Our first interaction with an organisation is almost always entirely online. We have all grown accustomed to sharing our personal details with online platforms, from e-commerce sites to social media networks. The benefits are clear: time saved, an immediate response and access to large amounts of information. Yet this comes with a risk, specifically the risk of our personal information being compromised, often without our immediate knowledge.
Are there laws about customer data? Yes. The Australian Privacy Principles (APPs) are a set of 13 principles that regulate the collection, use, disclosure, storage, security and destruction of personal information by government agencies, by organisations with an annual turnover of more than $3 million, and by some other organisations (such as those that collect 'sensitive' information, for example health care providers, childcare services and credit agencies, and small businesses that have opted in). The APPs are set out in the Privacy Act 1988.
The New Zealand Privacy Act 1993 is like its Australian counterpart in that it sets out privacy principles, but there are some key differences. The New Zealand principles apply to all organisations that collect or hold personal information about individuals in New Zealand, regardless of their size. The New Zealand Act also has several specific provisions, the 'Privacy codes of practice', covering the collection and use of sensitive information such as health information and information about children.
Since not all Australian organisations are legally bound by these principles, and no organisation is perfect, breaches can and will occur.
Here are four telltale signs that your email address or other personal details might have been sold, leaked, or breached:
Unexpected password reset or account verification emails: If you begin receiving unsolicited password reset requests or account verification messages from services you recognise (or don't), it could be an indication that someone is trying to gain access using your details, or that your email address is on a list being targeted. In the Latitude breach, many former customers received password reset emails and SMS messages from the companies Latitude had acquired, causing confusion. This, however, revealed the breadth of the data stolen.
Spam overload: A sudden influx of spam emails, especially ones promoting shady products, services, or asking for more information can indicate that your email address has been sold or shared among various spammers. The cyber criminals can be reasonably sure your email is valid and that you’ve bought online before, making you a potentially warm lead.
Phishing attempts: These are deceptive emails that try to impersonate legitimate companies, often asking for sensitive information or leading you to fake websites to enter login details. If you notice a surge in such emails, your details might be part of a broader list being exploited. Some might be addressed to you personally, if the scammer has bought more complete personal details.
Unusual recommendations or advertisements: If you suddenly see remarketing advertisements or product recommendations for things you have never interacted with, or that are outright wrong for you, it might hint that your data is being shared more broadly than you'd like, though it could also be the result of legitimate data-sharing practices by companies. This can look like the remarketing you already get that is eerily related to your recent purchases, interests or even conversations, except that the recommendations point to scam websites.
What to do next:
Change your passwords: For any site or app where you think you may have reused a password or followed a similar pattern, change it. Use a password manager to store a unique password for each account.
Activate Multi-Factor Authentication (MFA): This can add an extra layer of security, ensuring that even if someone has your password, they still need a secondary method such as biometrics, an authenticator app or code to access your account.
Log out of services: Check your Google, Microsoft and social media accounts for unusual device locations or unrecognised devices. Log out of all locations and change your password.
Beware of phishing attempts: Always double-check the URL of websites or links sent to you before clicking or entering details and never provide sensitive information via email, especially if you didn't initiate the conversation.
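The advice above is to check where a link really goes before clicking it. The following script, an added example and not part of the original article, shows what "double-checking the URL" means in practice: it extracts the hostname the browser will actually connect to, reduces it to the registrable domain, and flags the common tricks (a trusted name used as a subdomain of an attacker's domain, a trusted name placed in the user-info part before `@`, and plain-HTTP links). The sample links, the expected domain `examplebank.com.au` and the small suffix table are constructed for illustration; a real checker would use the full Public Suffix List rather than the hard-coded stand-in here.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. Only the suffixes needed by
# the sample links below are included; a real tool would load the full list.
KNOWN_SUFFIXES = {"com.au", "co.nz", "com", "example"}

# Constructed sample links, as they might appear in a phishing email:
# (display text, actual href). Only the first one is genuine.
SAMPLE_LINKS = [
    ("Log in to your bank", "https://www.examplebank.com.au/login"),
    ("Log in to your bank", "https://www.examplebank.com.au.secure-login.example/login"),
    ("Verify your account", "https://examplebank.com.au@203.0.113.10/verify"),
    ("Update details", "http://examplebank-com-au.example/update"),
]


def registrable_domain(host):
    """Reduce a hostname to the domain somebody actually registered.

    Walks from the longest suffix to the shortest and returns the label
    immediately in front of the first known public suffix, so
    'www.examplebank.com.au' becomes 'examplebank.com.au'.
    """
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in KNOWN_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host  # IP literals and unknown suffixes are returned unchanged


def inspect_link(url, expected_domain):
    """Describe where a link really leads and how it compares to what we expect."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # hostname ignores any user@ prefix
    domain = registrable_domain(host)
    return {
        "host": host,
        "domain": domain,
        "matches_expected": domain == expected_domain,
        "https": parts.scheme == "https",
        # A trusted name before '@' is user-info, not the destination host.
        "has_userinfo": parts.username is not None,
    }


def verdict(url, expected_domain):
    """Return a list of reasons to distrust the link; an empty list means it checks out."""
    info = inspect_link(url, expected_domain)
    reasons = []
    if info["has_userinfo"]:
        reasons.append("trusted name appears before '@'; real host is " + info["host"])
    if not info["matches_expected"]:
        reasons.append("destination domain is " + info["domain"] + ", not " + expected_domain)
    if not info["https"]:
        reasons.append("link is not HTTPS")
    return reasons


def triage(links, expected_domain):
    """Label each (text, href) pair as 'ok' or with its list of warnings."""
    return [(text, verdict(href, expected_domain) or "ok") for text, href in links]


if __name__ == "__main__":
    for text, result in triage(SAMPLE_LINKS, "examplebank.com.au"):
        print(f"{text!r}: {result}")
```

The display text is identical for the first two links, which is exactly why the text is never the thing to check: only the parsed hostname tells you where you will end up.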
Stay informed: Regularly check services like "Have I Been Pwned" to see if your email address shows up. Being proactive can help mitigate potential damages. If you have a large footprint in breaches as reported by “Have I Been Pwned” it might be time to retire that email address permanently. This is a difficult thing to do, but it might be the most secure way forward.
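Have I Been Pwned also publishes a Pwned Passwords service, which is the natural companion to "change your passwords" above. The script below is an added example, not code from the article or from Have I Been Pwned, showing how its k-anonymity lookup keeps the password private: only the first five characters of the password's SHA-1 hash leave your machine, the service returns every hash suffix in that range, and the comparison happens locally. The range response embedded here is constructed (the suffix for `password` is its real SHA-1 suffix, but the counts are made up) so the example runs offline; the `range_lookup` callback is an assumption of this example, and the live endpoint in `hibp_lookup` is the real one, which the offline run never calls.

```python
import hashlib
import urllib.request

# Constructed stand-in for a range response. The first suffix really is the
# SHA-1 suffix of the string "password"; every count below is invented.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
    ]),
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_lookup(prefix):
    """Range lookup backed by the constructed data above (assumption of this example)."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def hibp_lookup(prefix):
    """Range lookup against the live Pwned Passwords API. Not used by the
    offline run; shown so the shape of the real call is visible."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_seen(password, range_lookup=offline_lookup):
    """How many times this password appears in the breach corpus, or 0.

    The password itself and its full hash are never passed to range_lookup;
    only the five-character prefix is.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ["password", "a-long-unique-passphrase-nobody-else-uses"]:
        print(f"{candidate!r}: seen {times_seen(candidate)} times")
```

Because the same five-character prefix covers hundreds of real hashes, the service learns nothing useful about which password you checked, and you learn whether that password is already circulating before you decide to keep it.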
Learn more about how to catch a data breach before it happens here, and contact us today for a demo of our training platform and view courses such as Data Management, the Privacy Act and how to manage your digital identity.