What you need to know:

• A spate of incidents across Ticketek, The Iconic, Endeavour Group, TVSN and others is a warning to brands of the growing risk of such cyberattacks occurring using compromised customer data, AKA credential stuffing, where usernames and passwords are leached from one attack and used by hackers to go again.
• While none of the brands above had their IT systems compromised or suffered a direct data breach, that doesn’t mean they’re off the hook. According to the OAIC, credential stuffing attacks may also trigger requirements under Australia’s Privacy Laws for brands.
• Cybersecurity experts and ADMA all agree: CMOs and marketing teams need to do a better job of brushing up cyberattack incident response playbooks, communications plans, team training and management – because it’s not a question of if you might have a cyber or data breach anymore, but when.
• Experts admit one of the challenges however, is how brands find the balance between concepts of seamless and frictional digital customer experiences and responsible, secure ones. While technical solutions abound to mitigate the risk of credential stuffing, for example, brands are reluctant to employ them if they add time or friction into the purchasing process.

In amidst all the excitement, friendship bracelet swapping, copious column inches and clever guerrilla marketing tactics celebrating Taylor Swift’s arrival in Australia, a more nefarious story emerged: That of another credential stuffing attack.

A week ago, Ticketek confirmed an unspecified number of customers had fallen victim to credential stuffing attacks that saw hackers gain access to ticketholder accounts ahead of The Eras Tour and promptly sell on tickets in Ticketek’s official Marketplace. In a statement, the event ticketing provider said it was working around the clock to resolve customer issues. It’s also setting up pop-up stands at the concerts to support customers who’ve fallen victim to the scam and has directed customers to file police reports as well as contact its customer service office.

This brazen credential stuff attack comes just weeks after online retailer, The Iconic, copped significant media and customer backlash when several customer accounts were compromised in the same way by cyber criminals and used to make purchases of up to $4,000. Other companies cited by cybersecurity experts as suffering a similar fate include Endeavour Group’s Dan Murphy’s and TVSN, both of which have since confirmed the attacks.

Marketers will immediately recognise the reputational impact a credential stuffing incident presents. The Iconic customers took to Instagram messaging to express their concerns with the online retailer as several found unauthorised transactions on their credit card bills, and had their accounts locked down in response to what it acknowledged as heightened nefarious activity across the online platform.

What brand teams and their respective partners are probably less aware of is there are also potential regulatory implications – and fallout – for the brands depending on how they deal with these cyber and data breach incidents.

Notifiable data breach

The data breach regulation marketers should be most across is the Notifiable Data Breach scheme under the Privacy Law. This requires brands to report instances where a potential data breach has occurred.

As specified by the Office of the Australian Information Commissioner (OAIC), the Privacy Act requires organisations to take reasonable steps to conduct a data breach assessment within 30 days of becoming aware there are grounds to suspect they may have experienced an eligible data breach.

According to the OAIC, credential stuffing attacks may also trigger requirements from brands whose customers have been affected, even if the data exposure occurred outside their own IT systems.

In the case of The Iconic, Ticketek and Endeavour Group, the actual data breach enabling credential stuffing occurred outside of their own infrastructure. All these brands stated this fact in their media statements. But this doesn’t mean they’re off the hook.

“Where a threat actor uses personal information already obtained [for example, through another data breach] to circumvent an organisation’s identity verification processes and gain access to personal information the organisation holds, this may still be a notifiable data breach,” the OAIC spokesperson told Mi3.

An OAIC case study paints a picture of this. A retail entity’s customer portal was subjected to a credential stuffing attack, resulting in unauthorised access to 500 customer accounts, which included identity information. At the time of the incident, the entity’s identity authentication for customer accounts was limited to email address and password.

“Following an investigation, the entity formed a suspicion the customers’ credentials were obtained in a data breach of another entity and that the threat actor(s) leveraged this information to bypass their identity authentication measures,” the OAIC stated. In response, the entity notified all affected customers of the data breach and uplifted its identity authentication measures to include mandatory multi-factor authentication for all customers.

