Australian Security Industry Association calls for federal regulation of cyber security sector after breach
A national security industry body is calling on the Albanese Government to regulate the cyber security sector, including the introduction of basic background checks for workers, in a bid to safeguard consumer and company data.
The Australian Security Industry Association has warned businesses are potentially allowing untrustworthy people access to sensitive data as well as security systems and infrastructure as the organisation calls for the vetting of cyber security workers.
The push comes as notorious hacking group ShinyHunters claims to have stolen the data of 560 million users from global ticketing giant Ticketmaster, with potentially thousands of Australians exposed in the purported breach.
Australian Security Industry Association chief executive officer Bryan De Caires said the industry body had been pushing for cyber security professionals to be regulated for years but said governments and regulators had become daunted as technology quickly evolved.
“It’s like the elephant in the room. It’s a bit too big to bite so it’s easier to leave,” he said.
“But it won’t go away. Every security device is typically connected to the Internet of things.”
On Tuesday reports emerged that notorious hacker group ShinyHunters was attempting to sell 1.3 terabytes of personal information of Ticketmaster and Live Nation users for $US500,000 on Breach Forums.
The stolen data reportedly includes full names, addresses, email addresses, phone numbers, ticket sales and event details, order information, and partial payment card data.
Alarmingly, the compromised payment data reportedly contains customer names, the last four digits of card numbers and expiration dates.
ASIAL wrote to the offices of Prime Minister Anthony Albanese and Home Affairs Minister Claire O’Neil calling for the harmonisation of regulation of the sector across the states and territories to address the rise of cyber threats and terrorism.
“Regulatory inconsistencies between jurisdictions are not conducive to achieving optimal security outcomes for Australia,” Mr De Caires wrote in February.
“Your leadership will be pivotal in achieving a resolution of this issue, which in turn will strengthen our nation’s security capability and capacity.”
Mr De Caires made a follow-up call to the Home Affairs office about two weeks ago but has yet to receive a response.
Greens Senator David Shoebridge, who is the party’s digital rights spokesperson, backed ASIAL’s calls and said there was a strong case for nationally consistent regulation and the mandatory licensing of cyber security workers.
“Any firm or individual who is seeking access to government, corporate or individuals’ IT and cyber security systems should at least have a police clearance and also some basic level of competency,” he said.
“If you think of the scale of this risk, the idea that there is no current regulation of the cyber security industry is pretty remarkable.
“You need a licence to put a lock on someone’s back door, but no qualification or clearance is needed to work on critical cyber security systems. That is clearly ignoring the scale of the problem.”
Recent large-scale data leaks in Australia have impacted large companies such as telco Optus and private health insurer Medibank.
In 2019 data security researcher Nik Cubrilovic was sentenced to a two-year community corrections order after pleading guilty to charges relating to accessing data held by rideshare company GoGet.
Federal parliament’s joint committee on law enforcement is currently conducting an inquiry into cybercrime in Australia.
Committee chair Labor Senator Helen Polley said millions of Australians were impacted by cyber crimes each year and ransomware attacks alone caused about $3 billion in damage to the local economy each year.
“The Albanese Government is budgeting $600 million into fighting cybercriminals, forcing businesses to report when they have been hacked, and creating a special team to learn from major attacks under a rebooted cybersecurity strategy,” she said.
The Albanese Government has committed to professionalizing the cyber security workforce as part of the Cyber Security Strategy 2023-2030 and is developing a skills framework.