Hackers could see Australia as weak target after Optus, Medibank data breaches.
International hackers and computer-hacking syndicates will be eyeing off more Australian targets after a string of recent data breaches, a cybersecurity expert says.
Ben Walker worked in cybersecurity in the private health insurance industry for six years, and says hackers will now “see Australia as a soft target”.
“I think hackers will be emboldened by this; they’ll probably come again looking for another organisation to exploit as well,” he said.
“They would be interested in the fact that two massive companies in Australia have both been impacted in short succession.”
While Medibank is yet to detail the cause of the breach, he fears the insurer may have left itself vulnerable.
“I think the truth is the company would have either left the door unlocked, or a door open, or a window unlocked, or a window open,” Mr Walker said.
Medibank’s chief executive, David Koczkar, has offered an unreserved apology to those affected and promised to continue to provide customers and the public with updates on the investigation.
“Medibank is actually quite sophisticated and quite mature when it comes to its cyber defences,” Mr Walker said.
“If it wasn’t Medibank, it certainly could have been one of the other big private health insurers,” he said, adding hospitals or general practice surgeries could be future victims.
“My advice to all Australian organisations would be: ‘Be on the lookout’.
“I think there’ll be an increasing prevalence of hacks, with millions of records exposed.”
University of Sydney data breach researcher Jane Andrew said smaller organisations that have been affected by cyber-attacks were likely “keeping it quieter” to avoid scrutiny.
Australia’s data breach notification laws only require companies with an annual turnover of $3 million or more to notify the privacy commissioner about exposed customer data.
Professor Andrew added that current legislation only required companies to disclose to the commissioner, but not to the public.
Professor Andrew said stronger fines were helpful but “not enough”, saying all companies should be forced to disclose breaches.