Malicious or criminal attacks are a leading cause of data breaches notified to the OAIC.

Strong password protection strategies, including raising staff awareness about the importance of protecting credentials, can greatly reduce the risk of this type of data breach.

Australia’s leading agency on national cyber security, the Australian Cyber Security Centre (ACSC), says credentials (usernames and passwords) are typically stolen when:

  • a user is tricked into entering their credentials into a page that mimics the legitimate site
  • a brute-force (automated trial-and-error) attack on username and password combinations is run against a service that does not rate-limit or lock out repeated failed attempts
  • another service is compromised, and the credentials stolen from it are used to access the system directly or are replayed against other sites such as social media and email (often called credential stuffing, which succeeds wherever the same password has been reused)
  • a user’s system is compromised by malware designed to steal credentials.

Tips to prevent and mitigate data spills or breaches

Improving staff awareness of cyber security issues and threats, including the cyber risk environment in which an organisation operates, needs to be a priority for all businesses.

Cyber criminals use common tricks to get employees to reveal their organisational credentials, enabling the exploitation of sensitive information including data protected under the Privacy Act 1988. These include:

  • phishing, where fraudulent messages (usually email) lure victims into handing over confidential information such as their login credentials
  • spear phishing, a more dangerous class of phishing in which criminals use social engineering to target specific companies and individuals with very realistic bait. The messages are tailored using company information sourced from publicly available material such as annual reports, shareholder updates and media releases.

The ACSC recommends prevention techniques such as clearly documenting and training employees in cyber security systems and plans, and designing and implementing cyber security awareness programs for all employees.

Passwords

To mitigate data spills and breaches and other cyber security incidents, the ACSC advises the following:

  • require all users to periodically reset passwords to reduce the ongoing risk of credential compromises
  • consider increasing password length and complexity requirements to mitigate the risk of brute-force attacks being successful
  • implement a lockout after multiple consecutive failed login attempts on an account
  • if credentials have been compromised, reset passwords as soon as possible
  • discourage users from reusing the same password across critical services such as banking and social media sites, or sharing passwords for a critical service with a non-critical service
  • recommend the use of passphrases that are not based on simple dictionary words or a combination of personal information: this reduces the risk of password guessing and simple brute-forcing
  • advise users to ensure new passwords do not follow a recognisable pattern: this reduces the risk of intelligent brute-forcing based on previously stolen credentials.
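As an added example (not code from the OAIC page or from the ACSC), the following Python implements three of the controls listed above in a form that can be run: a passphrase check that rejects a single dictionary word dressed up with digits and symbols, a candidate that contains the user's personal information, or a candidate that merely increments the previous password; and a time-limited per-account lockout after repeated failures. The common-word list, the 14-character minimum, the similarity cut-off and the lockout thresholds are assumptions chosen for illustration, not values the page prescribes.

```python
"""Added example, not code from the OAIC page or the ACSC: a passphrase policy
check and a temporary per-account lockout implementing several of the controls
listed above. The common-word list, thresholds and windows are assumptions
chosen for illustration."""
import difflib
import re
import time
from collections import defaultdict

# Assumption: a real deployment would check against a large breached-password
# list (for example a local copy of a "pwned passwords" set), not this toy set.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "qwerty",
                "letmein", "admin", "football"}
MIN_LENGTH = 14          # assumed minimum passphrase length
SIMILARITY_LIMIT = 0.75  # assumed cut-off for "too similar to the old password"


def core_word(pw):
    """'Summer2023!' -> 'summer': drop leading/trailing digits and symbols so a
    dictionary word with the usual decoration is still recognised."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def check_passphrase(candidate, previous=None, personal_info=()):
    """Return the list of reasons a candidate is rejected (empty = accepted)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if core_word(candidate) in COMMON_WORDS:
        reasons.append("a common word with digits or symbols added")
    lowered = candidate.lower()
    for item in personal_info:          # e.g. names, birth year, staff number
        if len(item) >= 3 and item.lower() in lowered:
            reasons.append(f"contains personal information: {item}")
    if previous:
        # Catches 'Tangerine-Moon-41' -> 'Tangerine-Moon-42' style rotation,
        # the pattern an attacker holding the old password tries first.
        ratio = difflib.SequenceMatcher(None, previous.lower(), lowered).ratio()
        if ratio >= SIMILARITY_LIMIT:
            reasons.append("too similar to the previous password")
    return reasons


class LoginGuard:
    """Temporary lockout: MAX_FAILURES failed attempts within WINDOW seconds
    lock the account for LOCKOUT seconds. The lockout is time-limited so an
    attacker cannot permanently deny service by spraying wrong passwords."""
    MAX_FAILURES = 5
    WINDOW = 300
    LOCKOUT = 900

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can fake time
        self.failures = defaultdict(list)   # user -> recent failure times
        self.locked_until = {}              # user -> unlock time

    def is_locked(self, user):
        return self.clock() < self.locked_until.get(user, 0.0)

    def record_failure(self, user):
        """Record a failed attempt; return True if this attempt locked the account."""
        now = self.clock()
        recent = [t for t in self.failures[user] if now - t <= self.WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.LOCKOUT
            self.failures[user] = []
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)


def replay_attempts(outcomes, step=1.0):
    """Drive a LoginGuard for one account with a fake clock that advances `step`
    seconds per attempt. `outcomes` is a sequence of 'fail'/'ok'; returns the
    guard's decision for each attempt: 'allowed', 'rejected' or 'locked'."""
    now = [0.0]
    guard = LoginGuard(clock=lambda: now[0])
    decisions = []
    for outcome in outcomes:
        now[0] += step
        if guard.is_locked("alice"):
            decisions.append("locked")
            continue
        if outcome == "ok":
            guard.record_success("alice")
            decisions.append("allowed")
        else:
            guard.record_failure("alice")
            decisions.append("rejected")
    return decisions


if __name__ == "__main__":
    print(check_passphrase("Summer2023!"))
    print(check_passphrase("Tangerine-Moon-42", previous="Tangerine-Moon-41"))
    print(replay_attempts(["fail"] * 6 + ["ok"]))
```

Note that a multi-word passphrase such as "correct horse battery staple" passes this check even though each word is in a dictionary; the control is aimed at a single word with "2023!" appended, not at passphrases built from several unrelated words. A per-account lockout should be paired with per-source rate limiting, otherwise an attacker who knows a username can keep a legitimate user locked out by deliberately failing logins.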

Software systems

To mitigate data spills and breaches and other cyber security incidents, the ACSC advises the following:

  • use multi-factor authentication for all remote access to business systems and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository
  • look out for unusual account activity or suspicious logins: this may help detect when a service such as email has been compromised and needs a password reset
  • encourage users to think carefully before entering credentials:
    • ask if this is normal
    • don’t enter credentials into a form loaded from a link sent in email, chat or other means open to receiving communications from an unknown party
    • even if the page looks like the service being reset, think twice
    • do not click the link; instead, navigate to the website directly (typed address or bookmark) and reset the password from there
    • be aware that friends or other contacts’ accounts could be compromised and controlled by a third party to also send a link
  • keep operating systems, browsers and plugins up-to-date with patches and fixes
  • enable anti-virus protections to help guard against malware that steals credentials.
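The advice above to look out for unusual account activity and suspicious logins is easier to act on with concrete detection logic. The following Python is an added example (not code from the OAIC page or the ACSC) that scans a small, constructed authentication log for two signals: a successful login that immediately follows a burst of failures for the same account, and a successful login from a country that account has never been seen from before. The log format, the field names, the four-failure threshold, the ten-minute window and the sample entries are all assumptions made for this illustration.

```python
"""Added example, not code from the OAIC page or the ACSC: detection logic for
two of the signals mentioned above, run over a constructed authentication log.
The log format, field names, thresholds and the sample entries are assumptions
made for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: one login event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|fail)$"
)

# Constructed sample: alice normally logs in from AU; on 5 March a burst of
# failures from a new country ends in a success. bob has one ordinary typo.
CONSTRUCTED_LOG = """\
2024-03-04T09:00:01Z user=alice src=203.0.113.7 country=AU result=success
2024-03-04T09:30:12Z user=bob src=198.51.100.9 country=AU result=success
2024-03-05T02:10:00Z user=alice src=192.0.2.44 country=RO result=fail
2024-03-05T02:10:04Z user=alice src=192.0.2.44 country=RO result=fail
2024-03-05T02:10:09Z user=alice src=192.0.2.44 country=RO result=fail
2024-03-05T02:10:15Z user=alice src=192.0.2.44 country=RO result=fail
2024-03-05T02:10:21Z user=alice src=192.0.2.44 country=RO result=success
2024-03-05T08:45:00Z user=bob src=198.51.100.9 country=AU result=fail
2024-03-05T08:45:30Z user=bob src=198.51.100.9 country=AU result=success
"""


def parse_log(text):
    """Parse lines matching LINE_RE into dicts, oldest first; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_suspicious_logins(text, fail_threshold=4, window=timedelta(minutes=10)):
    """Return (timestamp, user, reason) alerts for two patterns:
    1. a success preceded by >= fail_threshold failures for that user within
       `window` (brute force or credential stuffing that finally succeeded);
    2. a success from a country the user has never logged in from before
       (the user's first success in the log seeds the baseline, an assumption).
    """
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    known_countries = defaultdict(set)    # user -> countries of earlier successes
    for e in parse_log(text):
        user, ts = e["user"], e["ts"]
        fails = recent_failures[user]
        while fails and ts - fails[0] > window:   # expire failures outside the window
            fails.popleft()
        if e["result"] == "fail":
            fails.append(ts)
            continue
        if len(fails) >= fail_threshold:
            alerts.append((ts.isoformat(), user,
                           f"success after {len(fails)} failures within {window}"))
        seen = known_countries[user]
        if seen and e["country"] not in seen:
            alerts.append((ts.isoformat(), user,
                           f"first login from {e['country']}; previously {sorted(seen)}"))
        seen.add(e["country"])
        fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(CONSTRUCTED_LOG):
        print(*alert, sep="  ")
```

On the sample log both alerts fire for alice's 02:10:21 login and nothing fires for bob, whose single failure is below the threshold and whose country matches his baseline. In a real deployment the per-user baseline would come from login history rather than the first line of the file being scanned, and an alert of this kind is the trigger for the password reset (and session revocation) the page describes.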

The ACSC has a range of guidance to help prevent and mitigate data incidents, including strategies for improving staff awareness, multi-factor authentication and creating strong passphrases.