Not surprisingly, media reports of new and sophisticated cyber attacks remain commonplace. Here is a brief snapshot of a few recent data breaches, illustrating the wide variety of incidents that can occur:
- Mobile banking app malware: We have seen recent reports of banking customers being targeted by sophisticated malware designed for Android devices. The malware overlaid a fake version of the bank's login screen on customers' devices (the screen used to access account details through the bank's mobile application). Although the attack was reported not to have been massive in scale, it is an indication of the cyber threats to come. The malware was reported to have had the potential not only to capture the customer's username (or account number) and password, but also, where the bank application required an authentication token sent via SMS, the contents of that SMS, thereby potentially circumventing multi-factor authentication. A practical caveat follows from this: a one-time code delivered by SMS can only be as secure as the device receiving it, so an app running on the same device that can read incoming SMS defeats that second factor;
- LinkedIn breach: The well publicised LinkedIn security breach, in which LinkedIn suffered unauthorised access to, and disclosure of, some members' passwords, in fact occurred back in 2012. However, the breach received further airplay last month after LinkedIn became aware of additional data being released that was claimed to be email address and hashed password combinations for more than 100 million LinkedIn members, taken from the original 2012 incident. Although the passwords were hashed rather than stored in plain text, hashed passwords can still be cracked offline, which is why LinkedIn took steps to invalidate the passwords of all members who had not reset them since the 2012 breach and informed those members of the need to update their passwords. Although the breach was an international occurrence, given its impact on Australian members the Office of the Australian Information Commissioner (OAIC) was contacted recently in relation to the potential release of the additional data from the 2012 incident. In a statement released about the incident, the OAIC indicated that it was pleased to see LinkedIn notify its affected members, and took the opportunity to restate its encouragement of entities giving voluntary notification of data breaches; and
- Lost laptop: A perhaps less remarkable example of a data breach was a report of a university losing a laptop containing sensitive information. In order to receive 'support and academic adjustments', the university had required disabled students to disclose their medical condition or impairment, and that information was stored on the laptop in question. Although the laptop was password protected, the university acknowledged that this protection did not guarantee the security of the stored information. The point is worth noting: an operating system login password does not by itself protect data at rest, since the drive can simply be removed and read elsewhere; only full-disk encryption does that. The incident highlights that, in an environment of sophisticated cyber risks, old style physical security should not be overlooked.
This article was written by Andrew Miers, Partner, Matthew Hunter, Senior Associate and Patrick Byrne, Trainee Solicitor.