Financial sector continues to be high cyber target

The latest Notifiable Data Breaches Report, published by Office of the Australian Information Commissioner (OAIC) every six months, has revealed that between January and June this year, roughly 58 per cent of data breaches in the financial sector were considered to be malicious or criminal related.

Human error accounted for 30 per cent of the financial sector’s data breach notifications during this period. 

The sector, which covers “banks, wealth managers, financial advisers, superannuation funds and consumer credit providers”, was found to have reported the second-highest number of data breaches across all sectors.

It reported 52 notifications (or 13 per cent of the total sum). Only health service providers experienced more breaches, according to the OAIC.

Australian Information Commissioner and Privacy Commissioner Angelene Falk commented: “The finance sector has been among the top two industry sectors to notify data breaches since the Notifiable Data Breaches scheme began in February 2018.

“Unfortunately, financial institutions are an attractive and lucrative target for cyber criminals, and the risk of this activity is not going away.”

She urged those in the finance space to “focus on improving security and revising systems and processes for identifying and responding to data breaches”.

“Financial institutions should also prioritise training staff on secure information handling practices and make sure they understand how personal information must be handled throughout the information lifecycle,” Ms Falk concluded. 

Similarly, as reported by our sister brand Cybersecurity Connect earlier this month, Imperva Research Labs found that web attacks towards the financial sector had increased by 38 per cent between January and June 2021. 

According to Imperva Research Labs, an arm of the California-based cyber security firm Imperva, cyber criminals were increasingly targeting the industry with distributed denial of service (DDoS) and ransom DDoS attacks to disrupt operations, and to steal sensitive data via specific web applications attacks – namely data leakage, RCE/RFI and cross-site scripting (XSS).

“The sharp increase in attacks is linked to the rapid digital transformation that has taken place throughout COVID,” said Stuart Wilson, APAC vice president for financial services at Imperva, adding that these forms of attacks are growing in size and consistency throughout Asia Pacific. 

He noted that the financial services sector had invested significantly to expand their digital products and services to customers, adding: “At the same time, more and more customers are required to transact online in lieu of face-to-face contact – this digital expansion has created more opportunities for cyber criminals.

“The increased reliance on online banking and other financial services means the impact of a DDoS disruption today is greater than it has ever been before,” Mr Wilson continued. 

“A few seconds of downtime can equate to hundreds of thousands in lost revenue and have a lasting impact on a brand’s digital reputation. This makes it an effective tool for cyber criminals.”

In January this year, Imperva Research labs also found that more than 870 million records of sensitive data had been compromised during that month alone – a figure higher than 2017’s total figure of compromised records.

Additionally, data from Scamwatch shows a 53.4 per cent increase in reports about investment scams received, up from 3,104 in the first half of 2020, to 4,763 reports so far in 2021.

In addition to taking victims’ money, scammers often commit fraud or identity theft using the information they obtained from the victim.

Broking industry threats

Recent instances have also highlighted that the broking industry is not immune from this threat, with reports of attackers successfully impersonating brokers and borrowers to intercept payments.

One particular scam involves an attacker impersonating a broker over email, which led to the broker’s client depositing money into the criminal’s account rather than a settlement account. As a result, the client lost their funds.

The WA government issued a warning about similar scams targeting home buyers earlier this year, following reports of prospective home buyers irretrievably losing hundreds of thousands of dollars after being misled by hackers posing as settlement agents.

The WA commissioner for consumer protection, Lanie Chopping, commented at the time: “Payment redirection or ‘man in the middle’ scams are becoming all too common, with email accounts being hacked and cloned, with demands for money being made in situations where the victims may be expecting to receive such a request, so are less likely to question it.”

Brokers can be particularly susceptible to hacking and data breaches from malware, “phishing” – where dubious links are sent by a hacker in an attempt to access personal accounts, and general deception. 

Attacks such as these can lead to consequences that include loss of funds, the publishing/ransoming of confidential client and financial information, and identity theft. 

Regulators in the finance space have also experienced incursions recently, with the Australian Securities and Investments Commission having experienced an incident of “unauthorised access” on one of its servers, which meant it had to update its to Australia Credit Licence application process.

One method of protection encouraged by the Australian Cyber Security Centre is for businesses to introduce a system that requires at least two proofs of identity in order to grant access, also known as multifactor authentication. 

[Related: ASIC to update ACL process following security breach]