Media Release
Threat Of Identity Theft Looms As Business Cyber-Assaults Take New Form
20 February 2013
The ramping up of efforts by fraudsters to go after Australian businesses holding personal information could contribute
to a greater risk of identity theft and subsequent credit fraud for Australian consumers, warns a consumer advocate for
accurate credit reporting.
Yesterday new Attorney-General, Mark Dreyfus QC advised that recent national survey results for more than 250 major
businesses show cyber-crime is becoming increasingly targeted and coordinated, with one in five businesses experiencing
one in the last year.
Mr Dreyfus said that cyber assaults have shifted from being indiscriminate and random to being more coordinated and
targeted for financial gain. Most occur from outside the business, although it appears internal risks are also
significant. [i]
The 2012 Cyber Crime and Security Survey Report commissioned by CERT Australia and conducted by the Centre for Internet
Safety at the University of Canberra revealed that most serious assaults involved the use of malicious software, theft
or breach of private information and denial-of-service.
In one case, an organisation reported the theft of 15 years' worth of critical business data.
A third of instances involved the theft of notebooks, tablets or mobile devices.
CEO of MyCRA Credit Rating Repair, Graham Doessel says Australians should feel concerned about where their personal
information could be exposed to potential company data breaches, as personal information has become a valuable commodity
used to commit identity theft and potentially ruin the victim’s credit rating and their financial future.
“We can’t take lightly the possibility that any company that keeps data on its customers could be at risk of
cyber-crime. Identity theft is becoming more prevalent, and personal information is lucrative for fraudsters,” Mr
Doessel says.
Last week the Australian Taxation Office (ATO) announced the identities of four tax agents were stolen and used to
fraudulently obtain AUSkeys giving access to specialist tax agent online services.
Whilst the ATO was able to contain the threat, and cancel the AUSkeys, it said in a statement to the media that doing
business online has benefits, but also comes with risks.
“People looking to commit identity fraud constantly look for ways to profit so it is critical to remain vigilant
regarding your personal information and online security,” the ATO statement said. [ii]
Mr Doessel says this instance is one of a long line of assaults on Australian businesses and government entities in
recent years.
“Unfortunately it seems everywhere people turn one entity or another has been hacked – and it seems everyone with a
computer is at risk. It is still extremely scary the level of risk peoples’ personal information undergoes these days
when it is stored online,” he says.
Personal information in the wrong hands can lead not only to identity theft but credit fraud, which involves the use of
the victim’s credit rating, which can have significant long term consequences.
“Basically, a lot of identity fraud is committed by piecing together enough personal information from different sources
in order for criminals to take out credit in the victim’s name. Often victims don’t know about it right away – and
that’s where their credit file can be compromised,” he says.
He says once the victim’s credit rating is damaged due to defaults from this ‘stolen’ credit, they are facing some
difficult times repairing their credit rating in order to get their life back on track.
“These victims often can’t even get a mobile phone in their name. It need not be large-scale fraud to be a massive
detriment to their financial future - defaults for as little as $100 will stop someone from getting a home loan,” he
says.
Once an unpaid account goes to default stage, the account may be listed by the creditor as a default on a person’s
credit file. Under current legislation, defaults remain on the credit file for a 5 year period.
“What is not widely known is how difficult restoring a credit file can be – even if the individual has been the victim
of identity theft, there is no assurance the defaults can be removed from their credit file. The onus is on the victim
to prove their case and provide copious amounts of documentary evidence,” he says.
Changes to the Privacy Act 1988 should help consumers collectively when businesses experience cyber-crime which leads to
a data breach. [iii]
From March 2014, increased powers of the Privacy Commissioner will force organisations that experience a breach to do
something about it. Previously, the Commissioner could investigate and make recommendations as to what the organisation
should do, but it had no way of requiring the organisation to take action.
The Commissioner can also issue civil penalties to organisations that experience a breach and either fail to take
reasonable steps to protect the information entrusted to them, or fail to adequately respond.
Mr Doessel says consumers need to be insisting that the companies who hold their personal information have adequate
tools to prevent a data breach, but he says despite this, the changing nature of cyber-crime means it can be difficult
to keep up with the technology of fraudsters.
“Despite our best efforts to keep our details safe, we don’t have control over the IT systems of the company which holds
our information, so we have to place a lot of trust in them to stay one step ahead of fraudsters. With most organised
crime gangs now placing identity theft on their repertoire, more damaging and more frequent assaults are probably
imminent in the future,” Mr Doessel says.
He says as a matter of routine, consumers should check their bank and credit card statements thoroughly when they come
in, and should also order a copy of their credit report regularly – which would indicate if their credit file had been
misused.
Under current legislation a credit file report can be obtained at no cost every 12 months from the major credit
reporting agencies Veda Advantage, Dun and Bradstreet and TASCOL (if in Tasmania) and is sent to the owner of the credit
file within 10 working days.
ENDS