Can you prevent a hack?

Can you prevent a hack?

Photo By Madartzgraphics

In the wake of the Optus data leak, legislation before Parliament will lift the maximum fine for serious or repeated breaches of the Privacy Act from $2.2m to up to $50m. But there are no guarantees that even the strongest safety measures will prevent an attack. So, what does that mean for business and their customers?

Legislation before Parliament will lift penalties for serious or repeated privacy breaches, provide new powers to the Australian Information Commissioner, require entities to provide detailed data to the Information Commissioner to assess public risk, and give the regulator greater information sharing powers. In a statement, Attorney General Mark Dreyfus said, “When Australians are asked to hand over their personal data they have a right to expect it will be protected.” But the question is, can any business claim that customer data will be protected from hackers?

If a customer needs to disclose their personal information to your business to work with you, at the point the data is collected, your business is the custodian of that data. A duty of care exists from the moment the data is collected to the point the information is no longer required and destroyed.

The Privacy Act requires organisations to take “reasonable steps” to protect the data collected. ‘Reasonable’ steps “requires the existence of facts which are sufficient to [persuade] a reasonable person.” That is, in the event of a data breach, the business will need to prove the steps they have taken to protect client data.

Scams and how to avoid them

I got a text the other day “Hi Mum, I have broken my phone and I am using this number.” The “Hi Mum” scam has exploded with more than 1,150 Australians falling victim to the ploy in the first seven months of 2022, with total reported losses of $2.6 million. Once the scammer establishes contact, they start requesting money for an urgent bill or a replacement phone etc. For those with children or dependant family members, it is not that hard to believe. According to the Australian Consumer and Competition Commission (ACCC), two-thirds of family impersonation scams were reported by women over 55 years of age.

Another common scam is the lost or unable to deliver package texts and voicemail. With Christmas just around the corner, we can expect to see another escalation of this scam where tracking links purportedly from Australia Post, Toll, or Amazon etc., are used to instal malware. Once accessed, the malware will access your contacts and spread the malware and potentially access your personal information and bank details.

In July, the Australian Taxation Office (ATO) reported a new wave of ‘Tax refund SMSF scams’. The texts purported to be from the ATO stating that the individual had a tax refund and to click on the link and complete the form. Another scam purporting to be from the ATO advised that the recipient was suspected of being involved in cryptocurrency tax evasion and requested that they connect their wallet. At which point the wallet was accessed and any assets stolen.

The ACCC’s Targeting Scams report states that in 2021, nearly $1.8bn in losses were reported but the real figure is likely to be well over $2bn.

The largest combined losses in 2021 were:

  • $1 million lost to investment scams with 2021 figures significantly increased by cryptocurrency scams – more scammers are seeking payment with cryptocurrency and losses to this payment method increased 216% to $84 million.
  • $227 million lost to payment redirection scams.
  • $142 million lost to romance scams.70

Protecting yourself from scams

  • Help educate older relatives. The over 55s are the most likely to fall victim to a scam.
  • Always use the primary website or app of your suppliers not a link from a text or email.
  • Don’t click on links from emails or text messages unless you are (absolutely) certain of the source. For email, if the sending email domain is not clear or hidden, hover over the name of the sending account to check if the email is from the company domain.
  • For Government services, use your MyGov account. Any messages to you from the ATO or other Government services need will be published to your MyGov account. Never click on links purporting to be from a bank, ATO or Government department.

Protecting your business from scams

Payment redirection scams, where the email of the business is compromised, caused the highest reported level of loss for business in 2021 at a combined $227 million.

Payment redirection scams involve scammers impersonating a business or its employees via email and requesting an upcoming payment be redirected to a fraudulent account. In some cases, scammers hack into a legitimate email account and pose as the business, intercepting legitimate invoices and amending the bank details before releasing emails to the unsuspecting business. Other times, scammers impersonate people using a registered email address that is very similar to one from a legitimate business.

  • Educate your team about threats and what to look out for, the importance of passwords and password security, and how to manage customer information. Phishing attacks, if successful, provide direct access into your systems.
  • Ensure staff only have access to the business systems and information they need. Assess what is required and close out access to anything not required. Also assess how customer personal information is accessed and communicated. Personal information should not be emailed. Email is not secure and it is too easy for staff to inadvertently send data to the wrong person.
  • No shared login details or passwords.
  • Complete a risk assessment of your systems and add cybersecurity to your risk management framework.
  • Develop and implement cyber security policies and protocols. Have policies and procedures in place for who is responsible for cybersecurity, the expectations of staff, and what to do in the event of a breach. Your policies should prevent shadow IT systems, where employees download unauthorised software.
  • Understand your organisation’s legal obligations. For example, beyond the Privacy Act some businesses considered critical infrastructure such as some freight and food supply operations are subject to the Security of Critical Infrastructure Act 2018. This might involve small businesses in the supply chain.
  • Use multifactor authentication on your systems and third-party systems.
  • Update software and devices regularly for patches
  • Back-up data and have backup protocols in place. If hackers use ransomware to lock your systems, you can revert to your backup.
  • If customer data is being shared with related or third parties domiciled overseas, ensure your customer is aware of where their data is domiciled and your business has taken all reasonable steps to enforce the Australian Privacy Principles. Your business is responsible for how the overseas recipient utilises your customer’s data.
  • Only collect the customer data you need to provide the goods and services you offer.
  • Ensure protocols are in place for accounts payable.

Related Posts


ATO Fires Warning Shot On Trust Distributions

The ATO has warned that it is looking closely at how trusts distribute income and to who. The way i

Read More

Queensland backs down on Australia wide land tax assessment

The Queensland Government has backed away from an amendment that would have seen the land tax ra

Read More

The ATO Debt Dilemma

Late last year, thousands of taxpayers and their agents were advised by the Australian Taxation Offi

Read More