Privacy under attack The threat to our data

CANNINGS PURPLE WHITE PAPER

Data breach

Chris Leitch is Cannings Purple's data breach communications lead, driving risk management projects and shaping strategies for clients that allow leaders to be prepared and agile in crisis and issues management.

He is available to lead or support projects around data breach preparedness, including development of communications plans, scenario planning, auditing and testing existing plans, helping to build a secure data culture and developing data breach simulations to test resilience.

We can help!

Cannings Purple is your partner to build and test data breach resilience. Start a conversation with our data breach lead Chris Leitch today

The databases of telecommunications firm Optus were hacked in 2022, in one of the biggest breaches in Australian history. Up to 9.8 million current and former customers had personal data such as phone numbers, addresses, Medicare and driver’s licences stolen.

Optus CEO Kelly Bayer Rosmarin, reflecting on the data breach at a business lunch in March 2023, said the company did everything it could to protect customers but it was clear they were unprepared in terms of communications.

“We sent out 16 million customer communications [with] 110 different bespoke messages for the different cohorts...

“There were a couple of messages that, when you read them, you thought: ‘Oh, this looks like it’s been written by someone who hasn’t slept in four days’.

“I wish every single one of those 110 communications had been to our usual level of quality.”
- AFR, March 2023

Communications with clients and customers are the public facing interactions but the clarity of messages to staff, suppliers, and other stakeholders are equally important.

The Optus data breach

Close

Case study

“

Continue reading below

Millions of Australians have lost control of their personal data as a result of notifiable data breaches.

Three of Australia’s biggest data breaches occurred in the last 12 months.Whether they were the result of malicious actions or negligence, their details are potentially in the hands of cybercriminals, leaving them exposed to fraud and identity theft.

Cyber threats are evolving faster than any other risk management areas, and business leaders must demonstrate they are taking these threats seriously.

The threat to our data

The databases of telecommunications firm Optus were hacked in 2022, in one of the biggest breaches in Australian history.

The Optus data breach

Case study

For many organizations, understanding the full scope of the relationship between cyber riskand their third-party suppliers/vendors can be a blind spot. Yet it is critical.

Marsh/Microsoft State of Cyber
Resilience Report

About two notifiable data breaches are made each day in Australia on average, with around seven in 10 of those reports the result of malicious or criminal actions.

When information is stolen, goes missing or becomes visible to criminal elements, the reputational damage can be devastating, shattering the trust that staff, customers, investors and other stakeholders have in an organisation as a sound custodian.

Increased sophistication by attackers and the widespread availability of ransomware and malware tools has raised expectations for company disclosure, through such means as the Notifiable Data Breach scheme.

Data breaches among bigger companies, such as Optus, Medibank or Latitude Financial, have long tails and investors make their influence felt by withdrawing funds or taking legal action.

The risks are more than just within organisations, with supply chains increasingly a weak link in data protection risk management.

A supply chain attack, also known as a value-chain or third-party attack, occurs when information is compromised through an outside partner or provider with access to your systems and data.

Personal information is legitimately shared with third-party organisations and platforms for the purpose of doing business, such as an external agency who handles services or a software platform used for business purposes.

Although many businesses have effectively enacted internal cybersecurity protections, The Marsh State of Cyber Resilience Report 2022 found that just 43% have conducted risk assessments of their supply chain.

Despite best efforts, the reality is that almost all organisations will experience some form of privacy breach, cyberattack or other serious data breach, which can be harmful to people and damaging for an organisation’s financial position and reputation.

As regulations on managing sensitive data and third-party vendors continually evolve, compliance is becoming increasingly complex.

There is an increasing need for business leaders to develop cyber-resilience and a data safety culture with their organisations, as well as rapid response capabilities.

A well-rehearsed communications plan and a strategy to mitigate the impact of cyberattacks or data breaches can be the difference between saving an organisation’s reputation or destroying relationships with stakeholders.

The response in the first 72 hours can determine if the damage will become irreparable.

Preparation is critical to managing cyberattacks and data breaches, and no effective response was ever created in a time of crisis.

Organisations need to know what data is being protected and how it’s being protected, and where there are risks and vulnerabilities in accessing information.