Singapore-based online marketplace Carousell has become the latest retail business to suffer a cyberattack, after a database of its user accounts was stolen and listed for sale on the dark web for S$1,000, according to a report by the Straits Times. The company confirmed the data breach earlier this month, explaining that a bug had been introduced during a system migration and used by a third party to gain unauthorised access to 1.95 million user accounts. A spokesman for the company said the bug has since been fixed.
The company is working with an external adviser, Sygnia, to validate its internal investigation and to provide an independent assessment to authorities.
The company has assured users that no credit card or payment-related information was compromised. It has been reported that the leak contained victims’ usernames, first and last names, e-mail addresses, mobile phone numbers and country of origin, as well as the date they created their Carousell account and their number of followers in the app.
According to the Straits Times, the hackers uploaded the 2GB database on 12 October, two days before Carousell confirmed the breach. They have said they will be selling only five copies of the database.
An APAC problem
There has been a spate of cyberattacks targeting the retail sector in the Asia Pacific region recently, with Australian businesses, such as Telstra, Optus, MyDeal and Vinomofo, also being hit by rogue actors this month.
“We’ve definitely seen an uptick in cyberattacks recently and, in a way, it’s a good thing because it’s bringing the issue to the public’s attention in a big way,” Aaron Bugal, global solutions engineer at Sophos Group, told Inside Retail.
Bugal said that Sophos Group, a British-based security software and hardware company, has often observed an attitude of complacency, or even negligence, about cybersecurity within businesses.
“A lot of the time, they could have been avoided. Cybercriminals are opportunistic and, if they see an open window, they’ll take advantage, so it’s crucial that businesses make sure their cybersecurity is in check,” he said.
According to Bugal, if businesses don’t step up their cybersecurity, they’ll have more than paying a ransom to worry about. As the latest spate of breaches demonstrates, the reputational damage can be devastating and customers will leave if they feel that their trust has been betrayed.
What’s next?
The latest breaches should be a warning to all organisations to review their cybersecurity best practices. The threat landscape is always evolving and the hazards are only getting more acute.
Bugal acknowledged that it can be difficult for businesses to develop five-year plans for cybersecurity because best practices change on a monthly basis. Instead, they should focus on hiring people with the right skills and giving them sufficient resources to respond as new threats crop up.
“The best thing businesses can do to prevent these attacks is to employ cyber-aware people, and ensure they have people with their fingers on the pulse watching the network,” he said.
He explained that cybercriminals spend every waking moment looking for and thinking about ways to break through defences, so businesses need people who are equally dedicated to protecting them.
“Unfortunately, with the tech skills shortage, this can be easier said than done for a lot of businesses,” he said.
A mindset change
In most cases, even the most technologically advanced systems have a weak link. Unfortunately, the human factor is one of the biggest obstacles to maintaining a robust cybersecurity framework.
With that in mind, businesses should think twice about the data they choose to collect, given the risk of a cyberattack.
“I think businesses need to take a close look at their data hygiene practices, and really understand what data they are collecting, how they’re using it, storing it, and what systems they have in place for erasing it when they no longer need it,” Bugal said.
He explained that this is particularly important because sensitive data can be used to steal someone’s identity or otherwise extort them.
“[Consumers] trust organisations with this information, so it’s disheartening to see it often treated with such disregard. We know scammers will use anything they can get their hands on to exploit their victims, and it is so often easily avoidable,” he stressed.
Government intervention
If the risk of reputational damage isn’t enough to spur businesses to step up their cybersecurity, then increased financial penalties might.
The Australian government has proposed a number of changes to the country’s privacy laws to increase penalties for companies subject to major data breaches.
The changes would lift maximum penalties for serious or repeated breaches from the current A$2.22 million to the greater of A$50 million, three times the value of the benefit obtained through the misuse of information, or 30 per cent of turnover in the relevant period.
They would also provide the Australian Information Commissioner with greater powers to resolve privacy breaches.
The Australian government also wants to strengthen the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of the information compromised in a breach, so that it can assess the risk of harm to individuals.
Moreover, it wants to equip the Australian Information Commissioner and the Australian Communications and Media Authority with greater information sharing powers.
Bugal said the proposed changes demonstrate that the Australian government is taking cybersecurity seriously.