What to do if your data is compromised in a company cyberattack?

Facebook X Reddit Pinterest

Millions of Australians have had their data compromised in recent major cyber attacks and while the crime may be committed virtually, it can have very real consequences for victims.

Optus, Medibank and Latitude Financial Services are among the major companies recently targeted in high-profile cyber attacks, and the private customer data stolen in those breaches could now be in the hands of hackers, scammers or those seeking to commit identity fraud.

We spoke to a cybersecurity expert to find out what you need to know in case your data has been exposed, from licence and passport numbers to sensitive health details and email addresses.

Thousands of Australians have been caught in company data breaches in the last year. (Getty Images/Cultura RF)

What details can be exposed in a major company hack?

It all comes down to what data the company has of yours.

Richard Buckland, Professor of CyberCrime at UNSW, said the government needs to act to protect Australians by limiting what companies can hold.

But at this stage, sensitive information held can be as simple as names, dates of birth, addresses or phone numbers.

This can escalate to be as invasive as bank details, credit card information, transaction histories, rental histories and even deeply personal health data, as seen in the Medibank breach.

In the case of Medibank, a trove of medical history was held for ransom and ultimately some were posted online, causing deep anguish for those involved.

On the other end of the spectrum, Buckland said the extremely concerning Latitude breach could put victims at serious financial risk.

Hacker working on laptop in the dark - scam - shadowy figure online — Details like your name, address, passport or driver’s licence can be breached. (Getty Images/iStockphoto)

“The data they hold on to is the data they use to identify us before a financial transaction,” he told 9news.com.au.

“If the bad guy gets it then the bad guy can go and do financial transactions.”

The data includes all the information required to take out a loan or a credit card, which can be done online.

He warned driver’s licence information isn’t just restricted to the number now that companies ask people to submit photographs of their cards, which also show a picture, name, address and date of birth.

What should I do if my data is breached in a cyber attack?

If your driver’s licence or passport numbers are exposed in a major breach, you should contact the company to have these identification documents replaced.

Buckland said this should be done as quickly as possible.

Similarly, Latitude has offered to cover the costs of replacements.

If the fallout is in its early stages, you can replace both documents at your own cost and they will have different identification numbers.

It is best to contact your state or territory’s transport department for help with licences.

You can grab a form from Australia Post or go through the passport replacement portal to get a new official travel document, which costs about $193.

Queensland unveils change to drivers licence — Experts urge anyone who has had their data breach to immediately replace identity documents. (Twitter)

Obviously, you can’t change your date of birth, and you’d have to move to change your home address.

Be aware that if you replace your Medicare card, it will have the same number on it.

If you’ve been compromised, Buckland also recommended checking your credit history through one of Australia’s three credit bodies.

This is where you will be able to detect if a criminal has tried to take out a loan in your name.

It might not stop you from being hacked but it will let you know earlier, Buckland said.

“If a criminal goes to another bank you have no relation with, that bank will contact one of these people to let them know,” he said.

To protect yourself from large amounts of money being taken, Buckland advised keeping bank accounts separate, with only a small amount in an everyday account that’s shared with companies.

“The idea being if someone gets in they can’t get everything,” he said.

The same can be done with a credit card by having one with a low limit and another for bigger amounts.

Replacing a passport can cost about $193. (Getty)

Brace for future scams as cunning thieves seize on breaches

Every seven minutes there is a report of a cyber attack in Australia. In reality, that’s only what has been reported and many go undetected.

More than 76,000 cybercrime reports were logged in the latest annual government report, up 13 per cent from last year.

You might think the criminals responsible for these big hacks are the biggest danger to you but they aren’t.

The cybersecurity expert warned it’s actually the ”opportunist scammers worldwide that will seize this as a pretext for tricking people”.

So what does that look like?

Well in the case of Latitude it could be receiving a letter, call, text or so forth from someone pretending to be JB HI-FI or Harvey Norman – some of the company’s clients – asking about the scam and offering support.

Scammers are not just bombarding Australians with text messages anymore. Now they are turning to letters to convince people to part with their cash. — Scammers could reach out via email, text or even letters. (Scamwatch)

However, these are scammers who can obtain your details and go on to commit their own scams.

“It will be a wave of scams going on now,” Buckland warned.

He advised people to be suspicious of anyone who contacts you and not reveal any information or transfer money. Here’s some examples to be careful of.

Be wary of messages that know your name, birthdate, address or other personal information.

In the case that you an email or message like this, never click the link within it.

”Do nothing, no matter how convincing a phone call, email or letter don’t trust it,” he said.

Remember, people can also be vulnerable to wider hacks if their passwords are easily guessed from your personal information.

Keep an eye on online accounts and check for unusual activity, from social media and banking.

How to avoid being a victim of a major company cyberattack?

This is a tough one as the data has been exposed through the company.

This is where Buckland said the government needs to act.

Privacy and data policies could be ramped up so companies are forced to look after the data they hold properly.

However, some laws require companies to hold on to data for a period of time, which Buckland said gives businesses an “excuse for hoarding data”.

It is up to major companies to prevent data breaches. (Nine)

“We need laws stopping companies from keeping data, laws stopping companies from demanding data and laws stopping companies from storing data,” he said.

Sadly for customers, there isn’t a lot you can do when a company is hacked.

His top tip in a perfect world would be not to give your details to anyone and avoid keeping all your money in one place. But we don’t live in a perfect world.

“The best thing you can do is be obnoxious and not hand out data but that’s difficult,” he said.

“These are hard things for people to do it’s unfair that consumers take on and wear all the risk.”

Another option as a fail-safe is to ensure two-factor authentication is used for all your logins.

This can ensure stronger protections against a hacker getting into your accounts like online banking, PayPal or emails.

The government is trying to crack down on businesses that fail to protect customers from a major data breach.

The text message to look out for that could trick almost anyone

Penalties can be even larger depending on company turnover and the estimated value of the stolen data.

Reported losses from cybercrime in the 2021-22 financial year were $39,555 for small businesses, $88,407 for medium businesses and $62,233 for large businesses.

But self-reported losses amounted to $98 million in this period.