Data breaches are on the rise, but that won’t force companies to up cyber security
You would be forgiven for thinking data breaches are on the rise.
The latest was revealed on Wednesday when hundreds of people who have an Aviation Security Identity Card were sent an email telling them their information might have been stolen.
Ian Brightwell was one of thousands whose data was compromised in the recent PageUp data breach in May.
"I just received, as many people did, two emails. One from David Jones and one from the Attorney-General's office," he said.
But he said those emails did not give him much confidence about what had been leaked.
"It's very unclear whether maybe passwords and things are out there," he said.
"The impression I get is they don't know. Which doesn't leave you with a good feeling."
Companies that use PageUp's recruitment software on their career websites had to notify thousands of people who had applied for a job that their data was compromised.
It is part of the Government's Notifiable Data Breach scheme (NDB), which mandates companies inform the Government and victims when their personal data has been leaked.
The NDB scheme was implemented last February and while the first-quarter numbers are not a full reflection, they are shocking nonetheless. Only six weeks were monitored in the first quarter.
The Office of the Information Commissioner was told of 63 breaches between February 22 and March 30. That is 1.5 breaches a day.
The second quarter numbers are due out this month.
But experts say reporting breaches will not stop your data being stolen.
"It's not really forcing companies, as far as I can tell, to up their cyber security," visiting fellow at the Australian Strategic Policy Institute, Tom Uren, said.
"I expect there were many [breaches] that weren't reported."
Businesses weighing up the risks
"Companies face two sorts of risks when there's a data breach," Mr Uren said.
"There's the reputational damage that occurs and there's also the possibility of fines from the information commissioner.
"Those fines are actually pretty small. So, there's a temptation I think for companies to not report and just hope to keep the data breach hidden."
Murray Goldschmidt from Sense of Security works with companies to develop their cyber security.
He said businesses were not taking cyber security seriously.
"There are many organisations out there who are still quite far behind others in the marketplace," he said.
"Unfortunately, I think many organisations will be waiting for some evidence that there is actually a large financial implication around having a data breach and they might only take action after the fact."
It is hard to know the exact costs of a data breach. There are many variants — from the type of breach, how many people are affected and what kind of business you are in.
But the Ponemon Institute has tried to crunch the numbers.
They have looked at data breaches around the world and say the average cost to a company is more than $5 million.
But it says the cost of a "mega breach", where 1 million to 50 million records are lost, can run from $54 million to $474 million.
Victims taking action
Companies could be up for big costs if they face a lawsuit over a data breach.
Sydney-based Centennial Lawyers is working with people like Mr Brightwell who were caught up in the PageUp breach to launch a class action.
"We provide these businesses with our own personal data and they exploit that," solicitor George Newhouse said.
"When something goes wrong there are no repercussions. A class action can have a role to hold these businesses accountable.
"Businesses can factor in the cost and the risk of having to pay compensation against the cost of providing appropriate levels of security."
The message to business from the cyber experts is clear — pay for the strongest cyber security you can.
"People think of that as a cost, but I actually think in the long term, that's a business enabler," Mr Uren said.
"If you can't keep your data secure, you run the risk of basically losing the business."