A cyber attack on Family Planning NSW, which exposed the personal information of up to 8000 clients - including those seeking help about abortion and contraception - has highlighted the dangers for not-for-profits that have failed to take measures to protect valuable information.
Family Planning NSW chief executive Professor Ann Brassil made a full apology to its clients and to the general public in a blitz of national media coverage, just months after tough new data breach laws came into effect in February.
The organisation said it had been one of several targeted by cyber-criminals in the Anzac Day attack, in which they threatened to release personal information unless the organisation paid a bitcoin ransom.
While Family Planning NSW had managed to secure its site by 10am the following day, and had reassured clients, it accepted that many clients would be worried about the safety of their data.
"We became aware of the issue on April 25 and had the site secured by 10am on April 26, 2018. Clients can rest assured all web databases are now secure and there have been no further threats from the cyber criminals. More sensitive medical records held by our organisation and its clinical staff were never under threat," Prof Brassil said.
"We know that some of the clients that we've contacted will be concerned about what it means for them."
She said compromised data included information about clients who had contacted its website over two-and-a-half years, seeking appointments or leaving feedback, but she said there was no indication that the information had been used by the attackers.
It had alerted federal police, set up a dedicated phoneline and email contact point to inform individuals, and continued a "thorough review of our information security to ensure our clients can continue to trust us for their reproductive and sexual health services".
The breach comes just two months after tough new laws came into force that require organisations to report breaches or face hefty fines.
Family Planning NSW hosts more than 28,000 client visits each year across five clinics in NSW that provide advice and services related to a range of reproductive and sexual health services.
The Office of the Australian Information Commissioner (OAIC) confirms that it was notified by Family Planning NSW about the Anzac Day data breach.
It said that the Notifiable Data Breaches (NDB) scheme, which commenced on 22 February 2018, requires organisations to notify affected individuals and the OAIC where there is a likely risk of serious harm to any of the individuals whose personal information is involved in the data breach.
Health orgs, charities in breach top five
The first quarterly report by the OAIC of data breaches has revealed a big spike in reported breaches, with 63 notifications in the first six weeks of mandatory notifications, compared to 114 for all of 2016-2017.
The top five sectors affected included health service providers (24%) and charities (6%). Legal, accounting and management services (16%), finance (13%), and private education (10%) made up the rest of the top five sectors in reports.
The OAIC said 51% of data breaches were the result of "human error", while 44% were caused by malicious or criminal attacks. Just 3% were the result of system faults.
And, in an implied warning for smaller organisations - including not-for-profits - 90% of the breaches involved the personal information of fewer than 1000 individuals.
The OAIC's acting Australian Information Commissioner Angelene Falk said at the release of the quarterly report that notification gave affected individuals the chance to reduce the impact, such as by changing passwords.
"Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks."
Ms Falk said the high rate of human error "highlights the importance of implementing robust privacy governance alongside a high standard of security."
"The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information."
Our Community's director of technology architecture Lars Jensen said the incident with Family Planning NSW also meant that organisations should consider how long they held data.
"It's important not to keep data longer than you need," Mr Jensen said.
"It appears the hacked website was likely just an appointment booking system, in which case there was probably no need to keep two-and-a-half years' worth of data in there.
"The breach might still have happened even if there was only three months' worth of data there, but several thousand more people would be sleeping easier."
Do overseas privacy controls affect you?
Adding to the compliance expectations on organisations, the European Union has also just introduced new requirements.
The rules will come into effect on May 25, 2018, and could affect any Australian organisation that has connections to Europe.
Our Community legal partner Moores notes that this includes organisations that have offices in the EU, that offer goods and services - including online - or that track the activity of EU individuals.
Cyber risks: Have you acted on new data breach laws?
Australian not-for-profits must comply with new laws that require them to notify authorities if they've had a significant data breach.
The new laws came into effect on February 22, 2018, which means any breaches after that date must be reported.
The law requires not-for-profits with more than $3 million in annual turnover to notify authorities of data breaches.
Organisations face fines of up to $2.1 million for breaches.
Aon insurance's national practice leader for cyber risk, Fergus Brooks, says that in the past among not-for-profits, and others, there has been "a culture of not telling people when they've lost people's data".
But the expert from the Our Community insurance partner says not-for-profits deal with "very private records because of the nature of their business", and that can't go unregulated.
