An Australian government-backed service for victims of identity theft blasted a plan to toughen privacy laws amid an explosion of online data theft, saying it would spur compromised companies to pay ransom and invite more hacking.
IDCare, a non-profit that helps internet crime victims, said by making it easier for regulators to fine companies for poor data security and failing to criminalise ransom payment, Australia may inadvertently fuel a cyber-crimewave.
The message came in an unpublished submission, reviewed by Reuters, to the attorney general who is working to update privacy law for the internet age just as the country experiences a spike in large-scale data thefts that the government says has touched almost every family.
"A significant reason why Australian governments and businesses are increasingly targeted by ransomware attacks ... is because we pay," IDCare said in the submission.
IDCare's views will count heavily in a government review of privacy laws expected to make it easier to fine or sue companies that fail to protect customer data, as it has become one of Canberra's go-to referral groups to help victims of cyber crime.
Canberra raised the maximum fine to A$50 million ($34 million) from A$2.2 million for companies that fail to stop data theft after the first major attack in October, when some 10 million customer accounts at No. 2 telco Optus, owned by Singapore Telecommunications, had information taken.
The government is now considering making it easier to apply that fine and simpler for individuals to sue for theft of personal information.
IDCare said by raising the threat of massive fines, Australia would force companies to choose whether to pay A$1 million, the typical cost of a ransom demand, or notify the authorities and risk a fine of up to A$50 million.
"In terms of ransomware attacks, Australia is open for business," it said.
IDCare noted that Australia was the country fifth-most targeted by data thieves in January 2023, far worse than other countries relative to its economy and population.
Without rules that bar or discourage ransom payments, it said "it is unlikely ransomware groups targeting our organisations will curtail their activities".
A spokesperson for Attorney-General Mark Dreyfus said the government had acted swiftly to increase penalties following large-scale data breaches and would consider 116 proposals in a review of privacy law before deciding further steps.
The Office of the Australian Information Commissioner said its approach in seeking penalties or setting new rules would be "pragmatic, evidence-based and proportionate".
DEMAND SPIKE
Since Australia made it compulsory for companies to report data breaches in 2018, IDCare's submission said community demand for its services had rocketed.
Within a month of the Optus hack, top health insurer Medibank Private Ltd revealed millions of its accounts had been compromised, with potentially sensitive medical information stolen from hundreds of thousands of people.
Then last month, a consumer finance provider, Latitude Financial Group Holdings Ltd, said hackers stole data from some 14 million customer accounts over nearly 20 years.
In each case, authorities directed affected customers to IDCare, which coaches victims on shutting down exposed accounts, notifying relevant service providers, and preventing losses.
To stem a surge in calls, IDCare now sets up "major incident" websites for people affected by breaches, its chief commercial officer Mark Rowley told Reuters.
It also plans to open a new support centre in Sydney by mid-2023, adding to centres in Brisbane, Perth and New Zealand, and increase staff to 60 from 40.
"There's no question that since last October the spate of ongoing data incidents has continued, if not escalated, so it's really required an acceleration of plans," Rowley said.
"I don't think this year any of us planned for events of that magnitude in Australia."
($1 = 1.4806 Australian dollars)
(Reporting by Byron Kaye; Editing by Praveen Menon and Sonali Paul)