More than 3000 government officials were reportedly caught up in Yahoo’s massive data breach of 2013, as experts warn that Australians are too complacent about the implications of cyber security attacks.
The breach, which occurred in August 2013 but only came to light last year, resulted in details of 1 billion users being stolen, in what was the largest data breach from a single website in history.
Social Services Minister Christian Porter, Shadow Treasurer Chris Bowen, Victorian Premier Daniel Andrews, Liberal MP Andrew Hastie, opposition health spokesperson Catherine King and Liberal senator Cory Bernardi have all reportedly been affected by the breach, based on information provided to the ABC by US cyber security firm InfoAmor.
Still, the minister assisting the Prime Minister in cyber security, Dan Tehan, said the breach was unlikely to cause any serious security issues for the government.
“Government systems are designed to reduce the likelihood of successful targeted spear phishing attacks and I’m advised the probable impact on government and government activities is low. However, it is important that everyone, including government employees, remain vigilant of unsolicited emails and suspicious links,” he said.
“We all must take responsibility and be proactive about improving our cyber security, such as using email products that use two-factor authentication.”
Prime Minister Malcolm Turnbull also told ABC Radio on Tuesday that he had requested a report on the breach from his special adviser for cyber security Alistair MacGibbon.
The stolen information included email addresses, passwords, recovery accounts, and other personal information. The breach affected not only Yahoo email accounts, but also details relating to blogging platform Tumblr and photo-sharing website Flickr.
The Yahoo breach was just one of a range of high-profile cyber security breaches that emerged in 2016, with companies such as Myspace and LinkedIn also revealing they had been infiltrated by hackers.
Cyber security advisor Rachael Falk told The Australian Financial Review that while this information on its own may seem “innocuous”, it can be used to compile a dossier on an individual.
“All data has value. Looking at emails can tell you who speaks to who and who might be involved in strategic discussions,” she said.
“The information can be used in a range of ways, including to socially engineer emails to the person. If you know who they talk to, or where they went to school, or have any kind of intimate knowledge of them, it makes it more likely they will become a victim of social engineering and then they can be phished, or be involved in a greater scam.”
In 2015, cyber crime was estimated by Norton to cost Australians $1.2 billion a year.
Director of Hacklabs, a PS&C company, Chris Gatford said his firm was aware of at least one breach a week happening in Australia where customer data was compromised.
“We haven’t had a significant enough event here in Australia yet to change people’s perceptions about how serious it is. But it’s coming, it will occur, and a business will become the poster boy of what not to do, just like Target did in the US,” he said.
“The impact of this breach, because it involves MPs, is more significant because some of them obviously have reasonable wealth and they also handle sensitive information.
“Anyone with access to that information has different ways of monetising it. They might be willing to sell it on to people who specialise in making use of personally identifiable information (PII) or they might be able to use it to forge identities, or gain access to additional services.”
In 2012 hackers managed to destroy Wired reporter Mat Honan’s digital life, having compiled small amounts of information on him. When the hackers accessed his Amazon account, this then gave them his Apple ID, which helped them get into Gmail and then Twitter.
The breach resulted in his Google account being deleted, his Twitter account being used to tweet racist and homophobic messages, and all the data on his iPhone, iPad and MacBook being remotely wiped using his Apple ID.
Mr Gatford said this case demonstrates how even small pieces of information, like that stolen in the Yahoo breach, can be used to wreak much greater havoc.
“You can never get back your date of birth when that information is stolen and that is something we use as an authenticator to gain access to account information. If someone has your name, account data and address, there are a lot of organisations that would accept that as authentication.”