Whilst watching the opening match of the 2023 AFL season, I noticed with some concern that the guernsey naming sponsor of the Richmond Tigers was Latitude Financial Services. I hoped that their defenders wouldn’t give the opposition too much latitude in the forward line. In light of the data breach via the cyber-attack on this company, I hoped this would not be an unfortunate omen. When it comes to financial data security, there is still much possible latitude for cyber criminals. This is the third large data breach by cyber criminals on Australian companies or their Australian operations in a short space of time. Optus, the telecommunication corporation, was first, and Medibank Private followed shortly after. Latitude Financial Services, formerly GE Money, is the first major finance company to suffer a major hack on their Australian customers’ data.
“Latitude Financial has become the latest major Australian company to be hit by a cyber attack, announcing that personal data of almost 330,000 customers had been stolen. The hack follows those of Medibank and Optus in October last year, exposing the data of 9.7 million and 2 million Australians respectively.”
– ABC News
“Do we read the tea leaves into these massive data breaches and come up with a reading that tells us that our personal data is no longer safe? That the digital space is leaking like a sieve and the whole system is unable to protect our security going forward? These cyber attacks are happening all over the globe. Australian businesses are not alone in being penetrated by malicious criminals.”
– 7 News
Who Is Latitude Financial Services?
Latitude was formed out of General Electric. LatitudePay was a buy now pay later service provided by the company. CreditLine, Latitude Go Mastercard, and Latitude Gem Visa are other products offered by the company through its partnerships with Apple, Harvey Norman, JB HiFi, and The Good Guys. The hack occurred through backend digital platform infrastructure. Hackers accessed login credentials through this backdoor.
What Personal Data Got Stolen From Latitude?
Driver’s licence information predominantly makes up the 103,000 ID documents stolen. Around 225,000 customer records were additionally illegally accessed by the hackers who broke into Latitude. The company has 2.8 million current customers in Australia.
Cybersecurity experts agree that with a copy of your driver’s licence a criminal can obtain credit in your name. The importance of this piece of ID opens doors for fraud to be committed in your name. Loans, credit cards, and purchases can all be enjoyed at your expense. If reading this worries you, take action and get a free copy of your consumer credit report to ensure that you have not already been hacked and defrauded.
Too Much Personal Data Held By Australian Companies & Institutions
The onerous demands for financial and personal data that Australian businesses and institutions place upon their customers and applicants create the honeypot for cyber criminals. The fact that these businesses hang onto this information makes it a major vulnerability in the digital sphere. Companies consider this data to be golden and do not intend to give it up willingly. Unfortunately, there are many holes in the digital edifices constructed by companies and institutions doing business in the 21st century. It is fair to say that many companies have not invested nearly enough in the security and protection of their digital operations in Australia and elsewhere. Outsourced data entry, SEO, content management, digital merchandising, social media management, and a myriad of other necessary services can all provide backdoor portals into the main entity via third parties. As we have seen with Latitude, once a hacker has the login details, the honeypot of golden data can be opened up like a waiting flower for a busy bee.
“Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire; it wafts across the electrified borders.”
– Ronald Reagan
Do Yourself A Favour & Research How Things Work In The Digital Realm
The great majority of Australians have little idea about how the internet and world wide web work. It is like many of our modern conveniences, such as smartphones and computers: we enjoy their applications but have no idea how they actually function. This ignorance makes us particularly susceptible to the dangers inherent within digital technology. Hackers and coders share a sneering contempt for all of us who blindly use these things and then complain when we do some really dumb stuff that costs us, like responding to phishing. If you want to increase your digital security, make it a point to learn something about how these things work. Take responsibility for doing business online. Make it your business to learn something useful every day.
Home Affairs Minister Says It Was Bloody Useless!
“That law was bloody useless, not worth the ink printed on the paper when it came to actually using it in a cyber incident. It was poorly drafted.”
