Aussie Travel Cover, one of Australia’s largest travel insurance companies, suffered a cyber attack last year, which it learned about on 18 December.
The New South Wales-based insurer informed third-party agents of the breach five days later, on 23 December, but chose not to notify the hundreds of thousands of potentially affected policyholders. It told the travel agents that sell Aussie Travel Cover policies that “at this stage, there is no reason to advise policyholders”.
The Office of the Australian Information Commissioner (OAIC)’s data breach notification guide states that it “strongly encourages notification in appropriate circumstances as part of good privacy practice, and in the interest of maintaining a community in which privacy is valued and respected.”
ABC reports that a hacker known as Abdilo “stole a large amount of personal information of travel insurance clients, including names, phone numbers, email addresses, travel dates and how much policies cost.”
He explained his motivation as boredom: “It is irresponsible, I do not justify what I do,” he said. “If you are vuln [vulnerable to hacking] 99 per cent of the time, I am going to steal everything and release it and/or sell it.”
ABC estimates that at least 870,000 records were affected.
Reports suggest that Abdilo used an SQL injection attack to exploit vulnerabilities in old Microsoft server software. Will Ockenden of ABC’s PM said that “the problem with having outdated software means you’re potentially leaving your entire database open to anyone who comes along.
“And the SQL injection attacks have been around for quite a while, but IT security experts are saying that the number is rising of late.
“And it also seems like the hackers have a virtual smorgasbord of choice. There are thousands of websites and servers out there running the old software, so it’s really just a matter of picking the so-called low-hanging fruit.”
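The flaw class described above, shown as an added example in Python with sqlite3; this is not code from the original article and says nothing about the actual systems involved. The `policyholders` table, its columns and the three records are constructed for the illustration. The vulnerable lookup pastes user input into the SQL text, so a tautology such as `' OR '1'='1` turns a one-record lookup into a dump of the whole table, which is exactly the "steal everything" outcome the report describes; the parameterised version sends the same input as data and matches nothing.

```python
import sqlite3

# Constructed sample data standing in for a policyholder table (hypothetical schema,
# invented records; not real data from the breach).
POLICYHOLDERS = [
    ("Alice Example", "+61400000001", "alice@example.invalid", "2015-01-10", 120.50),
    ("Bob Example", "+61400000002", "bob@example.invalid", "2015-02-14", 89.00),
    ("Carol Example", "+61400000003", "carol@example.invalid", "2015-03-03", 240.00),
]

# Classic tautology payload: closes the quoted string and appends an always-true clause.
INJECTION = "' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE policyholders ("
        "name TEXT, phone TEXT, email TEXT, travel_date TEXT, premium REAL)"
    )
    conn.executemany("INSERT INTO policyholders VALUES (?, ?, ?, ?, ?)", POLICYHOLDERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: user-controlled text is interpolated into the SQL statement.

    With email = "' OR '1'='1" the statement becomes
        ... WHERE email = '' OR '1'='1'
    and every row in the table is returned.
    """
    sql = (
        "SELECT name, phone, email, travel_date, premium "
        "FROM policyholders WHERE email = '%s'" % email
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: the value travels as a bound parameter, never as SQL text.

    The same payload is compared literally against the email column and
    matches no row, so the tautology never reaches the SQL parser.
    """
    sql = (
        "SELECT name, phone, email, travel_date, premium "
        "FROM policyholders WHERE email = ?"
    )
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a legitimate value and with the payload; return row counts."""
    conn = make_db()
    legit = "bob@example.invalid"
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, legit)),
        "legit_safe": len(lookup_safe(conn, legit)),
        "injected_vulnerable": len(lookup_vulnerable(conn, INJECTION)),
        "injected_safe": len(lookup_safe(conn, INJECTION)),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print("%-20s %d row(s)" % (label, count))
```

Parameterised queries remove this particular bug regardless of how old the database server is, but they are not a substitute for patching: an unsupported server may still expose other injection paths (in stored procedures, in the server's own extensions) that no amount of application-side care reaches.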
All organisations that are concerned about their data protection obligations – whether under Australia’s Privacy Act 1988 or other relevant national legislation – should implement an information security management system (ISMS), as described in the international standard ISO 27001.
An ISMS is an enterprise-wide approach to information security that encompasses people, processes and technology. Properly implemented and maintained, an ISMS puts in place the controls to keep software patched and supported, to train staff to recognise and mitigate threats, and to handle data breaches properly, including deciding when affected individuals must be notified.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price access to world-class cyber security resources wherever you are in the world.