His industry has been buzzing with suggestions that the Federal Government is ready to "throw the book at organisations that aren't sufficiently securing the information they're trusted with".
"I think they've got their eye on some organisations already," he says.
"Now it's crunch time and you don't want to be the one that is made an example of."
Our tougher Australian laws are being mirrored in the US, Asia and Europe, with many not-for-profits doing business in those countries.
The Office of the Australian Information Commissioner (OAIC) said that, ahead of the new laws being enforced, it had worked with consumer groups, not-for-profits, and Australian Government agencies in the development of new resources aimed at clarifying the new rules.
The Australian Information Commissioner, Timothy Pilgrim, said, "the Notifiable Data Breaches scheme formalises a long-standing community expectation to be told when a data breach that is likely to cause serious harm occurs.
"The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts. The scheme also has a broader beneficial impact - it reinforces organisations' accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors," Mr Pilgrim said.
What's your plan of action?
Not-for-profits should already have a plan of action to be implemented if a breach or a cyber attack occurs.
Depending on the organisation, this could include having an insurer, legal advisers, public relations experts and information technology experts on hand to assist with a crisis.
Not-for-profits should develop an "incident response plan" and test it, Mr Brooks says.
"Let's say you get an email demanding $5000 or they'll release some private information. What are you going to do next?"
This includes your immediate "incident response" reaction in the first 24-48 hours, which may include determining what type of attack has occurred and how to protect remaining data.
The secondary part of your plan should assess how you're going to respond to any regulatory or legal claims, with the risk of class actions in Australia increasing.
"It's not difficult, and there's plenty of organisations - and Aon is one of them - where organisations can get help," Mr Brooks says.
More about the new data breach laws
The much anticipated Privacy Amendment (Notifiable Data Breaches) Bill 2016 came into force on February 22, 2018. The new law makes it mandatory to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals if your organisation has a data breach. This is Aon's advice.
Who do the changes apply to?
The new law applies to public and private organisations that are already subject to the Privacy Act. This includes Australian government agencies (excluding state and local government) and all businesses and not-for-profit organisations with an annual turnover more than $3 million.
When will the new law come into effect?
The new law came into effect on February 22, 2018.
What happens if you don't comply?
If your organisation doesn't comply with the new laws, you could face penalties including fines of up to $360,000 for individuals and $1.8 million for organisations.
Aon says these financial implications will require a systematic change of attitude for many organisations, and conversations about cyber risks and data security need to be elevated to boardroom level.
How can your organisation prepare?
Aon recommends that organisations affected by the new law act immediately - appoint a steering committee to address the new law changes, run a full risk assessment, and consider your insurance coverage to ensure your organisation is prepared when the law comes into effect.
If you're not prepared you'll WannaCry
Despite global cyber attacks that brought down government sites across the world early in 2017, Australian not-for-profits have been relatively slow to act to protect themselves from inevitable attacks and data breaches.
Those ransomware attacks swept the globe, targeting governments, major firms, hospitals and other essential services.
The "Petya" virus spread hot on the heels of WannaCry, with both viruses encrypting data on computers, and attackers demanding payment in crypto-currency Bitcoin to unlock the data.
One security expert, Richard Metcalfe from FireEye, quoted in The Australian, says the only reason Australia wasn't hit hard by the WannaCry virus attack in May 2017 was that "many of us were at the pub".
It was simply "pot luck" that the virus happened to strike Friday night Australian time, which is why so many other countries took such a big hit, Mr Metcalfe told the outlet.
And while Microsoft's most recent security report shows 3.5% of computers in Australia were hit by malware in March - less than half the global rate - there are no guarantees the figure won't skyrocket with a significant attack.
It is big businesses that have got the attention of hackers in the most recent big attacks.
They include credit reporting agency Equifax, with a hack revealed in September that affected 143 million customers, causing its share price to plunge.
In the same month, another report revealed huge accounting firm Deloitte had been targeted in a sophisticated attack that compromised confidential advice.
But not-for-profits aren't immune.
One US not-for-profit lost 500 records containing tax and personal finance details, which were posted for sale on the "dark web".
Not-for-profits an easier target
Mr Brooks says not-for-profits shouldn't think they're immune because they're a smaller target.
"There's a misnomer that cyber criminals are going after the top end of town," Mr Brooks says.
