This is a wake-up call for website security
Another prominent ANZ website has been hacked, exposing those impacted to identity theft and scams. It’s time for businesses to prioritise robust security of their digital assets.
A never-ending battle
Recent news of a massive data breach targeting a prominent New Zealand website may have been overblown. Initial news reports suggested millions were affected, but MediaWorks, the company involved, has clarified that the breach impacted around 403,000 individuals who entered online competitions since 2016.
While the good news is the number affected is lower than first feared, this incident exposes a critical vulnerability: many websites are not equipped to handle even basic security threats. And the impact on these 403,000 customers shouldn't be downplayed. The exposed data, which includes names, addresses, dates of birth, and contact information, exposes those individuals to potential identity theft and targeted scams.
But this incident isn't isolated. Other high-profile website hacks over the last few years have included:
- 2023 - Genoapay and Gem Visa - This "buy now, pay later" company suffered a data breach exposing 7.9 million New Zealand and Australian customers' driver licence details and 53,000 passport numbers.
- 2022 - Optus telecoms - A cyberattack compromised the personal information of 9.8 million Australian customers, including names, addresses, and dates of birth. The company is facing legal action as well as multiple government investigations and a Senate investigation due to the incident.
Here’s what we know
Let's dive deeper to understand the true scope of the most recent breach, and more importantly, what businesses can do to safeguard their online presence.
The breach targeted a specific database containing competition entries.
Data classification and segmentation are critical for minimising the impact of a breach. Not all data needs the same level of security, so separating sensitive information from less critical data like competition entries limits what a single compromised database can expose.
Hackers exploited a previously unidentified vulnerability.
This reinforces the need for continuous vigilance in security measures and regular vulnerability assessments. Website development companies should prioritise secure coding practices and employ tools to scan code for vulnerabilities before deploying a website. Additionally, website hosting providers should offer regular penetration testing to identify and address weaknesses in their infrastructure proactively.
Steps are being taken to improve security and support affected individuals.
The steps MediaWorks is taking are commendable: they include notifying relevant authorities, improving security protocols, and offering guidance to those impacted. This highlights the importance of having an incident response plan and understanding your obligations under the Privacy Act 2020 to notify the Privacy Commissioner of breaches and to report system vulnerabilities to CERT NZ.
Protecting your digital assets
The solution lies not just in reactive measures after a breach, but in taking a security-by-design approach that builds security into the whole development process. This is the only way to ensure a website or application meets a required level of security before a breach is even attempted.
Here's what needs to change:
- Security-conscious development - Building a secure website isn't an add-on; it's the foundation. Developers must be trained in secure coding practices to eliminate vulnerabilities from the start.
- Secure hosting environment - Choosing a website host is like picking a digital home. Opt for providers with robust security features – firewalls, intrusion detection systems, and data encryption are non-negotiables. Look for providers who offer regular security reviews and demonstrate a commitment to keeping their systems up-to-date with the latest security patches.
- Vulnerability management - Regular penetration testing should be a standard practice to identify and address weaknesses before they are exploited.
- Data minimisation - Businesses should collect and store only the data they absolutely need. Less data means a smaller attack surface for hackers.
- Data encryption - Sensitive data, both at rest and in transit, should be encrypted to render it useless even if intercepted.
The rallying cry
The incident serves as a reminder to businesses of their responsibility to prioritise robust security of their websites and applications throughout their development and hosting lifecycles, as well as keeping up with maintenance and regular checks to stay ahead of threats.
This may mean asking whether your website development company is prioritising secure coding practices and employing tools to detect and patch vulnerabilities before they can be exploited. It also means confirming whether your website hosting provider is investing in robust security infrastructure with firewalls, intrusion detection systems, and regular penetration testing to identify weaknesses.
Your digital partner: Dynamo6
Dynamo6 is here to help you secure your digital presence. We offer comprehensive technology services, including secure software development, secure website hosting, and vulnerability reviews. Contact us today to learn more about how we can help you.