– Jake Evans, ABC News, 27 Feb 2023
Clare O’Neil did not mince words when describing the legislative efforts of the former Coalition government in the cybersecurity space. It is tradition to blame the other mob when coming into government, of course. However, this does indicate how unprepared Australia and much of the world are to deal with the new reality of cyber crime targeting our dependence upon the digital realm. Rivers of gold are accessible and the bad actors do not even have to leave home. The world wide web and its dependence on coding makes it forever vulnerable to hackers everywhere. The price of convenience is its susceptibility to hackers in the criminal hotspots turning their attentions to our assets. Our financial data security: Too much latitude for cyber criminals targeting downunder. The Australian government has increased the fine for the hacked entities up to $50 million if found to be at fault.
“The attorney general, Mark Dreyfus, who has had cybercrime added to his portfolio, will introduce the legislation that would increase penalties for serious or repeated data breaches from $2.2m to whatever is higher; $50m, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.”
– Amy Remeikis, The Guardian, 22 Oct 2022
Cyber Security Tips For Protecting Your Business
“Back up your data.
Secure your devices and network.
Encrypt important information.
Ensure you use multi-factor authentication (MFA)
Manage passphrases.
Put policies in place to guide your staff.
Train your staff to be safe online.
Protect your customers.”
– Business.gov.au
“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organizations often process a lot of personal data, and the reputation and liability risks are just as real.”
– Elizabeth Denham
A lot of Australian businesses went digital during the global pandemic. Lockdowns and border closures were catalysts to get many more companies and sole traders operating online. Being new to this environment has meant that they have made a lot of rookie mistakes when it comes to things like cyber security. In the Latitude data hack we have seen a backroom entity being breached, a smaller business that Latitude outsources some digital function to, and this operation was penetrated by the cyber criminals to get their login details for Latitude Financial Services. Thus, you can see the multi-faceted responsibilities that all companies must stringently adhere to in running a secure operation in the current climate. It is not enough to secure your direct digital presence and staff; it is also required to extend vigilance up and down the chains of production. Third party feeder businesses must be secured if you are going to do business with them. Cyber security is a much more complex and onerous task than previously realised by many Australians. ‘She’ll be right mate’ won’t cut it anymore in this brave new world.
What Is the Government Doing About Cyber Attacks?
“To date, the government has not named the individuals it believes responsible for the “totally reprehensible” publication of sensitive health information taken from Medibank, understood to include procedures claimed by policyholders related to the termination of pregnancy and miscarriages.
But the Australian federal police commissioner, Reece Kershaw, has said he is in possession of intelligence that hackers in Russia were responsible for the Medibank data breach. “To the criminals – we know who you are,” he said in November.”
– Daniel Hurst, The Guardian, 15 Dec 2022
There are murmurings about applying Magnitsky-style sanctions on individuals identified by DFAT to be responsible for cyber-attacks like Latitude, Optus, and Medibank. These involve asset freezing and travel bans wherever applicable. Sanctions on Russians are becoming more popular as the war in Ukraine continues into another year. Iran and China have also been identified as state sponsors of cyber criminal activities occurring out of their territories.
“Amateurs hack systems, professionals hack people.”
– Bruce Schneier
Pig Butchering: Online Scamming S.E. Asian Style
Cambodia has been revealed by investigative journalists as home to enslaved scammers. A BBC report showed a compound owned by a wealthy Cambodian businessman and hotelier, where lured individuals are locked up and forced to scam westerners via phone and the internet. These largely young and Asian individuals are lured by supposedly lucrative job offers to the compound and then held against their will. Forced to scam for up to 10 hours per day, they must earn illegal funds for their captor.
“Chi Tin from Vietnam told the BBC he had to pose as a woman and befriend strangers online.
“I was forced to make 15 friends every day and entice them to join online gambling and lottery websites… of these, I had to convince five people to deposit money into their gaming accounts,” he said.
“The manager told me to work obediently, not to try to escape or resist or I will be taken to the torture room… Many others told me if they did not meet the target, they would be starved and beaten.””
