Breached data of Australian consumers for sale on public forums

The high-profile Medibank, Optus, and MyDeal breaches are only the tip of the iceberg when it comes to data exposed due to cyber threats and hacks in Australia.

The highly sensitive data and information of Australians are being traded online, ABC Investigations reports. This data includes logins for Australian Taxation Office accounts, along with medical data of NDIS recipients.

The investigation has uncovered that large amounts of stolen data and personally identifying information are being sold online for amounts as little as $1 USD.

At least 12 million Australians have had their data exposed by hackers in recent months. Those hacked weren’t even aware of the fact until they were contacted by the ABC. They said they were either not adequately notified by the organisations responsible for securing their data, or that they were misled as to the seriousness of the breach.

Particularly concerning to accountants is that this data includes login details to individual MyGov accounts.

What about 2FA/MFA?

MyGov and ATO services are built with two-factor authentication, which protects accounts even when their usernames and passwords are compromised, but those same login details could be used as a means to bypass less-secure services.

While hackers may not be able to access MyGov or ATO accounts because the accounts are protected by MFA, these credentials can still be exploited. For example, if an accountant’s credentials for their MyGov account are the same as their email’s, their email is now compromised. The same can be said for any other accounts that have the same credentials as the breached one.

It’s not just on the Dark Web

The exposed information isn’t just on the dark web. Unfortunately, it’s easily accessible to cybercriminals because it is also posted on public forums and websites.

This ease of access highlights that hackers don’t even need sophisticated methods to exploit this data.

What should accounting firms do?

As custodians of sensitive client data, it’s always best to ensure that you have as many layers of protection as possible across your systems and any device that accesses client data. Here are the easily actionable measures for doing so:

  1. Have an identity management solution in place. Protecting client data goes beyond passwords and password managers now. Identity management is the sophisticated way that organisations can control and keep users safe by assigning rights and restrictions to an identity.
    • Use passwords that are more than 8 characters in length, and don’t use passwords that can easily be guessed (like birthdays or children’s names)
    • When using an identity access manager or password manager, make sure that any passwords stored are encrypted.
  2. Apply time-based access for accounts that have admin access or higher. This measure ensures these accounts can’t be accessed outside of business hours. With many hacks originating from outside Australia, this protects your firm from cyber threats originating overseas.
  3. Train and educate your team. Your team are the last line of defence when it comes to cyber threats. Ensuring they are educated about best practices when it comes to security is an investment into security for your firm as a whole.
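To show what the time-based access measure in step 2 looks like in practice, here is an added example (not code from the original article or from Practice Protect) that evaluates login events from an identity provider and denies privileged accounts outside the firm’s business hours. It assumes a Sydney-based firm, Monday to Friday 08:00 to 18:00, and UTC timestamps in the event log; the events and role names are constructed for illustration.

```python
from datetime import datetime, time, timedelta, timezone

# Assumed firm policy: Sydney local time, Monday to Friday, 08:00 to 18:00.
try:
    from zoneinfo import ZoneInfo
    FIRM_TZ = ZoneInfo("Australia/Sydney")
except Exception:  # no tz database on this host: fall back to a fixed AEDT offset
    FIRM_TZ = timezone(timedelta(hours=11))
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
PRIVILEGED_ROLES = {"admin", "owner"}  # roles subject to the time window (assumed names)


def within_business_hours(utc_ts: str) -> bool:
    """True if an ISO-8601 UTC timestamp falls inside the firm's local business hours."""
    local = datetime.fromisoformat(utc_ts.replace("Z", "+00:00")).astimezone(FIRM_TZ)
    if local.weekday() >= 5:  # Saturday or Sunday
        return False
    return BUSINESS_START <= local.time() < BUSINESS_END


def evaluate_login(event: dict) -> str:
    """Return 'allow' or 'deny'; only privileged roles are time-restricted."""
    if event["role"] not in PRIVILEGED_ROLES:
        return "allow"
    return "allow" if within_business_hours(event["timestamp"]) else "deny"


# Constructed sample events (not real logs); identity providers usually record UTC.
SAMPLE_EVENTS = [
    {"user": "alice", "role": "admin", "timestamp": "2023-03-06T23:30:00Z"},  # Tue 10:30 AEDT
    {"user": "alice", "role": "admin", "timestamp": "2023-03-06T14:00:00Z"},  # Tue 01:00 AEDT
    {"user": "bob", "role": "staff", "timestamp": "2023-03-06T14:00:00Z"},    # staff: not restricted
    {"user": "carol", "role": "admin", "timestamp": "2023-03-11T01:00:00Z"},  # Sat 12:00 AEDT
]


def evaluate_all(events=SAMPLE_EVENTS):
    """Evaluate every event and return (user, decision) pairs for review."""
    return [(e["user"], evaluate_login(e)) for e in events]


if __name__ == "__main__":
    for user, decision in evaluate_all():
        print(f"{user}: {decision}")
```

Denied attempts are the ones worth alerting on: an admin login at 1 a.m. Sydney time is exactly the overseas-origin access pattern step 2 is meant to block.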

At Practice Protect, we have a holistic cybersecurity solution that over 20,000 accountants worldwide use to secure their data. Whether it’s securing email systems, desktops and devices, or passwords and team training, Practice Protect has a solution. Book a demo with our team to learn more.