2022 has seen many unsettling global events. It should perhaps come as no surprise that the world has also witnessed a spike in cyberattacks on key institutions.
Governments and commercial enterprises are struggling to stem the tide of malware and hack attacks targeting organisations for financial gain, or critical infrastructure for more nefarious reasons.
In recent months, Australia seems to have been particularly hard hit. Against a backdrop of the new administration criticising the previous government's failed attempts to tighten national cybersecurity regulations, would-be cybercriminals have been making hay.
In September, Australian telecoms giant Optus announced that the details of 10 million customers had been stolen during a hack. A publicly exposed API facilitated access to sensitive customer data including driver's licences, phone numbers, dates of birth and addresses.
Optus was swift to notify the affected parties, and to implement changes in privacy policies, but a key question remains. Was the sensitive customer data encrypted? And if not, why not?
Further statements that “this was a very sophisticated attack” are unsatisfactory. Very sophisticated and increasingly malicious attacks are commonplace, they are not something new and different. Data protection, in the form of encryption, should be a default part of any organisation’s cybersecurity stance.
The story goes from bad to worse for the Singapore-owned telco. Following the initial breach, the ACCC announced investigations by two regulatory bodies. The Australian Communications and Media Authority and the Office of the Australian Information Commissioner will explore whether Optus met its data protection obligations.
Optus could be facing some steep financial penalties, with fines of up to $2.2 million for each privacy contravention a real possibility. Optus itself has set aside $140 million to remediate the impact of the breach but that may not be the biggest issue. The loss of trust that accompanies this type of breach could have a long-term impact on profitability. Just one month after the breach announcement, 10% of its mobile customer base had left, with over 50% saying they were considering a change of provider as a direct result of the breach.
In a recent interview, Australia's cyber security minister, Clare O'Neil, warned that the world was "under relentless cyberattack". This warning came as Australia's security agencies battled to stop the latest large-scale ransomware attack on one of the world's largest private health insurers, Medibank.
In October 2022, Medibank halted trading and promptly sent a message to customers informing them that it had received a communication from a group of cybercriminals claiming to have gained access to its customers' data.
In a statement released to the Australian stock exchange, Medibank stated that the cybercriminals had attempted to negotiate over the alleged removal of customer data. It is believed that 200GB of customer data was extracted in the attack, and the attackers have provided 1,000 records as proof. Aside from this, Medibank was initially tight-lipped about the attackers' demands.
The Medibank cyberattack is believed to have been carried out by a Russian-backed ransomware group. The hackers demanded a ransom of US$10m, threatening otherwise to release the private medical records of some of the 10 million customers whose details were compromised. Medibank refused, and the attackers released what were described as the "good list" and the "naughty list". The latter included details of patients who had sought treatment for HIV, drug addiction or alcohol abuse. A day later, the attackers released a new data file containing abortion-related data and again demanded US$10m to stop posting data to the dark web.
In related news, the Australian census website published figures stating it had been struck by a billion attempted cyber-attacks in 2021. These astonishing figures were released by the Australian Bureau of Statistics (ABS) only days after the revelations around the Medibank and Optus attacks, and they once again highlight the sheer volume of attacks organisations are facing.
A call for reform
The recent onslaught has brought sharply into focus the need for Australia to review and revise its national cybersecurity and data privacy policies. Speaking in September, the Australian Information Commissioner, Angelene Falk, said the ongoing review of the Australian Privacy Act represented an opportunity to raise the bar in terms of a deterrent, to place greater emphasis on organisations as custodians of data, and to penalise breaches of personally identifiable information.
There's a phrase used across many commercial enterprises: "data is our most valuable asset". If that truly is the case, organisations should spend less time exploiting it and more time protecting it. A modern cybersecurity policy cannot be naïve enough to rely solely on prevention technologies, or "border security". Modern, borderless infrastructure is rife with vulnerabilities, which makes network and data breaches virtually inevitable. In the event of a breach, the only way to protect your sensitive customer data is with encryption.