“Organisations must remain vigilant as the increased occurrence of large-scale data breaches in recent years heightens the risk of credential stuffing attacks,” the authority added.

ADMA regulatory and affairs director Sarla Fernando brings this regulatory risk for brands back to the second concept of ‘potential harm’ under the Notifiable Breaches Act.

“The OAIC is saying is you may have to tell us if the breach has led to a potential serious harm, and you've not been able to mitigate that. What that flags is how important it is for brands to understand what actually would create a serious harm,” she said. “The risk of not doing the right thing, and breaching the requirement to notify, would come if they've incorrectly identified what they would consider to be a serious harm.”  

An explainer on credential stuffing

Credential stuffing poses a potential risk to brands even if they weren’t breached directly. It also shows how blurry the delineation between cyber, privacy and data breaches is.

To the cybersecurity world, credential stuffing is not new. As RSM Australia cybersecurity and privacy services partner, Ashwin Pal, explained, the root cause is people using the same password across multiple websites. If a site they use is easy for a hacker to compromise, they can grab that password and through various means, work out not only which other websites you’re using, but use your password plus relatively easy to guess username, to legitimately login to an account and start using it.

“Let’s say you were silly enough to use the same password on a news website, then on your Internet banking: What I will do is try a bunch of websites I think you use, using the same password with different combinations of usernames. One of them works, I get in and you know the rest of the story,” said Pal. “That’s credential stuffing – I grabbed your credentials from somewhere and I’m stuffing them into multiple websites to gain unauthorised access.”

Because we've had very big data breaches with the likes of Optus, Latitude Financial and Medibank over the last two years, there’s a lot more accessible data circulating around the dark Web, making this more common, added Fernando.

“To an organisation like The Iconic, they'll be thinking, but not saying, it’s actually the customers’ problem because they've used the same password and username. They're not wrong. Technically, there needs to be encouragement to change our own habits around data,” she said. “That's not going to fly though. A business has to have taken all reasonable steps to try and protect data, especially more so with Australia’s data laws changing, which look to put the onus on the business rather than the consumer.”

The response to mitigating credential stuffing as a brand “isn’t rocket science”, according to Pal. The first step is applying monitoring software to your own website to check for unusual activity and behaviour that’s not normal. A second is implementing multi-factor authentication, specifically on high-value accounts or when high-value purchases are being made. This is critical because “passwords can no longer be considered secure”, he said.

The third step is proactively educating customers about the risks. The banks are a good example of this, per Pal, letting customers know of heightened activity or scam campaigns targeting customers.

Choosing trust or seamless customer experiences?

This proactivity around communications is a bugbear for Monash University professor in the Department of Software Systems and Cybersecurity, auDA chair and technology advisor, Nigel Phair. He’s scathing about recent brand responses to credential stuffing attacks, citing The Iconic’s as a poor example.

“They got very cute with their messaging saying look away, it’s not a data breach, it’s not our problem. It exactly is their problem. It’s their customers’ data and there are things they can do,” Phair told Mi3.  

“This is something that – 110 per cent – such brands need to pay attention to. What it falls under is the umbrella of trust and safety. If places like The Iconic want to be known as a safe, trusted, confident shopping experience and destination, they need to put in risk management controls that enable that.”

Yet according to Phair, two hefty reasons exist for companies often not doing these things. One is a question of technology investment and sophistication. The other relates to frictionless versus more secure customer experiences.

“Many brands don’t want to inject any friction into the customer journey – they want to make it really simple for people to get on their portal, buy and get off,” said Phair.  

Take Ticketek or other ticketing websites globally: Most, if not all, avoid multi-factor authentication because of the friction and time it introduces into the purchase process when 600,000+ Taylor Swift tickets go on sale. When the initial Taylor Swift tickets dropped, Ticketek’s system managed to repel more than half a billion bot attempts coming from scalpers, while a record-breaking 4 million people across Sydney and Melbourne were trying to secure tickets.

This challenge of balancing seamless experiences with responsible digital practices is something Fernando also spotted as a quandary.  

