Australia is calling cybercriminals, data theft victim assistance service says

IDCare, a non-profit organization that helps victims of cybercrime, said that by making it easier for regulators to fine companies with insufficient data security and decriminalizing ransom payments, Australia could inadvertently fuel a wave of cybercrime.

The letter appears in an unpublished document, seen by Reuters, addressed to the attorney general, who is working to update privacy laws for the internet age, just as the country is experiencing an uptick in widespread data theft that the government says is affecting approx. every family.

“One of the main reasons why Australian governments and businesses are a growing target of ransomware attacks […] “Do we pay,” IDCare said in its report.

IDCare’s opinions will greatly influence the government’s review of privacy laws, which would make it easier to impose fines or prosecute companies that fail to protect people. its customer data, as IDCare has become one of Canberra’s groups dedicated to helping victims of cybercrime.

Canberra raised the maximum fine from A$2.2 million to A$50 million ($34 million) for companies that failed to prevent data theft after the first major attack in October, during which around 10 million customer accounts for the second-largest telecom operator, Optus, were compromised. owned by the Singapore Telecom Corporation.

The government is now considering making it easier to implement this fine and to make it easier to prosecute perpetrators of personal information theft.

IDCare said that by threatening huge fines, Australia would force companies to choose between paying A$1 million, the usual cost of a ransom demand, or notifying authorities and risking a fine of up to A$50 million.

“When it comes to ransomware attacks, Australia is open for business,” the authority said.

IDCare noted that Australia was the fifth country targeted by data thieves in January 2023, far worse than other countries for its economy and population.

Without rules prohibiting or discouraging the payment of ransoms, ransomware groups targeting our organizations are unlikely to curtail their activities.

A spokesman for the attorney general, Mark Dreyfuss, said the government moved quickly to toughen penalties in the wake of widespread data breaches and would consider 116 motions as part of a review of the law. Concerning the protection of privacy before a decision on the necessary action is taken.

The Australian Information Commissioner’s Office said its approach to sanctions or creating new rules would be “practical, evidence-based and proportionate”.

The demand is increasing

Since Australia required companies to report data breaches in 2018, the IDCare report said community demand for its services has skyrocketed.

Within a month of the Optus hack, leading health insurance company Medibank Private Ltd revealed that millions of its accounts had been compromised, with sensitive medical information stolen from hundreds of thousands of people.

Last month, Latitude Financial Group Holdings Ltd, a consumer credit provider, said hackers stole data from about 14 million customer accounts over nearly 20 years.

In each case, authorities directed affected customers to IDCare, which helps victims close compromised accounts, notify affected service providers, and prevent losses.

To stem the flow of calls, IDCare is now creating “major incident” sites for those affected by the breaches, Mark Rowley, the company’s chief commercial officer, told Reuters.

It also plans to open a new support center in Sydney by mid-2023, as well as centers in Brisbane, Perth and New Zealand, and increase its staff from 40 to 60 people.

“There is no doubt that since last October the wave of data incidents has continued, if not escalated, which has already necessitated an acceleration of plans,” Rowley said.

“I don’t think any of us have planned events of this magnitude in Australia this year.

($1 = 1.4806 Australian dollars)