and the potential for crimes such as identity theft and fraud is very real.
Holding companies to account
While some believe we should all take individual responsibility for our online activity, adopting a mindset of “user beware”, companies and organisations also need to be held to greater account for these data breaches, beyond simply notifying customers and suggesting remedial actions.
Optus and Woolworths are not the only companies to suffer data breaches – in recent times Government organisations have also been attacked, and global tech giant Facebook found itself in the middle of a massive data breach.
Facebook was subsequently fined 17 million euros, but perhaps the greatest damage done was to the company’s reputation: shares plummeted in value and users left the platform in droves.
In Australia, a class action against Optus is being considered, and other investigations are underway, but those consumers who want immediate recourse may need to consider taking action with their wallets and their feet … and simply stop doing business with these organisations.