Data breaches are on the rise, up 68% in a single year between Q4 2020 and Q4 2021. With the share of corporate data stored in the cloud growing by roughly 20% a year (from 50% in 2021 to 60% in 2022), the surge in data breaches will continue until organizations build better cybersecurity capabilities and information security practices.
While all customer data is sensitive, this threat looms larger for organizations that handle personally identifiable information (PII) and personally identifiable financial information (PIFI). For organizations in financial or healthcare services, data breaches expose their clients to greater dangers and are accordingly subject to more stringent regulations.
Highlighting the pressing nature of this ongoing threat, two weeks ago a telecommunications company in Australia suffered the largest and most potentially disastrous data breach in the country’s history.
What Happened During the Optus Data Breach?
On September 22, Optus, a subsidiary of Singapore Telecommunications Ltd, announced that the personal records of up to about 9.8 million current and former customers had been exfiltrated from the company's network. The records included names, birthdates, home addresses, and phone and email contacts; roughly 2.8 million of them also contained passport or driving licence numbers.
The only silver lining for Optus customers is that PIFI such as payment card and account details was not exposed.
Though Optus initially characterized the attack as highly sophisticated, subsequent disclosures, both from an anonymous person claiming responsibility and from cybersecurity experts, revealed that the data was pulled through an internet-exposed application programming interface (API) endpoint that required no authentication and performed no authorization check before returning customer records.
An open API fronting such a large volume of sensitive personal information shifts blame and culpability squarely back onto Optus IT management. Far from sophisticated, all that was required to reach the data was knowledge of the API's URL.
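As an added illustration (this is not Optus's code, and nothing here is drawn from what was disclosed about its systems), the following Python sketches a customer-lookup endpoint with no authentication or authorization beside a hardened version of the same handler. The customer records, the HMAC-signed bearer-token scheme and the sequential customer ids are all constructed assumptions; the page does not say Optus ids were predictable, and the enumeration loop is there only to show why a URL should never be the sole thing standing between the internet and a PII record.

```python
"""Open API vs. authenticated + authorized API (added example, hypothetical).

Request handling is modelled as plain functions that take a path and a
headers dict and return (status_code, body), so the example runs offline
without a web framework.
"""
import hashlib
import hmac

# Constructed sample records; names, dates and licence numbers are invented.
CUSTOMERS = {
    "1001": {"name": "A. Example", "dob": "1980-01-01", "licence": "DL-0001"},
    "1002": {"name": "B. Example", "dob": "1990-02-02", "licence": "DL-0002"},
}

# Hypothetical server-side signing key; in practice this comes from a secret store.
TOKEN_KEY = b"replace-with-a-random-key-from-a-secret-store"
PREFIX = "/api/customers/"


def vulnerable_get_customer(path, headers):
    """Insecure handler: whoever knows the URL pattern gets any record.

    No credential is checked, so the path itself is the only 'secret'. If
    the ids are sequential (an assumption here), they can simply be walked.
    """
    if not path.startswith(PREFIX):
        return 404, None
    record = CUSTOMERS.get(path[len(PREFIX):])
    return (200, record) if record else (404, None)


def issue_token(customer_id):
    """Mint a bearer token bound to one customer: '<id>.<hex HMAC-SHA256 tag>'."""
    tag = hmac.new(TOKEN_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{tag}"


def verify_token(token):
    """Return the customer id a token was issued for, or None if it is invalid."""
    if not token or "." not in token:
        return None
    customer_id, tag = token.rsplit(".", 1)
    expected = hmac.new(TOKEN_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    return customer_id if hmac.compare_digest(tag, expected) else None


def hardened_get_customer(path, headers):
    """Authenticate the caller, then authorize them for *this* record.

    Both steps are needed: authentication alone would still let any logged-in
    customer walk the id space and read everyone else's data.
    """
    if not path.startswith(PREFIX):
        return 404, None
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None          # no credential presented at all
    subject = verify_token(auth[len("Bearer "):])
    if subject is None:
        return 401, None          # forged, corrupted or expired token
    customer_id = path[len(PREFIX):]
    if customer_id != subject:
        return 403, None          # valid user, but not the owner of this record
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


def enumerate_records(handler, headers=None, id_range=range(1000, 1010)):
    """Simulate an attacker walking sequential ids; returns the ids that leaked."""
    headers = headers or {}
    leaked = []
    for n in id_range:
        status, body = handler(f"{PREFIX}{n}", headers)
        if status == 200 and body:
            leaked.append(str(n))
    return leaked


if __name__ == "__main__":
    print("open API leaks:       ", enumerate_records(vulnerable_get_customer))
    print("hardened, no token:   ", enumerate_records(hardened_get_customer))
    as_1001 = {"Authorization": "Bearer " + issue_token("1001")}
    print("hardened, as 1001:    ", enumerate_records(hardened_get_customer, as_1001))
```

The point of the two handlers side by side is the order of checks in the hardened one: reject before touching the data store, return 401 for a missing or bad credential and 403 for a valid credential that does not own the requested record, and never let the path alone decide what comes back.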
Long-Term Implications of the Breach
Optus customers whose data was breached face a heightened risk of identity fraud for as long as the identifiers in the records, such as driving licence and passport numbers, remain valid. As for Optus, national law firm Maurice Blackburn has already filed a representative complaint with the Office of the Australian Information Commissioner (OAIC). Because Australian privacy law requires companies to “take reasonable steps to protect personal information,” Optus could be on the hook for a substantial settlement.
Beyond the immediate consequences, this incident spotlights the variety of exposure vectors that lead to PII and PIFI. In most cases, users and customers are largely unaware of the vulnerabilities contained in the technologies and services they use every day.
Where Have You Shared PII and PIFI?
In all likelihood, you have shared sensitive personal information with dozens of companies and service providers, from banks and financial institutions to ecommerce platforms and streaming services. In each case, two factors determine the security of the exchange: the method of exchange and the security practices of the company receiving your information.
While online service providers typically collect account information directly on their own websites, financial institutions still conduct document-heavy processes like loan applications over email. If you have a home mortgage or have ever applied for a business loan, it is entirely likely that your inbox, and that of your loan officer, still holds multiple copies of your most sensitive PIFI.
The PIFI in your own inbox is only as secure as the credentials you maintain (including whether multi-factor authentication is enabled) and the devices you use to access your email account. As for your information sitting in business email accounts, its security depends on the practices the organization has in place for handling sensitive data.
With 83% of organizations reporting an email data breach in the last 12 months, you should reconsider using email to exchange PIFI in the future.
Re-Evaluating How Organizations Collect and Store PII and PIFI
In the contemporary threat landscape, email is a fundamentally insecure channel for exchanging sensitive data. Users may be careless with their credentials or shared devices. Organizations may have lax internal practices, raising the risk of accidental or malicious breaches. And email is not end-to-end encrypted by default: transport encryption between mail servers is opportunistic, and messages sit in plain text on every server and device along the way. End-to-end options such as S/MIME and PGP exist in most platforms, but few users take advantage of them.
Where additional legal consequences attach to data breaches, as in healthcare and financial services, the general trend in most countries is towards placing greater responsibility on the organization handling the data. The E.U.'s General Data Protection Regulation (GDPR) requires a lawful basis (informed consent being only one of the six it recognizes) for every processing of personal data, leaving organizations responsible for justifying each use of the data they hold.
In the US, the Federal Trade Commission (FTC) updated its Safeguards Rule to require many businesses to adopt significant new information security measures by June 9, 2023 (the original deadline of December 9, 2022 was extended by six months in November 2022).
In Australia, Cyber Security Minister Clare O'Neil has declared that the country is “probably a decade behind” in cybersecurity. While existing law may be sufficient to hold Optus responsible for reckless practices, organizations that handle PII and PIFI should take this incident as a lesson to retire vulnerable channels like email in favour of secure document portals. They should also establish strong internal PII policies that educate employees on the risks and impose consequences for bad practices.
When it's time to collect PII from your new clients and customers, you can rely on FileInvite's bank-grade security. Sign up for a trial here.