What is a data breach and how can it affect you?
What's coming up?
In this activity you'll find out about data breaches. A data breach happens when personal information is accessed, disclosed without authorisation, or is lost. This means not all data breaches are malicious in nature; they can be caused by human error or by a machine or systems failure.
An example of a malicious data breach is when a third party steals data from a service you use, such as a company, bank, or medical services provider.
Being aware of data breaches
These days it's normal and safe to use the internet to access services for banking, medical needs (including prescriptions), topping up your phone account, or anything else that uses your personal information.
However, it's important to be aware of data breaches when they happen, in case your information is ever involved.
An example of a non-malicious data breach
Not all data breaches are malicious in nature. A data breach may occur as a result of human error or a system fault. For instance, an employee of a health provider decides to back up some data that includes your records. Instead of copying the data, they accidentally delete it. Then, in a panic, they accidentally delete the old backup too.
An example of a malicious data breach
Some data breaches are intended to cause harm. For example, imagine you have a mobile phone service with a widely used telco provider. Your account includes your name, address, date of birth, and some other ID or perhaps answers to secret questions. This information is stored in a database on a computer server.
One day a hacker illegally accesses the server and downloads your information and the information of thousands of other users, with the potential aim of selling it to scammers so they can use it to confirm your identity.
What happens to data stolen in a breach?
When hackers complete a data breach, they often simply encrypt the data so the company can't use it and demand a ransom payment to release the data.
Hackers can also sell the information to scammers, who can use it to commit identity fraud or to help make their scams more credible. A scam can sound more convincing, for instance, because the scammer already knows your date of birth.
You can learn more about how personal information is used for scams in the Identifying and avoiding scams topic.
What happens in an ‘eligible’ data breach
Sometimes, the data breach is what’s called an eligible data breach. This is where the breach is likely to cause serious harm, and the company is required to notify you about the breach.
The company must also tell you what steps you need to take. These steps could be different depending on the nature of the breach.
What to do if you're part of an ‘eligible’ data breach
Depending on the severity of the data breach, a company might advise you to immediately update the passwords for your important online accounts, such as government services and banking. You might also be instructed to provide new or different identification details.
You’ll learn more about what to do if you’re the victim of a data breach later in this course.
Sometimes the company or service closes
Occasionally a data breach can be severe enough that it means the company or service can't keep operating. You won't be able to access the service anymore and may need to find a new provider. This is more likely with smaller companies, and not very likely at all for large companies such as telecommunications providers and big health funds.
How to stay safe after a data breach
Sometimes you may be instructed to go and get new ID documents, or renew certain kinds of ID, after you find out you were part of a data breach. Not all data breaches require you to renew documents, so it’s best to wait for instruction before doing this. For example, you might be instructed to renew your driver licence even if it's years from expiry.
This will prevent any scammers from using your licence details, because the new licence will have a new number and new expiry date.
The government helps with managing data breaches
Under the Privacy Act, a company is responsible for notifying individuals when it has suffered an eligible data breach. The company will either contact you directly via email or post, or you can find more information on the company’s website.
If you’re affected by a data breach, the Office of the Australian Information Commissioner and Scamwatch provide general information on what you can do to help minimise harm.
Well done!
This is the end of the What is a data breach and how can it affect you? activity. You've learned what a data breach is, and the kinds of personal information that might be involved.
Next up, in the How to tell if you're part of a data breach activity you can learn more about being proactive about data breaches and protecting your identity.