The human factor: the untold impact of data breaches

Who is Australia’s average data breach victim?

More females than males fall victim to a data breach, according to iDcare, and most are aged between 25 and 45. There’s an even geographic spread across the country.

Most of the time individuals directly enable the compromise of their own information, generally through a telephone or phishing scam, the organisation has found.

Almost 90 percent of those who have been breached self-detect a compromise and/or later misuse of their data, but only 3 percent report it to law enforcement.

Around half of people who have had their details compromised will have this data abused - for example their stolen credit card details are used to make purchases.

The majority of the breaches reported to iDcare involve stolen driver's licence details, either in a physical or online form, followed by bank account information, debit and credit card data, and mobile phone account information.

Of all compromises reported to iDcare, there’s a 50/50 split between online and physical breaches, the latter including things like stolen driver’s licences and mail theft.

The organisation sees a lot of the classic Microsoft telephone scam - where an attacker impersonates a Microsoft employee to gain access to a target computer - or ransomware like Cryptolocker, which Lacey says is extending from business scenarios to individuals.

However, almost all misuse scenarios - where personal data is stolen and then used in some way by the attacker - occur online. The average value of this sort of fraud is $27,267.

What to do when you've been breached?

For individual victims, iDcare looks to address how they can mitigate flow-on effects through a practical and tailored response plan. It spends an average 19 hours on each individual client.

“If your email was hacked, you might have 12 different identifying credentials in there. iDcare has a specific response measure for each of those scenarios, which we can give to you in one place,” Lacey said.

“For every hour we invest in a client, we save them 12 hours figuring out what’s within their email that they need to address, and the process and requirements the organisations will require you to address.”

Lacey says the organisation doesn’t yet have the data to identify how many cases it has successfully resolved for clients, but points to an 83 percent customer satisfaction rate, and a newly-funded research project that will map the journeys of its clients over 12 months. The study started last month.

“Once you have your identity compromised, it’s not like you can get it back,” he said.

“Success for us looks like [a client] hasn’t experienced misuse, and they’ve managed risk around compromise. We haven’t had any clients calling us back saying it’s happened again since we’ve been in operation.

“But this study should hopefully really drill into that, what [clients] look like at the 12 month, 18 month mark."

Lacey will present an insight into iDcare’s first 18 months in operation at next week’s AusCERT 2016 conference in Brisbane.