"But they're much harder targets compared to smaller organisations, which are often more willing to pay the $10,000 to retrieve data from a ransomware attack."
He says six-figure costs are quite likely for organisations that get hit by a hacker.
"Cyber criminals certainly don't discriminate, or have morals, when it comes to whether or not they'll target a not-for-profit."
Many smaller organisations don't reveal if they've suffered a data breach or attack, for fear of the reputational damage, but that is about to change with the new federal laws.
Yet the US-based National Cybersecurity Center says months after the warnings following the global attacks, for most small and medium organisations, cybersecurity "hygiene" - or proper training and procedures - was "sorely lacking".
Its chief executive, Ed Rios, says the problem is too often ignorance, with 75% of attacks a result of human error, usually clicking on a malicious link or using a weak password.
Time to increase vigilance
That lax approach is no different in Australia, says Mr Brooks.
"What tends to happen after a major attack is a whole lot of noise, which prompts people to patch things up," he says.
Since the attack, smaller not-for-profits had forgotten about the risk and were demonstrating less vigilance than bigger organisations.
"We're continuing to see claims for ransomware, but it is now more coming from the small to medium rather than the corporate sectors," Mr Brooks says.
"It's not a matter of if something bad happens, but when something bad happens, whether it's dropping a USB key, tablet, or laptop; or that someone targets you because they've decided they hate your organisation because of your religious or political stance."
So what are the risks?
New laws and continued attacks are a sobering reminder of the cyber risks now faced by organisations of all types.
Without a plan of action, your organisation's data could be compromised, putting confidential information, stakeholders' contact details, private health files, and mission-critical software at risk of exposure or deletion.
Mr Brooks says key cyber risks for not-for-profits revolve around the sensitive information they hold, such as personal and healthcare information.
Threats to organisations from cyber breaches include:
- business interruption leading to income losses and expenses
- the cost of restoring data
- notification and investigation costs
- the costs of any extortion
- public relations and communications costs
- legal costs linked to privacy, defamation, damages and intellectual property claims
- fines and penalties.
During 20 years working in information security, Mr Brooks has seen dramatic growth in cyber crime, with 85% of attacks now linked to ransomware coming from regions including eastern Europe, Taiwan, China, and the US and from home-grown cyber crooks.
Those attacks involve hackers using legitimate-seeming emails or software to bait users into activating computer viruses that scramble data.
Victims are issued with demands to pay a ransom to regain control of their computers, and in some cases criminals will sell or threaten to release the data they've harvested from hijacked computers and servers.
But despite all the warnings - and even after security awareness training - "people are still clicking on that link", as criminals develop increasingly sophisticated methods to entice victims, Mr Brooks said.
Baiting methods include faked emails from senior managers, timing attacks for when people are on leave, and conducting rigorous background research about organisations before attacks.
Recent Aon client seminars have highlighted confusion about how the new laws will work, but Mr Brooks says any "serious" breach - even the release of a single sensitive email - could require organisations to notify authorities.
Cyber-protect your organisation now
The government Australian Cyber Security Centre says organisations should do the following to protect themselves from cyber attack:
- Patch and update systems immediately, including Microsoft operating systems. Using unpatched and unsupported software increases the risk of cyber security threats such as ransomware.
- Back up your data. If you do not have backups in place you can arrange to use an off-site backup service. This is good practice for all users.
- Ensure your antivirus software is up-to-date.
- Individuals and organisations are discouraged from paying the ransom, as this does not guarantee access will be restored.
Mr Brooks says the attacks this year are "the same vulnerability being exploited".
"Patches are out there, but the reason this can still happen is that people either still haven't patched vulnerable systems, or they are unable to.
"In the Petya attack, the ransom is just $US300. So it's not targeted at any business in particular, just anyone who's silly enough to pay it. It's not clear even if you do pay it that you'll get the digital key to unlock your data."
Mr Brooks says the reasons why organisations may be unable to patch their systems include:
- They are running legacy applications that won't work with updated versions of Windows (the UK's NHS had this problem)
- They are running illegal pirated copies of Windows that can't be patched
- They have IT officers who don't have full oversight of their network, or haven't made cyber threats a high enough priority.
"It's not that firms aren't aware of the problem, it's just not in the line of sight, or nobody's sure who is managing it."