Cyber-Security and Privacy failures – the huge costs to a business

Under recent reforms, Australian companies face penalties of upwards of $50 million for serious or repeated data breaches.

Year-on-year increase in breaches

In its most recent Annual Cyber Threat Report, the Australian Cyber Security Centre revealed a year-on-year increase in the number of cyber incident reports it receives. According to the report, the ACSC is notified of a new cyber breach every seven minutes.

It is now more important than ever to protect your organisation from the reputational damage and financial consequences – including expensive litigation and fines – of failing to handle and protect customer data adequately. Cybercriminals may be the ones who carry out a breach, but businesses still need sophisticated cybersecurity controls, including a well-designed cybersecurity compliance training course, because everyone has a part to play in safeguarding data and avoiding preventable lapses in security.

Consequences of a breach of the Privacy Act: Latitude Group half-year loss of up to $105 million

According to the ACSC, cybercrime and data breaches cost an average of $39,000 per cybercrime report for small businesses and $88,000 for medium-sized businesses. For large corporations, privacy failures can also cause incalculable reputational damage: financial services firm Latitude Group is set to report a half-year loss of up to $105 million following a data breach that gave cybercriminals access to over 14 million customer records.

Data stolen in the breach included highly sensitive items such as passport and driver’s licence numbers. More than half of the almost 8 million licence numbers taken were provided to the firm over a decade ago, and 97% of the remaining 6 million records were collected between 2005 and 2013. Much of this data belonged to former customers of Latitude.

A significant failure on the part of Latitude to destroy or de-identify information no longer necessary

This represented a significant failure on Latitude’s part to destroy or de-identify information no longer necessary for its business activities, a key obligation under the Australian Privacy Principles (APP 11.2), which are set out in the Privacy Act 1988 (Cth). The principles lay down data-handling practices that most businesses should follow to avoid legal liability and reputational damage. If your organisation has an annual turnover of more than AUD$3 million, or provides a health service and holds health information (regardless of turnover), you are legally bound by the Privacy Principles. Had Latitude held on only to the data it reasonably needed to fulfil its business activities and external obligations, the breach would have been far smaller in scale and impact.
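The destroy-or-de-identify step can be made a routine, testable job rather than something discovered after a breach. The Python below is an added illustration of such a retention sweep; it is not code from GRC Solutions, Latitude or the original article. The seven-year retention period after a customer relationship ends, the placeholder fingerprint key and the sample records are all assumptions made for this example, not facts from the page or any regulator.

```python
"""Retention sweep: find records whose identity documents are past retention and
de-identify them. Added example; the retention rule and sample data are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Assumption: identity documents are kept for RETENTION_YEARS after the customer
# relationship ends, then must be destroyed or de-identified. Real periods come
# from your own legal obligations, not from this example.
RETENTION_YEARS = 7

# Placeholder key for the keyed fingerprint; in production it lives in a secrets store.
FINGERPRINT_KEY = b"replace-me-with-a-managed-secret"


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    collected_on: date
    relationship_ended: Optional[date]        # None means still an active customer
    passport_number: Optional[str] = None
    licence_number: Optional[str] = None
    document_fingerprint: Optional[str] = None
    deidentified: bool = False


def retention_expiry(rec: CustomerRecord) -> Optional[date]:
    """Last day the identity documents may be kept; None for active customers."""
    end = rec.relationship_ended
    if end is None:
        return None
    try:
        return end.replace(year=end.year + RETENTION_YEARS)
    except ValueError:            # relationship ended on 29 February
        return end.replace(year=end.year + RETENTION_YEARS, day=28)


def is_past_retention(rec: CustomerRecord, as_of: date) -> bool:
    """True only once the expiry day itself has passed."""
    expiry = retention_expiry(rec)
    return expiry is not None and as_of > expiry


def fingerprint(value: str) -> str:
    """Keyed hash so an audit can later confirm 'we once held document X' without
    keeping X. A plain SHA-256 would not do: licence and passport numbers have so
    few possible values that an attacker could simply enumerate them all."""
    return hmac.new(FINGERPRINT_KEY, value.encode(), hashlib.sha256).hexdigest()


def deidentify(rec: CustomerRecord) -> CustomerRecord:
    """Strip the identity documents, keeping only the keyed fingerprint."""
    docs = [d for d in (rec.passport_number, rec.licence_number) if d]
    return replace(
        rec,
        passport_number=None,
        licence_number=None,
        document_fingerprint=fingerprint("|".join(docs)) if docs else None,
        deidentified=True,
    )


def sweep(records, as_of: date):
    """Split records into those kept as-is and those de-identified by this run."""
    kept, changed = [], []
    for rec in records:
        if not rec.deidentified and is_past_retention(rec, as_of):
            changed.append(deidentify(rec))
        else:
            kept.append(rec)
    return kept, changed


# Constructed sample data: the dates echo the article (information collected
# 2005-2013, relationships long over) but none of it is real customer data.
AS_OF = date(2023, 3, 31)
SAMPLE_RECORDS = [
    CustomerRecord("C001", date(2008, 5, 10), date(2011, 2, 1), "N1234567", "987654321"),
    CustomerRecord("C002", date(2012, 9, 15), date(2020, 6, 30), None, "112233445"),
    CustomerRecord("C003", date(2006, 1, 20), None, "PA7654321", None),            # still a customer
    CustomerRecord("C004", date(2010, 11, 3), date(2016, 3, 31), "M0000001", None),  # expires today
    CustomerRecord("C005", date(2009, 7, 7), date(2015, 12, 12), None, "556677889"),
]

if __name__ == "__main__":
    kept, changed = sweep(SAMPLE_RECORDS, AS_OF)
    print(f"kept {len(kept)}, de-identified {len(changed)}")
    for rec in changed:
        print(rec.customer_id, rec.document_fingerprint[:16], rec.passport_number, rec.licence_number)
```

Two design choices worth noting. The sweep is idempotent (records it has already de-identified are skipped on the next run), so it can be scheduled without fear of double-processing, and the boundary is strict (a record expiring today is kept until tomorrow) so the rule is unambiguous in an audit. The same sweep has to reach every copy of the data, including backups, reporting extracts and anything handed to third parties; de-identifying only the primary database leaves the exposure the article describes.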

Latitude has also earmarked $46 million for remedial costs associated with the breach. This figure does not include security upgrades, funds for potential litigation such as class actions, or the payment of fines. Remember: it takes only a small failure in your security practices to compromise your organisation’s data.

Medibank loses $2 billion in market value

The 2022 Medibank hack was one of the worst data breaches in Australian history: over 200GB of data covering some 9.7 million customers was accessed and held to ransom. In less than a day, Medibank lost $2 billion in market value because of the breach. The attackers’ way in was not exotic: they used the stolen login credentials of a single IT service provider, a reminder that third-party accounts need the same least-privilege and multi-factor controls as staff accounts.

Medibank expects the cost of the cyberattack to reach $45 million in the year following the breach. This does not include the costs of investor lawsuits and regulatory fines; Medibank now faces four separate class action lawsuits over the breach.

Education is key

Employee education in data-handling best practices, industry standards and statutory obligations is essential to avoiding and mitigating the harm a data breach can cause. By investing in comprehensive, tailored cybersecurity compliance training, supported by relevant information privacy law training, you can help ensure your organisation remains compliant with regulations and ethical standards.

GRC Solutions Resources

GRC Solutions offers a suite of courses catering to organisations across Australia and internationally. We are experts in online compliance training, and offer:

  • Off-the-shelf courses built on extensive industry knowledge;
  • Custom-built training to suit the specific needs of your organisation;
  • The award-winning Salt Compliance LMS, with the new and intuitive Salt Adaptive application; and
  • Consultancy services to better understand your business-specific requirements.

Click here to view our suite of Privacy and Data Protection courses, including Cybersecurity – Australia, Privacy Training for Financial Services – Australia, and Privacy for Schools.