IDCARE: Meet the cyber security charity shaping Australia and New Zealand's data breach response
IDCARE is recruiting a reserve army to turbocharge the fightback against cyber crime not just in the region, but in the interests of victims all over the world


When organisations are breached, it’s easy to forget the damage cyber attacks can inflict on individual victims. Information stolen can range from sensitive health data, as in the recent Medibank hack, to data that could lead to identity theft, as in the Optus breach. This is against the backdrop of an 81% surge in cyber attacks between July 2021 and June 2022 in Australia, according to Imperva.
Given the recent increase in media focus, many business leaders may be tempted to sweep data breaches under the carpet. We’ve seen countless examples throughout history, such as Uber's 2016 attempt to hide a data breach affecting 57 million users and drivers. Needless to say, this approach is always dangerous for the victims, given they can’t take reasonable steps to protect themselves.
Hoping to eradicate terrible – sometimes non-existent – incident response is IDCARE. Based in Napier, New Zealand, and Caloundra, Australia, IDCARE is a charity founded in 2013 to help the victims of cyber attacks on an individual and organisational basis, whether through personal counselling, dark net monitoring, or staff training. But the crescendo of cyber attacks in the second half of 2022, which has forced legislators to vow to ‘hunt down hackers’, has forced the organisation to confront the reality that it lacks the resources to cope with this ever-escalating onslaught.
IDCARE is, therefore, ramping up its operations, says David Lacey, the charity's managing director. As with many charities, however, resourcing is a constant battle, and IDCARE had to adopt ‘creative solutions’ to ensure it could continue to serve its core purpose not just now, but in the future. To lead the fightback in Australia and New Zealand, and the rest of the world, it’s cooking up plans to mobilise its own reserve army.
IDCARE is a unique charity with global ambitions
IDCARE describes itself as Australia and New Zealand’s national identity and cyber support service. Funded by 35 public and private organisations as well as public grants, it aims to provide advice on how individuals and businesses should respond to data breaches, cyber security concerns, and identity theft.
Although IDCARE mostly serves those living in Australia or New Zealand, people can access the charity’s services from anywhere in the world, says Lacey. All you have to do is fill in its Get Help form online, and you’ll be put in touch with an IDCARE case manager. Around one in ten people that engage IDCARE don’t actually live in Australia or New Zealand, he adds.
The charity was born from an 18-month feasibility study Lacey decided to launch more than ten years ago. He wanted to examine what kind of national services the victims of cyber crime need, reporting his findings to a joint industry and government committee. The charity was then created from the reported demand for services independent of government and not commercially motivated.
IDCARE's MD David Lacey established the organisation a decade ago following an 18-month feasibility study
The National Cyber Security Centre (NCSC), a branch of GCHQ, fulfils a similar role in the UK. But IDCARE was established in part as a vehicle to deliver the aftercare and support for victims that other institutions tend not to. Lacey has previously highlighted that victims of cyber attacks suffer from anxiety and poor emotional health. This is where IDCARE positions itself as unique in the market, given it employs a number of counsellors in addition to the technical staff you’d expect.
The charity employs a team of 55 to this end comprising identity and cyber security case managers, counsellors, community education officers, computer scientists, data scientists, lawyers, project managers and developers. One part of the team works one-on-one with individuals and breached organisations to discover what’s happened, assess risks, and develop response plans, says Lacey, with the other monitoring online and market behaviours, examining insights, and working with industries and governments to review performance and improve best practice.
“I think the reason for them reaching out is they don’t see the unique support service available in their country – a service that is free to the community and blends the behavioural with the technical,” Lacey says. “That’s why we don’t reject people who reside outside of Australia and New Zealand. We think our service is universal and there are plans to establish regional centres in other locations should the right government and corporate support be identified.”
Funding the fight against cyber crime
One of the main challenges it faced on conception was funding. “In Australia there are different types of charities. Some can collect donations and others cannot. In Australia, our charity cannot, but in New Zealand, our charity can,” explains Lacey. Instead, it must entice organisations to subscribe in exchange for providing services, with the additional revenue reinvested into delivering charitable services to the community.
“Initially this was a real challenge, but over time those services have become really valued in the market and are allowing IDCARE to continue to grow to meet the community demand,” he says. These services include online profiling and alerting, where the charity has a separate Identity Security Operations Centre. It also provides data breach response services, organisational benchmarking, incident response reviews, and bespoke reporting.
The organisation pulled in more than $6 million in its 2022 financial year, with 68% coming from ‘goods and services’ and the remainder from grants. All revenue generated must be reinvested back into the delivery of its services. It also currently has a wide range of subscriber organisations. Governmental organisations are a core subset, including Australia’s Department of Home Affairs, Queensland police, the New South Wales (NSW) government, New Zealand’s Department of Internal Affairs, and the Tasmanian government. Many private sector entities, like Commonwealth Bank, Bupa, Equifax, Woolworths Group, and Telstra, also subscribe to IDCARE.
Calling in the reserves in 2023
The surge in cyber attacks targeting Australia during 2022 forced the charity to rethink its scale and delivery. For context, despite a population of roughly 25 million, up to 10 million accounts were exposed in the Optus breach alone, alongside 9.7 million in the Medibank breach. Demand for IDCARE services grew 45% at the same time. Lacey expects more of the same in 2023.
“This year we are introducing an IDCARE Incident Response Reserve which is delivering a training and development programme to individuals across government and corporates that leverages donated time they allow for their staff to assist with charities,” he says. “We are talking with a number of tertiary sector partners about assisting this work and offering the programme as a micro-credential to recognise and create more value for participants.”
When a “mega-breach” event occurs, Lacey explains, IDCARE will call on its reserve to help with its case management demands. When such events occurred last year, IDCARE was impressed by corporations who called to offer support, but it didn’t have the means to train people to its standards so they could be effectively deployed.
IDCARE is asked each day by three to five organisations to help with a data breach response. “We get to see first-hand the good, the bad and the ugly in terms of organisational response with our case management services, then the flow-on effects to impacted persons,” he says. “When organisations genuinely place the breached person at the centre of their response, things typically work well. When they don’t, it’s disastrous.”
Lacey hopes there’ll be no need for IDCARE in future, but he doesn’t see this as likely. Alongside rising demand is the fact data breaches are borderless. This is what Lacey calls the internationalisation of identity exploitation, where, for example, a UK citizen will have their identity exploited in Asia. “We can expect much more of these scenarios in the future,” he notes. “This is why a big piece of our work involves maintaining an intimate knowledge of response system affordances across the world.”
Over the next five years, IDCARE is aiming to prioritise being “client first”. This means focusing on the reduction of harm to individual victims, as well as carrying the response load for organisations and shaping industry and government behaviours. Summarising his mission, Lacey states: “For many, if you are not harmed by the crime, you almost certainly will be by the response. We are determined to do our bit to change this.”
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.