Too much data collection means we’re more at risk of having personal information stolen, expert says
We are at greater risk than ever of having our personal data stolen, with so many companies collecting and storing unnecessary amounts of personal information about their customers, a security expert has warned.
- Prime Minister Anthony Albanese says Australia needs better data protection laws
- Professor Asha Rao says we need ‘tough penalties’ for companies that fail to protect their customers’ personal data
- She says companies should also be prevented from collecting so much data
Professor Asha Rao, associate dean of mathematical sciences at RMIT University, says Australia needs new laws to prohibit companies from engaging in unnecessary data collection.
She says we also need “tough penalties” for companies that fail to protect customer data, similar to penalties for violating money laundering and counterterrorism financing laws.
Her comments come in the wake of telecoms giant Optus’ massive customer data breach.
Prime Minister Anthony Albanese has also signaled an intention to crack down through legislation.
Data collection must stop
Professor Rao teaches the math behind cryptography, which is at the heart of cybersecurity.
Her students went on to work for Australia’s largest banks, major accountancy firms and Coles and Woolworths, among other companies.
Professor Rao told the ABC this week that due to the ubiquity of the internet, we are living in the most “dangerous” times in history for people’s personal data.
She said the demand from companies for customers to hand over increasingly detailed personal information, for no apparent reason, had to stop.
“It’s absolutely appalling,” she said.
“It’s what we call data retention and feature creep. They’re collecting data that they absolutely don’t need to collect.”
The Optus data breach included customer names, dates of birth, email addresses, mailing addresses, phone numbers, Medicare card numbers, passport numbers and driver’s license numbers.
The data was typical of the type of information that some companies require from customers to prove their identity when signing contracts.
Professor Rao said too many companies were collecting and storing far too much unnecessary information about their customers, and many failed to understand how important it was to protect data.
“We need to have tough penalties for data breaches involving personal information,” she said.
“They have to introduce new laws, and [to] give all [regulatory] agencies a few teeth.
“This is the most dangerous time for human personal data, and it’s getting worse, because everything is online,” she said.
In a recent article, Professor Rao and her colleagues Tracy Tam and Joanne Hall found that small businesses also face more problems as they increasingly become attractive targets for cybercriminals but lack the means to fight them.
“Our research found that small businesses tend to operate differently than large businesses because of their size,” their article states.
“One phenomenon is the tendency to mix personal and professional use in devices.
“The growing use of cloud services by small businesses also raises questions about accountability and the control and visibility a small business actually has over its IT security,” the article said.
The cyber threat, a growing problem
Australian authorities have been aware of the cybersecurity problem for a long time.
Between July 1, 2019 and June 30, 2020, the Australian Cyber Security Centre (ACSC) claims to have responded to 2,266 cybersecurity incidents, at a rate of almost six per day.
According to a study commissioned by Microsoft in 2018, cyber incidents targeting small, medium and large businesses were already potentially costing the Australian economy up to $29 billion a year.
Australia’s Cybersecurity Strategy 2020 also warned that Australians were being targeted online by a range of different groups.
“The barrier to entry into cybercriminal activities is very low,” it said.
“Underground online marketplaces offer cybercrime as a service or access to high-end hacking tools that were once only available to nation states.
“Malicious actors with minimal technical expertise can purchase illicit tools and services to generate alternative revenue streams, launder the proceeds of traditional crimes, or break into networks on behalf of more sophisticated adversaries.”
In a public submission to the strategy in 2019, Sapien Cyber warned that the consequences of attacks in Australia were “increasing in severity” as information systems became more central to business and society.
Prime Minister signals intention to change law
On Wednesday, Prime Minister Anthony Albanese told parliament Australia’s laws needed an overhaul.
“When customers hand over their data to companies in Australia, they expect it to be kept safe and this type of data breach should be an absolute red flag for Australian companies,” he said of the Optus data breach.
“Clearly we need better national laws, after a decade of inaction, to manage the huge amount of data companies collect on Australians, and clear consequences for when [companies] don’t handle it well.
“We are committed to protecting the personal information of Australians and strengthening privacy laws through the Privacy Act Review.”