Australian data breaches: A brief discussion of cyber risk

In late September 2022, the database of one of Australia’s largest telecommunications providers was compromised by a cyber-attack.

Personal details of millions of Optus customers, including names, dates of birth and email addresses, were exposed in the incident. In particular, identity document details of just over a million of those customers were compromised.

This was clearly an incident of significant scale for Optus to wrestle with, one that involved post-mortem investigation, reassuring uneasy customers and limiting reputational damage. The breach also carried broader implications for Australian society, both for the companies holding personal customer data and for the customers who knowingly, or perhaps unknowingly, handed that data over.

One important avenue of discussion is the expected trend in Australian data breaches. This might be measured by the frequency of incidents, the number of customers affected, or the financial cost of prevention, detection and recovery. Measured by customer count, the Optus breach is surpassed among Australian incidents only by the Canva breach of mid-2019, in which nearly 140 million users of the Australian-based graphic design platform were affected.

One clear difference is that most Canva users were based outside Australia, whereas the Optus incident struck “closer to home” and, being more recent, attracted far stronger media attention.

At the same time, using incident frequency as the proverbial cyber storm gauge, the Australian Cyber Security Centre (ACSC) reported 13% annual growth in the number of cybercrime reports it received in each of the 2021 and 2022 financial years, although the same source reported a 7% annual decrease in the 2020 financial year. Report counts also reflect the public's willingness to report, not only the underlying rate of incidents, so year-to-year movements should be read with care. Nevertheless, the prevailing longer-term trend in cyber risk is assuredly one of increasing frequency and sophistication: a meaningful shift in climate rather than a passing turn of weather.

This raises the question of whether Australian businesses will be able to stay toe-to-toe with, or ideally several feet ahead of, malicious cyber actors and threats. The Australian Government has sought to set the example, in particular with its December 2022 announcement that it would develop the 2023-2030 Australian Cyber Security Strategy, a national framework with the stated aim of making Australia the most cyber-secure nation in the world by 2030.

In parallel, companies are well advised to adopt their own cyber risk management framework, which will naturally depend on their industry, size, complexity and business plan. Each company must assess the nature of its operations and its resulting exposure to cyber climate change, and then sensibly weigh the cost of investing in robust preventative and detective measures against the cost of being hacked, disrupted and potentially held to ransom.

An increasing number of companies have come to accept that a breach is a matter of “when” rather than “if”, even among larger companies that have numerous principles in place to minimise cyber risk. Such principles include:

  • Intertwining cyber risk management with the company’s overall risk management framework.
  • Encryption of sensitive data.
  • Incident logging.
  • Secure deletion of data that is no longer needed.
  • A strong, cyber-aware culture.

But what of customers, who often lack the visibility or the time to defend against attacks that are, all too often, opaque and unforeseen? Defensive strategies or not, it is perhaps inevitable that at some point in our lives we will be victimised by a malicious online actor, and we can only hope the damage will be relatively benign.

Some comfort can come from online tools, such as breach-notification services, that keep track of which companies hold one’s personal data and flag when that data turns up in a known breach. At a more basic level, awareness and education for current and future generations are invaluable for remaining “street-smart” in the cyber world.

The growth and evolution of the cyber world is exciting but it is also a source of anxiety for individuals, businesses and regulators. It promises opportunities for innovation, more convenient and customised experiences for customers, and the possibility of non-traditional data analytics and modelling projects for actuaries. At the same time, there is the ever-present danger of misuse by cyber criminals, mishandling by businesses and misunderstanding by consumers.

As technology develops, customers and companies will continue to interact with an increasingly sophisticated cyber world. An interesting example is the proposed next generation of the internet, the so-called metaverse. The metaverse is an interconnected set of virtual worlds accessible via a computer, a smartphone or, indeed, a VR or AR (virtual reality or augmented reality) headset. Only a science-fiction concept as recently as the 1990s, the metaverse reportedly now attracts 400 million active users worldwide per month. Like the current generation of the internet, it is open to all. However, it takes the creation of a digital self to a new level, allowing users to navigate online 3D environments for shopping, gaming, learning and much more.

As next-generation technologies and experiences like the metaverse draw us more deeply and more regularly into the cyber world, we become increasingly exposed to ‘sharing’ our data with malicious online actors, opening new avenues for being targeted and compromised. As companies compete over market share and customer satisfaction, investment in the latest technology is a tempting and understandable ‘must-have’.

As technology advances, a rational, prudent and joint approach to cyber risk management must be maintained. If we are to reap the benefits, we need top-down initiative from regulators, bottom-up awareness from customers and responsible management in between from companies.

Future data breaches might expose not just names but faces, a biometric that, unlike a password, cannot be reset once exposed, and might affect not just individual companies in Australia but whole industries on a global scale. Band-aid remedies such as clever marketing and one-off fines are short-term responses to the sustained problem that is cyber climate change.

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.