Data Breach Protection Guide for Australian Businesses

In 2022, cyber incidents in businesses and organizations worldwide have skyrocketed, with data breaches being one of the main concerns. Almost 109 million personal accounts and emails were compromised in Q3 2022 — a 70% increase compared to Q2.

Australia in particular has seen a significant rise in data breaches, especially in its financial services and healthcare sectors. The country's biggest health insurer, Medibank Private, recently reported a data breach in October that exposed the personal data and medical records of almost 10 million people.

Additionally, Optus, one of Australia’s largest telecommunications firms, suffered a cyber attack dubbed by experts as one of the worst data breaches in Australian history. The perpetrators demanded a ransom and exposed personal data like names, email addresses, and passport numbers of over 10 million customers.

Given these incidents, this guide explains how Australian businesses and organizations can better safeguard data, prevent data breaches, and improve their overall cybersecurity resilience. It also looks at the most important Australian cybersecurity measures, laws, and regulations that serve to protect customer data.

What Is a Data Breach and How Does It Occur?

A data breach is a cybersecurity incident in which sensitive data is unlawfully exploited, mishandled, exposed, or accessed by unauthorized parties. All individuals, organizations, and small or medium-sized businesses that collect, use, or store data can be affected by a data breach.

The exploited data often consists of financial information, company secrets, customer data, or sensitive data like PHI (protected health information) and PII (personally identifiable information). The most common attack methods or vectors include malware infections, ransomware attacks, denial-of-service attacks (DoS), spyware, and even stealing passwords via brute force attacks.

Additionally, third-party breaches, human error, employee negligence, improperly discarded hardware, software misconfigurations, as well as social engineering schemes like phishing can pose serious cybersecurity issues and can compromise sensitive data.

After a successful attack, criminals can sell the exfiltrated data on the dark web to other malicious actors, further facilitating cybercrimes like identity theft or fraud.

How Australian Businesses Can Protect Their Data and Prevent Data Breaches

For data protection, Australian businesses should use a combination of cybersecurity measures, best practices, and employee training, together with compliance with the laws, regulations, and guidelines mandated by the Australian government.

Here are the most important steps in safeguarding data for Australian businesses.

1. What is Considered an Eligible Data Breach?

Australian businesses should familiarize themselves with what constitutes a data breach because not all data breaches are necessarily a result of exploited vulnerabilities or cyber attacks. As long as unauthorized entities have accessed sensitive information, it can be considered a data breach.

Under Australian data security laws, an eligible data breach constitutes a loss, unauthorized access, or unauthorized disclosure of personal information that may cause “serious harm” to the data’s owner.

For example, allowing a third-party entity that has not followed best security practices or compliance standards to handle critical data is considered a data breach. Likewise, an employee losing a hard drive, USB stick, or laptop containing personal or company data can be regarded as a data breach.

What is Considered “Serious Harm”?

Australian businesses that hold, use, and store data must have a clear understanding of when a data breach involving personal information is likely to cause “serious harm.” Serious harm implies a significant negative privacy impact on the data owner, including financial loss or identity fraud.

It is strongly advised for all Australian businesses to see whether data transfers may result in serious harm that may constitute an eligible data breach.

2. Know When Your Data Has Been Breached

Australian businesses must implement network and activity monitoring strategies to know when they have suffered a data breach.

Staying informed on the latest data breaches in Australia is crucial, and companies should keep up to date through channels such as the ACSC's Alert Service and the data breaches page of the Office of the Australian Information Commissioner.

Small businesses and individuals may also use services like the Have I Been Pwned website to see whether their email addresses appear in known data breach lists.
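The activity monitoring the section above calls for needs concrete detection logic behind it. The following is an added example, not code from the original guide or from any product it mentions: it parses constructed application data-access log lines (in a simple "timestamp user action bytes" format assumed here) and flags any account whose transferred volume stands far above its peers, which is one of the earliest signals that data is being bulk-exported. The threshold values and the allowlist of known batch jobs are assumptions to be tuned per environment.

```python
"""Flag bulk data access in activity logs (added example, not from the guide).

The log lines below are constructed samples; the format, the threshold
factor and the allowlist are assumptions, not any vendor's product logic.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log: ISO timestamp, user, action, bytes transferred.
SAMPLE_LOG = """\
2022-10-12T09:01:10Z alice export_records 20480
2022-10-12T09:05:42Z bob view_record 2048
2022-10-12T09:07:03Z alice view_record 1024
2022-10-12T09:10:55Z carol export_records 30720
2022-10-12T09:12:30Z svc-backup export_records 734003200
2022-10-12T09:15:01Z svc-backup export_records 891289600
2022-10-12T09:18:19Z bob view_record 4096
"""


def parse_log(text):
    """Turn the whitespace-separated log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        events.append({"ts": ts, "user": user, "action": action, "bytes": int(nbytes)})
    return events


def bytes_per_user(events):
    """Aggregate transferred bytes per user over the whole log window."""
    totals = defaultdict(int)
    for event in events:
        totals[event["user"]] += event["bytes"]
    return dict(totals)


def flag_bulk_access(events, factor=50, floor=100 * 1024 * 1024, allowlist=()):
    """Return users whose total volume exceeds both an absolute floor and
    `factor` times the median volume of all users, excluding known batch
    jobs named in `allowlist`. Hits are candidates for review, not verdicts."""
    totals = bytes_per_user(events)
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted(
        user for user, total in totals.items()
        if user not in allowlist and total > floor and total > factor * baseline
    )


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for user, total in sorted(bytes_per_user(parsed).items()):
        print(f"{user:12s} {total:>12d} bytes")
    print("flagged for review:", flag_bulk_access(parsed))
```

The peer-relative threshold is deliberately paired with an absolute floor so that on a quiet day a single normal export is not flagged merely because everyone else did nothing; the allowlist exists because legitimate backup or ETL accounts will otherwise dominate every run, and reviewing them once is cheaper than ignoring the alert forever.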

3. Cybersecurity Measures Businesses Can Take to Prevent Data Breaches

To reduce and prevent data breaches, the ACSC (Australian Cyber Security Centre) advises Australian businesses to implement combined efforts of:

Listed below are the most important security controls and ongoing protection practices to prevent data breaches and other security incidents.

Install Anti-Malware/Antivirus Software

Installing antivirus or anti-malware software is one of the first steps in building a cybersecurity program. It can help prevent ransomware-related breaches as well as phishing- and spyware-related security breaches. Both types of software can automatically scan systems and computers, compare files against known viruses and malware, and quarantine matches if necessary. The software also has built-in tools to begin the malware removal process.

Read here to learn more about Australia’s Ransomware Action Plan.

Monitor for Risks and Vulnerabilities

Australian businesses should consider using tools that automatically scan for vulnerabilities and offer a cybersecurity rating for future reference, further enhancing their security posture. Continuous monitoring services like UpGuard BreachSight provide 24/7, around-the-clock monitoring for known security risks.

Implement Network Segmentation

Australian businesses should consider implementing segmented, password-protected Wi-Fi networks split into subnetworks. If a bad actor gains access to one network segment, segmentation significantly reduces the impact and spread of the attack.

Using segmented networks is a major part of attack surface management, and Australian businesses can benefit from a proper attack surface management solution for their type of business.

Update Software and Systems

Australian businesses must make sure that their operating systems, software, browsers, and plugins are up to date at all times. The WannaCry malware spread so easily in 2017 because attackers could readily exploit critical vulnerabilities in older, unpatched versions of the Windows operating system.

4. Configuration Management Against Data Leaks

Data breaches are not to be confused with data leaks, where the exposure of sensitive data is typically accidental and through human error. However, over 30% of Australia’s biggest companies had a data leak in 2021.

Cloud leaks are a common type of data leak in which storage at a cloud provider like AWS, Azure, or Google Cloud Platform (GCP) is improperly configured, often through poor S3 security. Configuration management, and the tools that support it, helps prevent such inconsistencies by identifying changes to the state of a system before they turn into data leaks.
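The two halves of the configuration management point above, an insecure S3 setting beside its corrected form and the detection of drift away from the approved state, can be shown in a few lines. The following is an added example, not code from the original guide or from any vendor it names: it audits constructed bucket configurations shaped like an S3 bucket policy plus the Public Access Block settings, without calling AWS. The bucket name, the account ID 123456789012 and the role name are placeholders.

```python
"""Audit S3-style bucket configuration for public exposure and drift.

Added example, not from the guide. The configurations are constructed
samples shaped like an S3 bucket policy and Public Access Block settings;
account ID, bucket and role names are placeholders. No AWS calls are made.
"""

# The four Public Access Block settings a hardened bucket should enable.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)

# Weak configuration (constructed): everything open, policy readable by anyone.
WEAK_BUCKET = {
    "Name": "customer-exports",
    "PublicAccessBlock": {key: False for key in PUBLIC_ACCESS_BLOCK_KEYS},
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
    }]},
}

# Hardened configuration (constructed): public access blocked, read limited
# to one application role in the (placeholder) account.
HARDENED_BUCKET = {
    "Name": "customer-exports",
    "PublicAccessBlock": {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS},
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*",
    }]},
}


def _as_list(value):
    """Policy fields such as Action and Principal may be a string or a list."""
    return value if isinstance(value, list) else [value]


def statement_is_public(statement):
    """True for an unconditional Allow whose principal is the wildcard."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    if "*" not in _as_list(principal):
        return False
    # A Condition (e.g. source VPC or IP) narrows the grant; only treat
    # unconditional wildcard grants as public here.
    return not statement.get("Condition")


def audit_bucket(config):
    """Return findings for one bucket; an empty list means nothing was flagged."""
    findings = []
    name = config["Name"]
    pab = config.get("PublicAccessBlock", {})
    for key in PUBLIC_ACCESS_BLOCK_KEYS:
        if not pab.get(key, False):
            findings.append(f"{name}: {key} is not enabled")
    for statement in config.get("Policy", {}).get("Statement", []):
        if statement_is_public(statement):
            actions = ", ".join(_as_list(statement.get("Action", [])))
            findings.append(f"{name}: policy grants {actions} to everyone without a Condition")
    return findings


def detect_drift(baseline, current):
    """List fields whose value differs from the approved baseline state."""
    changes = []
    for key in PUBLIC_ACCESS_BLOCK_KEYS:
        before = baseline.get("PublicAccessBlock", {}).get(key)
        after = current.get("PublicAccessBlock", {}).get(key)
        if before != after:
            changes.append(f"PublicAccessBlock.{key}: {before} -> {after}")
    if baseline.get("Policy") != current.get("Policy"):
        changes.append("Policy: statements differ from baseline")
    return changes


if __name__ == "__main__":
    for finding in audit_bucket(WEAK_BUCKET):
        print("finding:", finding)
    print("hardened findings:", audit_bucket(HARDENED_BUCKET))
    for change in detect_drift(HARDENED_BUCKET, WEAK_BUCKET):
        print("drift:", change)
```

Running the audit on its own catches a bucket that was born public; running the drift check against a stored baseline catches the more common case where a bucket was hardened once and later loosened by a change nobody reviewed.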

5. Cybersecurity Training and Education for Employees

To avoid common incidents stemming from employee negligence and malpractice that may facilitate a data breach, Australian businesses should provide proper security training for staff and employees.

General cybersecurity awareness training and best practices should include the following:

6. Data Breach Response Plan

The importance of a proper data breach response plan cannot be emphasized enough, especially when data breaches occur. A data breach response plan helps companies identify, contain, assess, and remedy the impact of a potential data breach, as well as notify all affected entities and the relevant authorities.

If in doubt, it is generally better to report unnecessarily than to hold off on reporting. For example, the Sony PlayStation Network data breach had no credit card fraud identified but was penalized with significant fines for the seven-day delay in notifying customers.

Australian companies must have a comprehensive data breach response plan that complies with Australian regulatory requirements, including the NDB (Notifiable Data Breaches) scheme and the GDPR. More on that later.

7. Vendor Monitoring Tools / Third & Fourth-Party Data Breach Prevention

Most Australian businesses outsource their operations via other suppliers that, in turn, outsource their own operations to third-party suppliers, which may facilitate data breaches related to third-party risks and fourth-party risks.

To prevent this, businesses must consider vendor risk management and third-party risk management as comprehensive plans and programs to identify and mitigate possible data compromises, legal liabilities, and reputational impacts from third-party and fourth-party risks. A vendor monitoring tool can help monitor and identify vendor risks.

8. The OAIC Guide to Securing Personal Information

Finally, all Australian businesses should refer to the OAIC (Office of the Australian Information Commissioner) guide for protecting personal data. This guide includes all the important requirements of the Privacy Act 1988 that businesses should follow.

This includes protecting the personal information companies hold from misuse, interference, loss, unauthorized access, modification, or disclosure. It also includes guidance on how to destroy or de-identify personal information once it is no longer needed (unless an exception applies). Even if your company does suffer a data breach, following the OAIC guide can help prevent significant fines.

Click here for more information about preventing data breaches on the Australian Cyber Security Centre.

Australian Cyber Security Laws and Regulations That Help With Data Protection

Aside from relying on security measures, practices, and internal controls, Australian businesses are strongly advised to adhere to Australian data protection laws, guidelines, and regulations to help with preventing data breaches and avoiding severe penalties for non-compliance.

The Australian government has been hard at work in efforts to reform and revise national cyber security regulatory standards, cybersecurity frameworks, and regulations that help industries strengthen their security, similar to the US.

Data privacy and cybersecurity in Australia are principally regulated through a combination of federal, state, and territory laws like the federal Privacy Act 1988 (Cth) (Privacy Act), the APPs (Australian Privacy Principles) within the Privacy Act, as well as the European GDPR.

Some of these laws aren’t mandatory for all Australian businesses but do well in enhancing the businesses’ cyber security resilience, especially when ransomware is in question.

The Privacy Act 1988

The Privacy Act 1988 regulates personal information and data that are collected, stored, disclosed, and handled by private sector entities and federal government agencies (except state agencies).

The Privacy Act does not cover Australian companies with a turnover of less than 3 million AUD unless they are a:

  • Private sector health services provider
  • Business that sells or purchases personal information
  • Partnerships, trusts, and unincorporated associations
  • Credit reporting entities like credit providers and other entities that handle credit card information
  • Commonwealth Government and Australian Capital Territory Government agencies
  • Contracted Commonwealth service provider for a federal government agency

Read here to see which data protection legislations are relevant to which Australian states and territories.

Australia’s New NDB (Notifiable Data Breaches Scheme)

As of 22 February 2018, Australia’s new Data Breach Notification laws have come into effect, requiring businesses under the Privacy Act 1988 to promptly notify the OAIC (Office of the Australian Information Commissioner) of an eligible data breach that involves tax file numbers or personal information that may pose a risk of serious harm.

The scheme is mandated by data breach notification laws like the European Union General Data Protection Regulations (GDPR), and it focuses more on privacy rather than security.

The Data Breach Notification Scheme applies to companies and organizations under the Privacy Act 1988. This includes government agencies and businesses with an annual turnover of over AUD 3 million in any financial year since 2022.

Read this checklist from the OAIC to learn if your organization falls into these categories.

Data Breach Response Plan

The Notifiable Data Breaches Scheme requires businesses to implement a data breach response plan to minimize the potential impact of a data breach and help companies respond more quickly in the future.

The data breach response plan covers four key points for the IT staff and employees:

  • Isolate breached systems
  • Audit and investigate the incident to determine which data was compromised
  • Remediate the breach and recover data if possible
  • Inform affected individuals

Businesses also need to complete a review of the data breach to consider long-term action against future incidents. The NDB laws also require businesses to have a cyber insurance policy implemented that plays a major part in funding the requirements for a Data Breach Response Plan.

Read the OAIC’s guide for developing a data breach response plan.

GDPR (General Data Protection Regulation) For Australian Businesses

The EU-GDPR (European Union General Data Protection Regulation) is the EU’s primary legislation for harmonizing their data privacy laws and offering privacy protections for EU businesses and individuals.

While the GDPR is a European regulation, it applies to all businesses that offer goods and online services to European citizens, including Australia. These are also called the “Australian Privacy Principles (APP).”

Both the GDPR and the Australian Privacy Act 1988 share legislative similarities, like requiring businesses to implement a “privacy-by-design” approach to data privacy compliance, as well as complying with privacy principles and data protection obligations.

To meet these requirements, Australian businesses are mandated to:

  • Minimize personal data processing
  • Properly encrypt and pseudonymize personal data
  • Show transparency when handling personal data
  • Allow individuals to monitor the processing of their data
  • Create, improve, and replace suitable data protection features for their business

In a collaborative process with the Notifiable Data Breaches Scheme, the GDPR obliges Australian businesses to report data breaches to the OAIC within 72 hours of noticing the breach. Additionally, the data controllers must inform all affected of the data breach.

Which Australian Businesses Does the GDPR Apply To?

The GDPR covers all Australian data controllers and data processors covered by the Privacy Act 1988 that have a website that uses cookies, or that targets or mentions EU customers.

This includes Australian businesses that have an office in the EU; for example, Australian businesses with websites that enable trading goods and services in any European language or by enabling payment in euros.

Read here to understand the complete requirements for Australian businesses’ GDPR compliance.

What Are the Penalties for GDPR Non-Compliance?

Australian organizations that fail to comply with the regulation may face significant fines of up to 4% of their annual global turnover or up to €20 million, whichever is greater.

Read here to learn more about meeting the third-party risk requirements of the GDPR.
