Heard of social engineering? In the context of information security, social engineering is defined as the use of deception to manipulate individuals and institutions into divulging confidential or personal information that may be used for fraudulent purposes.
Phishing attacks against online accounts are one form of social engineering in the information security sense.
So, too, is someone calling a government agency and pretending to be someone else in an effort to access personal information and fleece that person of their money, benefits and identity if the attempt is successful.
According to a Guardian Australia report on the weekend, Services Australia reported 49 data breaches as a result of social engineering by early July 2024, which is more than 440 per cent higher than the nine social engineering breaches reported by the agency for the whole of 2023.
Before that, only one social engineering breach was reported each year in 2020, 2021 and 2022.
That’s a massive hike in data breaches against the agency tasked with managing benefits and reimbursements for millions of Australians, and with gathering and retaining their identifying data and bank account details.
According to the Guardian’s report, Services Australia says the surge in social engineering is largely the result of people using someone else’s personal information that was stolen in data hacks elsewhere.
“The vast majority are the result of customer information becoming compromised through previous third-party data breaches occurring in Australia and overseas, as well as from small- and large-scale identity theft or phishing scams and from mail theft,” Services Australia general manager Hank Jongen is reported as saying.
“The increase in notifiable data breaches in recent years across industry and government reflects the growing trend of scammers impersonating organisations and targeting individuals to steal sign-in credentials and other personal information.”
More than 14,000 Australians were notified during the 2023-24 financial year that their data held by the agency had been potentially accessed illegally – again, a big jump on previous years.
So it’s official, the scammers are winning.
Government agencies are struggling to keep up with the aims of ill-intended players at home and from across the world.
They are stealing data from wherever they can and then using that personal information to steal from elsewhere whenever they can.
The Services Australia surge can almost definitely be attributed to the recent huge data attacks against Medibank and MediSecure.
The MediSecure data breach alone affected about 12.9 million Australians.
Australian Privacy Commissioner Carly Kind has laid out the gravity of the problem for the government and private sectors.
The latest statistics from the Office of the Australian Information Commissioner (OAIC) show the number of data breaches notified to it in the first half of 2024 was at its highest in three and a half years.
The OAIC was notified of 527 data breaches from January to June 2024, according to the latest Notifiable data breaches report released in September.
This is the highest number of notifications since July to December 2020 and an increase of nine per cent from the second half of 2023.
Governments and the health sector were the biggest targets.
Commissioner Kind said the high number of data breaches is evidence of the significant threats to Australians’ privacy.
“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm,” the Commissioner said.
“This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm.
“Privacy and security measures are not keeping up with the threats facing Australians’ personal information, and addressing this must be a priority.”
That’s the take-home message – anti-scamming measures are not keeping up with the pace of the threats and the number of successful scamming incidents.
The government seems to be at a loss. It’s trying, but it’s an uphill and, so far, losing battle.
New legislation, such as the Privacy and Other Legislation Amendment Bill 2024, means nothing to malicious players.
The same goes for penalties against companies found to have been lacking in their security systems.
Yes, better security and smarter encryption of data must be encouraged and should be enforced. It all helps.
“We would like to see all Australian organisations be required to build the highest levels of security into their operations to protect Australians’ personal information to the maximum extent possible,” Commissioner Kind said.
Hear, hear – but the hackers operate outside of all rules and regulations.
It’s called social engineering, and it’s fast becoming one of the biggest out-of-control threats to face the nation.
Original article published by Chris Johnson on Riotact.