21/10/2017 11:26 AM AEDT | Updated 23/10/2017 2:49 PM AEDT

Another Week, Another Data Breach: Welcome To The New Normal

A juicier pot of data-honey attracts more bees.


This week customers of Dominos Pizza were shocked to discover their personal details had found their way into the hands of scammers after a company contracted by the pizza giant was blamed for leaking customer email addresses, names and store suburb.

The latest story about a major safety and privacy breach at an Australian company was just that, the latest in a series of breaches or personal data stuff-ups in Australia in recent months.

"I don't even know if I can count the number of breaches there have been this year," said Chester Wisniewski, principal research scientist and security expert at Sophos, referring to data breaches around the world.

"It's probably five or six times the number of people on this planet, which means we've all been victimised in some way or another several times each."

Wisniewski consults with governments about data security, and while he believes the mass pooling of personal data is too attractive for some cyber criminals to resist, he also believes governments can limit the damage.

One avenue is Australia's Notifiable Data Breaches Act, which established a mandatory data breach notification scheme in Australia -- which comes into effect in February -- and will require organisations to notify people when the loss of their information is likely to result in serious harm.

A statement from Dominos Pizza on its website

"That's the beginning of it. Step one is saying if you lose more than a thousand records you need to notify people and let them know, and that means for private sector organisations they may take a hit on the stock exchange," said Wisniewski.

Just last week it was revealed 30 gigabytes of unclassified but commercially sensitive data was stolen by hackers who accessed the systems of a Department of Defence subcontractor. The Sydney Morning Herald reports the data covered information about the $14 billion Joint Strike Fighter program.

In July, Human Services Minister Alan Tudge was forced to ­reassure Australians whose Medicare numbers were leaked that the numbers alone could not be used to access health records.

The Guardian Australia reported one of its journalists could buy his Medicare card number less than $30 from a "dark net" trader.

It was a leak that came just over a year since the Australian Bureau of Statistics (ABS) said its census website was attacked by hackers four times, forcing them to shut down the site as a precaution after the fourth attack.

The breaches come as the federal government proposes a massive database -- called The Capability -- of Australian faces, taken from their drivers licences.

A juicier pot of honey attracts more beesDr Suelette Dreyfus

"The more data you try to group together, the richer the pool will be, the bigger the attraction to the cyber criminal element," said Dr Suelette Dreyfus from the University of Melbourne's School of Computing and Information Systems.

She said there were two main privacy concerns.

One concern is governments and companies collecting and amalgamating data only to repurpose it without the citizen or consumer's permission (i.e. more intrusive Centrelink searches on the government side, or from private companies selling the information on).

Another concern is that data being breached by criminals.

"The more you merge data sets and build a richer profile of someone, the more valuable it becomes. So if you imagine you're just selling someone's credit card information on the internet, that's less valuable than if you can sell their credit card number, their medicare number, their medical history, their credit rating.

"All of a sudden, that's a much more valuable thing.

"So you increase the risk to people's privacy on two levels."

On Monday Chris Painter, who until recently was the U.S. State Department's coordinator for cyber issues, said based hackers can exploit ties to other countries despite nations like Australia and the U.S. having advanced cyber defence capabilities.

He urged countires to have laws and trained police officers in place to cooperate on international cyber crime cases.

There are agreements aimed at strengthening international collaboration to fight cyber crime, such as the Budapest Convention which is aimed at coordinating nations' cybercrime laws. It now has 56 signatories in Europe and around the world.

Painter said he has seen the stakes change and sophistication improve after 27 years working on cyber crime.

"It really is a cat-and-mouse game where we have to up our defences and we have to have consequences for those who breach those defences," he said.

Just days later, Australian Security Intelligence Organisation (ASIO) said it had been unable to investigate all "harmful espionage" and "foreign interference" against Australia due to sheer size of malicious activity directed at the country over the past year.