Cybersecurity expert warns of risk with too many holding onto unnecessary client info

12:37 pm on 13 December 2021

Many small to medium businesses hold too much information about things they do not need, says a cybersecurity expert.


It comes as the country faces increasing cyberattacks, with criminals looking to mine personal data.

Vertech IT Services managing director Daniel Watson said businesses holding onto old data that they did not need created unnecessary risk for the public.

"If the only reason why you're retaining customer information is perhaps more marketing purposes later on, then do you still need to retain the additional information such as date of birth, drivers licence detail ... other stuff that you might have collected and might have been necessary as part of the initial transaction," Watson said.

Getting hacked was not down to luck and it was just a matter of time, he said.

"If you do not have an excellent reason to retain customer information, you need to dispose of it.

"For example, I don't see why immigration consultants would sit on the details of more than 4000 past clients. It is creating unnecessary risk for many people who are oblivious to the threat they are facing."

The problem was made worse by poor cybersecurity measures from an "unacceptably high" portion of small and mid-sized enterprises (SMEs), he said.

"Reputation, financial and legal risks are just some of the threats that your average Kiwi SME is courting, bearing in mind that privacy legislation now requires the company to report a breach to affected customers as well as the Privacy Commissioner.

"The penalties are not to be sneezed at - fines [are] from $10,000 up to $350,000 for a class action."

Watson said companies needed to introduce or update policies, educate staff, and protect data.
