Late on 15 November 2017, Cash Converters International Limited announced to the ASX that it had been the victim of a cyber-attack.
The announcement stated (in part) that:
"[CCV] has received an email threat from a third party claiming to have gained unauthorised access to customer data within a Cash Converters’ United Kingdom website...The unidentified third party’s threat included the widespread release of the data unless it receives a financial payment."
The announcement went on to state that the accessed data:
- related to a decommissioned website operated by a third party in the United Kingdom; and
- may have included personal details, purchase history, passwords and, in some cases, masked credit card details of customers.
Latest attack emphasises the need to be vigilant
This latest attack follows a series of serious cyber-attacks that have occurred in 2017. These attacks include the WannaCry ransomware attack in May and the NotPetya cyber-attack in June.
Each of these attacks affected some of the world's largest businesses, and each spread using EternalBlue, an exploit for a vulnerability in the SMB implementation of Microsoft Windows (patched by Microsoft in March 2017 as MS17-010, before either attack). The exploit was published by the hacking group calling itself the Shadow Brokers, which claimed to have obtained it from the NSA. The attacks succeeded largely against organisations that had not yet applied the available patch.
Other cyber-security events in 2017 include the revelation that Appleby, a law firm based in Jersey and Bermuda, was the subject of a cyber-attack in 2016 which led to the disclosure of a huge volume of confidential documentation. There have also been various security lapses, as distinct from attacks, which have exposed personal information to the public. An example of such a lapse is the recent exposure by an Australian Government contractor of the personal details of staff from an Australian company.
The frequency with which such attacks are occurring is a stark reminder to organisations that they need to be vigilant in the maintenance of their defences to possible cyber-attacks.
It is not enough for organisations to assume that their internal IT department or external IT consultants will be doing all that is necessary to maintain the defences of the organisation.
Rather, the boards and senior management of organisations need to be actively engaged in the steps being taken to minimise the risk that their organisation will be the next to be hit, so as to ensure that they discharge the duties that they owe to their organisation. In this regard, ASIC has previously stated that "[e]ffective corporate governance should involve active engagement by directors and the board in managing any applicable cyber risks".
Being prepared for the worst
The fact that any number of large and sophisticated organisations have suffered from cyber-attacks in 2017 demonstrates that all organisations are at risk.
That being so, businesses of all sizes should consider what steps they have taken, and can take, to mitigate the impact of a cyber-attack and the plans which they have in place to respond to such an attack.
Steps which organisations should be taking include:
Listed entities will also need to consider how they will deal with a cyber-attack in the context of their continuous disclosure obligations. As the recent announcement by Cash Converters International Limited demonstrates, even an attack which does not impact upon a listed entity's financial forecasts may still need to be announced to the market.
The need for such an announcement carries with it the risk of unwanted media attention and reputational damage. That being so, it is necessary for any data breach response plan to provide guidance as to the steps that the organisation should take to handle media enquiries and to minimise any reputational damage, particularly in the case of listed entities.
Impact of the mandatory data breach notification scheme
From 22 February 2018, the Privacy Act 1988 (Cth) will include a mandatory data breach notification scheme (the Notifiable Data Breaches scheme).
The scheme will require organisations and Federal agencies subject to the Privacy Act to notify the OAIC and any individuals at risk of serious harm of an "eligible data breach" as soon as practicable after becoming aware of it. An eligible data breach is unauthorised access to, unauthorised disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to one or more of the individuals to whom the information relates.
The imminent introduction of this scheme only increases the imperative for organisations to get their house in order by taking the steps identified above.
Importantly, the obligation to notify the OAIC and affected individuals will not arise if the organisation takes remedial action in response to the breach before it results in serious harm, such that a reasonable person would conclude that the breach is no longer likely to result in serious harm to any of the individuals concerned. This exception from the mandatory notification scheme demonstrates the value of being proactive and having detailed plans in place which facilitate early detection and action.
The introduction of this scheme also means that all entities will need to ensure that their data breach response plans extend to the manner in which the organisation will manage the public relations issues that will almost certainly arise once it begins to provide the mandated notifications.