– BBC News
Now we in the West are in the invidious position of not even being able to righteously despise the scammers who take our money. We have to feel sorry for them because they are victims too. Obviously, not all scammers are in this terrible situation. Perhaps we should ask them during our grooming, “Excuse me, sorry to interrupt your patter, but on the off chance that you are a scammer, could you please clarify your status within the scamming community?” Stunned silence on the other end, for a moment or two, until normal service is resumed. Yes, of course I will transfer hundreds of thousands of dollars to this bank account on your advice. Wake up Australia, if it sounds too good to be true, it bloody well is! Don’t take investment advice via online sources if you want to hang onto your money. These scammers are very sophisticated now, with credible websites and local phone numbers. The default position must be extreme scepticism across the board.
These scammer compounds for enslaved operatives are located in many South East Asian countries like Vietnam, Malaysia, Taiwan, Hong Kong, Thailand, and Myanmar. Wherever there are lax and corrupt regimes you will find operations like this running. It is all part of the digitalisation of organised crime. Criminals have turned their main focus to the internet and its porous nature. They call this scamming by the evocative title of ‘pig butchering’ – you and I are the pigs, by the way.
“Last month, Thai authorities arrested She Zhijiang, a Chinese businessman with investments across South East Asia, including a billion-dollar casino and tourism complex in Myanmar called Shwe Kokko. He was wanted by Interpol, which described him as the head of a criminal gang that ran illegal gambling operations in the region. Multiple victims have alleged they were trafficked, imprisoned and brutalised in Mr She’s complex, known by its nickname “KK Park”.”
– BBC News, 21 Sept 2022
Rich individuals, especially billionaires, are accorded a great deal of respect on the basis of their wealth. This happens all over the world, Australia and America included. It is a timely reminder that more scrutiny is required into how individuals make and maintain their extreme wealth. Donald Trump is a known liar, cheat, and very soon may finally be prosecuted for some of the crimes he has allegedly committed. The amassing of inordinate amounts of wealth is not something to be admired, rather it is, in my view, a failure of our societies and economic systems. How can individuals with excessive wealth honestly and fairly coexist with millions of people living in poverty?
The Superannuation Situation in Australia
Very recently, a decision was made by the newish Albanese government to halve the generous tax breaks for Australians with more than $3 million in their super fund. This will not come into effect until after the current term of office for this federal government and will not be retrospective in any way.
“Currently, earnings from superannuation in the accumulation phase are taxed at a concessional rate of up to 15 per cent. This will continue for all superannuation accounts with balances below $3 million. From 2025-26, the concessional tax rate applied to future earnings for balances above $3 million will be 30 per cent. This is expected to apply to around 80,000 people, and they will continue to benefit from more generous tax breaks on earnings from the $3 million below the threshold.”
– Treasury.gov.au
Despite this, we heard a cavalcade of cries from the Opposition that this was an attack on the wealth of ordinary Australians. They were hoping to ignite a similarly successful scare campaign, as they did over the proposed removal of franking credits for self-managed super funds in the lead up to the 2019 federal election. However, multimillionaires during a cost of living crisis have not proven to be quite so popular in 2023. Superannuation was designed by the Hawke/Keating government to provide dignified retirements for ordinary Australians and not as tax havens for super wealthy Australians. It has been used as an economic football by successive governments since John Howard was Prime Minister.
Super Funds Are Super Cyber Targets
The Australian Prudential Regulation Authority has warned super funds of the need to increase their focus on cybersecurity protections. The Australian superannuation funds are valued at $3.3 trillion and must be a mouth-watering target for organised crime and hackers.
“Our intention is that the vast majority, if not all, of the APRA-regulated super funds will be assessed this year, and we do intend to share thematic findings from this work.” She added that boards’ cyber capabilities would also be scrutinised as part of a broader move to “improve the quality of governance across the super sector”.
– Australian Prudential Regulation Authority general manager of superannuation Katrina Ellis in Hannah Wootton, AFR, 22 Feb 2023
Skin Cancer Study Unpublicised Data Breach Exposed
QSKIN study hacked in cyber-attack breach on personal medical data: QIMR Berghofer, which is a medical research institute located in Brisbane, was hacked in 2022 via servers containing the sensitive data. In Australia, there is no legal requirement for companies to disclose, to the public, data breaches. The information illegally accessed likely involved names, addresses, and Medicare numbers of around 1,000 people. The servers, which were the portal for this cyber-attack, are owned and operated by the technology company Datatime.
