How much data do Australians give away and how much are we at risk?

Millions of Australians are now trying to protect their data after personal details were accessed during an Optus breach, but many of us are sharing personal information online every day.

Personal data can be shared and stored through social media, online shopping, and a variety of mobile applications. Source: AAP

Key Points
  • Millions of Australians are trying to protect their data after hackers accessed personal details in an Optus breach.
  • However, we are all sharing our own data every day via websites and social media. Here's what you need to know.
Every day, whether we realise it or not, we are sharing

When we check into locations on social media, make an online shopping purchase, access banking or medical websites, pay bills, or even use online navigation, all of these platforms can access and store our data.

Millions of Australians are now trying to protect their data following an Optus breach, which resulted in hackers accessing customers' personal information including names, dates of birth, phone numbers, email addresses, driver's licence numbers, passport numbers and Medicare numbers.

While the data in the Optus breach was illegally obtained and reportedly shared on the dark web, cyber security experts have pointed out that many of us are unwittingly sharing extremely personal information every day.

So how much data do Australians give away, and how much are we at risk?

What kind of personal data is stored online?

The scope of online data is extremely broad, and the type of information available will vary depending on how much you use the internet and your security settings.

According to technology commentator Geoff Quattromani, many of us are regularly giving away more than we realise.

Basic research on social media or a search engine can reveal where you live, your date of birth, personal email address, workplace, and details about your partner or family.

"We're sharing a lot of data online, voluntarily and very publicly as well ... there is a lot of information about us that we would probably consider sensitive information that we're actually sharing very publicly already," he said.

"If I was to ring up (your workplace) and pretend to be you, there's a lot of identifying factors there that can help verify who you are, and potentially have your email address password changed so that I can log into it, and then the things that I could do from that would be perhaps profound."

What can somebody do with your data?

Professor Dali Kaafar, professor and executive director of the cyber security hub at Macquarie University, said he was particularly concerned about personal data being used for sophisticated scams.

"The one thing I am personally concerned about is the use of this data for things like sophisticated social engineering or more efficient social engineering type of attacks and type of threats against individuals ... things like phishing activities, and scammers really are using such data to be much more credible to the most vulnerable of us," he said.

"Scamming is perhaps the one particular activity or the one particular threat that I really would like to raise big attention to when it comes to the use of this particular data ... now suddenly we have data out there that is geared with personal information that could be used against individuals."

Mr Quattromani said this information could also potentially be used to contact financial institutions and access bank accounts.

"When we think about what we've shared in our entire time, on social media, for example, we have been sharing a lot of information and it is all still existing out there if we haven't gone and deleted anything," he said.

"We have so much information out there; we just need to think about where it all sits and whether we think it's going to be a problem in the future or not."

What is the dark web, and what does it have to do with data?

Following the Optus data breach, there have also been discussions around data being distributed via the 'dark web'.

The dark web refers to a corner of the internet which is only accessible via specialised software and allows users to remain untraceable.

Professor Kaafar says the dark web is "an unfortunate reality" when it comes to how data is shared and sold online.

"There is a data marketplace out there, it's a reality – the dark web sadly is a reality of how data and a different type of scripts and attack execution models and techniques are being shared and sold out there," he said.

"It's actually that ecosystem of mostly criminal activities happening out there to either share knowledge about possible attacks and possible vulnerabilities, or in fact sell and buy some of these techniques, but also, sell and buy and trade data sets like this."

Professor Kaafar said users apply technologies such as virtual private networks (VPNs) or multi-hop networks to hide their identity and where they are connecting from.

Members of forums then establish communications to share data, with transactions often taking place via digital cryptocurrencies that are difficult to trace.

How long do companies store your data?

It's easy to assume that as soon as you cease membership with a company, or if you pass away, they will instantly delete your data, but that is not necessarily the case.

Mr Quattromani says companies often retain customers' data for several years for both legal and technical reasons.

"Data sometimes does need to be held, whether it's for legal purposes or financial transaction records and things like that," he said.

"Usually it is actually a seven-year window in where you need to retain customer data, even if they're no longer transacting with you, but it doesn't necessarily need to be in the same pool of data as your active customers," he said.

When a person is no longer in-contract or an active customer of a business, Mr Quattromani says the company should archive the data.

What are the basic steps you should take?

For those wanting to be more careful with their personal data online, Mr Quattromani has several suggestions:
  • Set up two-factor authentication. Two-factor authentication means even if somebody knows your email address and password, they will also need an additional code that is sent to your mobile phone. This can be set up on platforms such as social media, banking, and emails.
  • Be careful of what you share publicly on social media. Consider restricting your posts so they are limited to only your friends, reducing your circle of friends online, and don't reveal personal information via photos. Innocent pictures such as a child's school photo or birthday party can inadvertently disclose many of your personal details.
  • Be wary of how much information websites ask for. When you sign up for a service or delivery, take a moment to think about how much of your data they really need. For example, if you purchase a product online, the company should not need to know information like your date of birth.
  • Use secure websites when online shopping. Certain websites are more secure than others. For example, when a website has a padlock image next to the URL and the address begins with the letters 'https', as opposed to one which begins with 'http', this means the transaction is secure and encrypted.
  • Use banking apps. When using online banking, mobile applications can often be more secure than browsers. Computer browsers can be tracked or compromised more easily, whereas mobile applications usually require either fingerprints or facial recognition to unlock the phone, in addition to account details and a PIN.

Published 29 September 2022 5:55am
By Jessica Bahr
Source: SBS News