When is a breach not a breach?

A failure to recognise the importance of long-term data protection exposes a deeper ignorance about the principles of best-practice cyber-security. Worse, it runs the risk of individuals failing to meet their corporate duty of care.

Cyber-criminals possess sophisticated big data analytics, amongst other advanced IT resources. Despite claims to the contrary, it’s naive to assume that any stolen “siloed” data set cannot be cross-referenced with other stolen data to create a usable data profile that can be exploited to the detriment of customers and account holders.

Just because there is no immediate evidence of corrupt or harmful activity, it doesn’t mean customers or account holders aren’t susceptible to longer-term harm. The reality of this situation is not lost on responsible data controllers and law makers, who have called for data to be protected by “strong and effective” encryption.

However, revelations of a potential breach of unencrypted data in the Australian banking sector, and defensive comments made by its management when the breach was made public, sound a warning that too many large organisations still do not take data security seriously enough.

Earlier this month, ABC political reporter Jane Norman and business reporter Michael Janda revealed that the Commonwealth Bank of Australia had confirmed it “lost” the financial statements of 20 million accounts, though it insisted account security itself had not been compromised as the data did not contain passwords or PINs.

The data in question had been stored on two magnetic tapes that should have been destroyed by a third party following the decommissioning of a data centre. The CBA believes the tapes were destroyed, but it cannot be sure, as there is no record of the event.

The incident is covered in full by an article published on the ABC news website.

A “forensic” investigation into the data breach was ordered, but customers were not notified of the breach until the story was published by BuzzFeed. When asked to comment, the CBA acknowledged the incident was unacceptable but defended its decision not to tell customers.

After discussing the situation behind closed doors with the OAIC in 2016, the CBA decided that no further action was to be taken. In a statement delivered by Acting Head of Retail Banking, Angus O’Sullivan, the CBA apologised for any inconvenience or worry caused by the incident but, when pressed on the decision not to notify customers, said “When incidents like these are shared more broadly, they create risks in and of themselves… When we look back now, the decision that was made at the time has probably been borne out to be a good decision in as much that the data hasn’t turned into fraudulent activity”.

Since the story broke there has been further fallout. The OAIC has been back in touch with the Commonwealth Bank, and the Australian Prudential Regulation Authority (APRA) has issued a damning report criticising the CBA’s poor governance and risk management culture.

The journalists go on to ask a number of questions concerning the breach, but at no point do they ask whether the data was encrypted. In today’s enlightened breach environment, failure to encrypt sensitive data, whether in motion or at rest, goes beyond poor risk management.

Of course, had the breach occurred this year, things would have been different. Under the new notifiable breach regulations there would have been no question of keeping the incident quiet, unless the data was encrypted, in which case it may not have qualified as a notifiable breach at all.

The Australian Notifiable Data Breach scheme, like the EU’s GDPR, calls for data to be protected using “strong and effective” encryption. Although the regulations do not stipulate what constitutes “strong and effective”, it is worth remembering that not all encryption solutions offer the same degree of data protection.

Do not fall into the trap of opting for a low-assurance encryption solution in the hope that it allows you to tick one of the compliance boxes for GDPR. To offer robust, high-assurance data protection, your encryption solution should be built on dedicated, tamper-proof hardware. It should offer authenticated, end-to-end encryption and secure, client-side encryption key management. Finally, it should use standards-based encryption algorithms (such as AES 256-bit) and should be certified by government-recognised independent testing authorities.
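To make the difference between “encrypted” and “merely obscured” concrete, the following Go program is an added illustration, not code from this article or from any Senetas product. It seals each statement record with AES-256-GCM, an authenticated mode, before the record is written to a backup tape, and shows what a recipient of a lost tape can and cannot do with it. The key is generated in software here purely for demonstration; in the high-assurance setup described above it would be held client-side in a hardware key manager and never travel with the tape. The record text, the tape/record label and the function names (`sealStatement`, `openStatement`) are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealStatement encrypts one statement record with AES-256-GCM, an
// authenticated mode: the output carries a tag that fails verification
// if even one bit of the ciphertext (or of the label) is altered.
// Output layout: nonce || ciphertext || tag.
func sealStatement(key, statement []byte, label string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under one key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The label (e.g. tape id and record number) is authenticated but left
	// readable, so a record cannot be silently moved to another slot.
	return aead.Seal(nonce, nonce, statement, []byte(label)), nil
}

// openStatement reverses sealStatement and returns an error, not garbage,
// when the key or label is wrong or the record has been modified.
func openStatement(key, sealed []byte, label string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, []byte(label))
}

func main() {
	// Constructed demo key. In a high-assurance deployment this key never
	// leaves the client-side key manager or HSM; only ciphertext goes to tape.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	record := []byte("ACCT 0000001 | 2016-03-31 | closing balance 1234.56") // constructed sample
	label := "tape-A/record-1"                                              // constructed label

	sealed, err := sealStatement(key, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("to tape: %d bytes, no plaintext fields\n", len(sealed))

	// Legitimate restore: correct key and label.
	plain, err := openStatement(key, sealed, label)
	fmt.Printf("restore: %q err=%v\n", plain, err)

	// A tape with the payload or tag modified: authentication fails.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openStatement(key, tampered, label)
	fmt.Printf("tampered record: err=%v\n", err)

	// A lost tape without the key (here: an all-zero wrong key): nothing recoverable.
	wrongKey := make([]byte, 32)
	_, err = openStatement(wrongKey, sealed, label)
	fmt.Printf("without the key: err=%v\n", err)
}
```

The point the program makes is the one the article relies on: if the CBA tapes had carried only output of this kind, whoever ended up holding them would have had ciphertext plus an authentication tag and no key, and any attempt to modify or relabel a record would be rejected on restore. That is what turns a lost tape from a breach into a lost piece of hardware, provided the key itself was managed client-side and was never on the same media.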
