Mumbai cyber security breach a case of 'buyer beware', former spy boss warns

Australia's former top spy has warned companies doing business with foreign call centres and data storage providers to do their homework before sending sensitive information offshore.

David Irvine, a former head of both ASIO and ASIS, said once information left Australia it was no longer protected by Australian sovereign law.

This made it possible for Australians' private details, including phone records, sourced through call centre workers in India and elsewhere, to be offered for sale by AI Solutions, a Mumbai security firm.

"If you lose control of your data, that sort of thing is entirely possible," he said.

"It relates to your ability to have suitable arrangements and controls in place with your external suppliers."

The shift towards cloud computing and the storage of sensitive corporate and government data in commercial data centres had been going on for almost a decade.

"For the last five or six years, encouraged by commercial advantage, we've been told it [cloud data storage] is far more efficient and effective [than storing it yourself]," he told Thursday's Association of Corporate Counsel National Conference in Canberra.

"The government, in 2010, brought in a policy encouraging more use of commercial data centres [by departments]. This was based on cost efficiency, not national security."

Fairfax Media reported on Thursday that it was possible to buy a person's home address for as little as $350. $1000 would buy the home address, multiple phone numbers, a year's phone statements and a call history.

Mr Irvine said it was a case of "buyer beware", with companies needing to realise that savings from offshore storage could be dwarfed by the liabilities that would follow a major security breach.

"I would love there to be a cloud; I would like it to hover over Sydney, Melbourne or even Canberra and be controlled by Australian sovereign law," he said.

"When I put my data, no matter how it has been fixed up and dispersed all over the place, under the control of someone else's sovereign law I am leaving it open to third parties. I have no guarantees about how it is going to be affected."

Any data sent offshore needed to be so well encrypted only the owner could read it.

It also needed to be backed up, either in another storage centre or in the company's own system.

"My next question is going to be, 'Which country am I going to put it in?'," Mr Irvine, who now heads the Australian Cyber Security Research Institute, said.

"Intelligence services have the capabilities to do all sorts of extraordinary things. If your data is only lightly encrypted then you are in serious trouble wherever it is."

The latest security breaches highlighted the need for contractual arrangements that imposed "a very, very heavy penalty" on call centres and storage operators.

With the cost of global cyber crime expected to grow from $400 billion to more than $2 trillion in the next three years, the threat cannot be overstated.

"Cyber espionage is a fact of life internationally," Mr Irvine said.

"[Consider] the takeover of the Parliament House network [made public in 2011] and last year's hacking of the Bureau of Meteorology."

The Australian Cyber Security Centre reported more than 1000 attacks on government institutions in the six months to last June.

"That figure is likely to be an underestimate," Mr Irvine said. "[It is only] those attacks that were detected."
