[BreachExchange] Did Marriott breach balloon Australia’s latest OAIC data breach numbers?

Destry Winant destry at riskbasedsecurity.com
Mon May 13 09:40:19 EDT 2019


https://www.itnews.com.au/news/did-marriott-breach-balloon-australias-latest-oaic-data-breach-numbers-525053

New +10 million Aussie victims increment launched.

The gargantuan Marriott customer data hack that hit around 500 million
people globally at the end of 2018 appears to have substantially
swollen the Office of the Australian Information Commissioner’s
quarterly data release after a single notification accounted for more
than 10 million affected Australians.

The OAIC on Monday was forced to lift the ceiling of its regular
statistical table, adding a new increment of +10 million Australians to
its quarterly catalog of corporate woe that had previously topped out
at 1,000,000 to 10,000,000.

In what could be a worrying sign for the future, the OAIC hasn’t put
an upper-range on its top number, confining it simply to the
“10,000,001 or more” range.

The Marriott penetration incident, which targeted reservation
information, actually started back in 2014 at its Starwood Hotels and
Resorts network.

That network included major brands including “W Hotels, St. Regis,
Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels,
Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien
Hotels & Resorts, Four Points by Sheraton and Design Hotels,” the
company said at the time.

Since then, the attribution finger has been pointed at Chinese
intelligence as the most probable protagonist with the most to gain
from such a monumental attack that hoovered up guests’ passport
details, credit card numbers, mobile numbers and travel histories.

A conspicuous absence of related credit card, payment and identity
fraud for financial gain was also interpreted as confirming an
intelligence gathering raid as opposed to a financial fraud motivated
grab.

Information security sources contacted by iTnews said they were not
aware of credible alternative explanations for the leap in affected
individuals in Australia, noting that international companies
operating in Australia were bound by reporting and privacy laws here.

The malice economy

There was a trove of other bad news in the OAIC’s latest quarterly
breach data dump that came in conjunction with a ‘year in review’
assessment after 12 months of operation of mandatory breach reporting
requirements.

As a fresh data set contingent on a mandatory reporting regime for
organisations suffering data breaches – albeit without naming them –
most observers have expected solid continuous rises as breach
reporting volumes came out of voluntary reporting.

The industrialisation of malicious exfiltration is the clear trend.
For the quarter ending March 31st 2019, notifiable data breach
notifications landed at 215 compared to 262 for the previous
October–December 2018 quarter and 245 for the July–September 2018 quarter.

At face value those numbers are not hugely helpful in detecting trends
or swings because notification volume numbers in double digits only
really start below the 5000 people affected mark.

“The majority of data breaches in the period involved the personal
information of 100 individuals or fewer (68 per cent of data
breaches). Data breaches impacting between one and 10 individuals
comprised 50 per cent of the notifications,” the OAIC said in its
latest report.

But it’s the persistence of malicious or criminal attack as a source
of data breach notifications that stands out at 61 percent this
quarter as opposed to good old fashioned “human error” that landed at
35 percent. The quarter before it was 64 percent malicious vs 33
percent human and 57 percent malicious vs 37 percent human the quarter
before that.

At a sectoral level, the top four breach reporting industries (ranked
high to low) remained – as expected – health; finance; legal,
accounting and management; and education.

But in the number five reporting slot (and this is numbers of
reports as opposed to numbers of people affected) the wooden spoon has
been shared across retail, mining and manufacturing, and personal
services over the last three consecutive quarters.

Out of sight

What’s impossible to see from the OAIC statistics is how data breach
numbers correlate – or don’t – with other patterns like online credit
card fraud reported by banks that has been steadily rising.

With those losses now tipping $500 million-a-year, most of which is
sheeted back to the same merchants roped in by mandatory reporting,
areas of sectoral or systemic deficiency would be illuminating.

In the meantime, the IT security marketing juggernaut continues to
make hay from anonymised regular numbers that can only increase as
corporate confessionals become more routine.

That said, vendor marketing opportunities are being cruelly cut by
half by the OAIC.

The watchdog said on Monday that from July this year it would trim its
output from quarterly to half yearly, the same frequency used to
report payment fraud numbers.