“With our marketing, we put a lot of emphasis on accessibility. We have a responsibility to deliver what is a good customer experience, but something that’s protecting the customer too,” she said. “As marketers, we've got to put things in, and not try and make it so easy it's a seamless thing. A customer experience doesn't have to be seamless. It has to be a good experience, and one a customer is expecting.”

Take a couple of ways more verification can be built into a site: A CAPTCHA system, where the user has to solve a puzzle or click on the images featuring a traffic light, bus or bike, or a credit card’s three-digit CCV (a much less secure option, according to Pal).

“I'm so used to having to click through everything that's got a bike in it using a CAPTCHA system. As a customer, you know why they're asking me this as it's protecting me. I can't get angry about it,” per Fernando. “As an industry, we should be stepping up and going these are the minimums we should be asking customers to do. Those that don't are not seen as a seamless journey, they're seen as an irresponsible journey.”

Another issue Fernando identifies is people believing separation of credit card details to protect the customer means they’re not in danger.

“What they haven't necessarily understood is they're capturing other information that falls into the category of sensitive information, which will actually put the person at greater harm,” she said. “It could be something very small. Say you want to collect from your customer whether they want to receive a Christmas or Hanukkah greeting. You might do that because you want to be respectful, but you've now captured religious beliefs. That is sensitive information. That's another level of responsibility you need to have within your data practices.

“It is far more important for people today to build understanding and get granular. Because the cost of a breach and this kind of incident is significant.”

What marketing teams need to do next

As a precautionary measure, the OAIC strongly encourages all organisations to review and strengthen their security and access measures, including identity management and authentication. This may include introducing multi-factor authentication and masking personal information within customer accounts to reduce risk should the account be accessed without authorisation.

Organisations should also ensure staff are well‑equipped to identify and respond to credential stuffing attacks and customers know what to do if concerned they may have been the subject of an attack.

“Brands can ask customers to choose more complex passwords. They can ask customers to change their passwords. They could do activities that will prompt people to build good practices around how they handle their data,” said ADMA's Fernando. “We can also minimise the types of personal information being held within businesses. The onus is on us to take extra responsibility to make sure we don’t hold the kind of data where if a data breach happens, we can be in trouble.”

Phair attributes much of the lethargy he sees to a mistaken belief brands have that a cyber attack or data breach won’t happen to them. “That’s the malaise we’re seeing across Australian organisations. They’re not going through the fundamentals of risk management of their platforms, information and customer journeys.”

The top tip from Phair and RSM Australia's Pal is to have a plan in place for how your organisation will respond to potential cyber and data breach incidences.

“Organisations that respond well practice this stuff. The question CMOs should be asking is: Have we scenario planned this happening to us? They should be the first ones in the senior management group meetings asking this,” per Phair. “Even though credential stuffing has been around a long time, many haven’t heard of it before. If they haven’t, they need to start considering it, start role playing, bring in penetration testing to see if it can be done on their platforms. And if it most likely can be, they need to address this with a controlled framework.

“Remember it’s not an IT we’re trying to solve, it’s a business issue.”

Nuanced communications, avoiding bulk email sends while being transparent with customers are equally critical. “Know the three things you’re going to tell customers and media when either ring up saying we’ve heard there is something amiss,” said Phair.  

Pal’s callout is making sure you understand what has happened and how public the information is: “That is not just around information being leaked, but how it’s touching your customers as well."

“We have playbooks for this stuff we do for clients. When we do playbooks around a detection and response scenario, our response does not stop at the technical response: A large part of response procedures are dedicated to managing reputational damage.

“The security team’s responsibility should only be stating the facts and what the data breach or cyber incident is all about. They’re not marketers. The marketing team needs to have enough nous to take that and go, okay, this is what has happened, is this likely to cause us reputation damage. If so, we need to do X, Y Z.”

Pal reiterates the responsibility marketers have to be across growing cyber risks, as well as the business and customer implications they present. But he’s worried the message isn’t getting through fast enough.

“Whenever there is a data breach, it does become the CMO’s problem. The only sure risk you’re going to run is reputational,” he says. “Why aren’t more CMOs involved in this? I don’t know. Time will tell.”