– Danny Tran, ABC News, 20 March 2023
“Notifiable Data Breach (NDB) scheme
The NDB scheme applies to all entities with existing personal information security obligations under the Privacy Act. The NDB scheme requires entities to notify affected individuals and the Australian Information Commissioner (Commissioner), in the event of an ‘eligible data breach’.
A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates. Entities must conduct a prompt and reasonable assessment if they suspect that they may have experienced an eligible data breach.”
– OAIC.gov.au
What You Can Do To Investigate & Protect Your Own Financial Data
Check your mail for letters, statements, and bills in your name that do not comply with your own understanding of your financial affairs. Carefully examine your bank statements and transaction records for unauthorised activity. Immediately request free copies of your consumer credit file from the 3 credit bureaus.
Illion Ph. 1300 734 806
Experian Ph. 1300 783 684
Equifax Ph. 138 332
You are entitled to request a free copy from each agency every 90 days and upon any unsuccessful application for credit from a lender. It is important to check and recheck every detail in your credit report. If there are incorrect listings, you can request that any mistakes be corrected. Your credit file must be an exact and true account of your financial activity, as it pertains to the accessing of consumer credit. You can get help from specialist consumer credit lawyers if unsure what to look for in your consumer credit file. It pays to know what you are looking for and expert advice can make a world of difference. The only changes which can be legally made to your credit report are due to this process of correcting errors.
There are No Win No Fee credit repair lawyers such as ourselves who work in this field.
If you find fraudulent activity listed on your credit file, contact the listed lender and inform them of your situation. Contact your local police and report the crime. In addition, contact the Australian Cyber Security Centre and report the cyber crime.
Credit Repair
Restoring your credit worthiness can be achieved after identity crimes and fraudulent activity carried out illegally in your name. Sometimes this can take longer than victims would like. It often requires patience and diligent determination to overturn wrongs done in your name. Legal advice and assistance are available for those experiencing difficulties.
Credit repair can be achieved for those wishing to restore their credit worthiness on the basis of their own financial behaviour. A bad credit rating does not last forever if the recipient is willing to tread the path of fiscal responsibility and seeks redemption. There are no quick fixes in these instances. Communication with all lenders and making payments on time are the keys to getting your financial reputation and credibility back. Companies promising quick and easy credit repair are full of BS. In many cases, these businesses are exploiting those in financial trouble and charge fees above and beyond what is necessary.
We are living during a time of increased cyber-criminal activity reaching into the lives of ordinary Australians. There are no easy solutions to this problem, as it is a built-in by-product of the internet infrastructure. Australian businesses and institutions are going to have to change their behaviours around the keeping and securing of personal and financial data. Individual Australians are also going to have to up the ante with their own security around online behaviour. Our financial data security, and the latitude available for cyber criminals, must be addressed by governments and businesses in Australia and indeed around the world.
References
ABC News, Latitude Financial is the latest big company to announce a cyber attack that exposed customer data. This is what we know so far, 16th March 2023, Viewed 19th March 2023.
BBC News, Cambodia scams: Lured and trapped into slavery in South East Asia, 21st September 2022, Viewed 19th March 2023.
Business, Protect your business from cyber threats, Aust Gov, 7 March 2023, Viewed 18th March 2023.
Evans Jake, Federal government to rewrite cyber laws after Optus, Medibank hacks, ABC News, 27 February 2023, Viewed 19th March 2023.
Hurst Daniel, Russian Medibank hackers could be first targets of Australian sanctions against cyber-attackers, The Guardian, 15th December 2022, Viewed 19th March 2023.
Jones Stephen, Superannuation tax breaks, Ministers Treasury portfolio, 28th February 2023, Viewed 19th March 2023.
Remeikis Amy, Australian companies to face fines of $50m for data breaches, The Guardian, 22 October 2022, Viewed 18th March 2023.
Wootton Hannah, APRA warns super funds and trustees of cyber risk crackdown, AFR, 22nd February 2023, Viewed 19th March 2023.