Over the past year, Australia has seen some of its largest corporations and national institutions targeted by cyberattacks, orchestrated by a wide range of cyber threat actors.
Data published by the Australian Cyber Security Centre (ACSC) indicates cyber incidents were up 13% year on year, with over 76,000 separate incidents being reported. In recent months, IPH, Latitude, Medibank, and Optus have fallen victim to cyberattacks that have impacted more than half the country’s population. As a result, both customers and shareholders have become victims of a failure to adequately secure sensitive data.
The escalation in cyberattacks is obviously cause for concern, but so are the revelations of poor cybersecurity practices. A robust cybersecurity strategy contains key elements of prevention and protection technologies. Of course, this is no guarantee that a breach will not occur; but it is one thing to be attacked and another thing entirely to have unencrypted data stolen or held for ransom.
Failures to protect data through encryption are just asking for trouble. Would Medicare, Optus, IPH, and Latitude customers have suffered the same way had their highly sensitive identity, financial and medical records been encrypted? Unlikely. Strictly speaking, if a breach involves encrypted data, it does not automatically become notifiable under recent legislation. “Was the data encrypted?” and “If not, why not?” are essential questions that must be asked.
In March 2023, IPH became the latest in a long line of businesses declaring a data breach. In this instance, IPH, an IP services provider, detected unauthorised access to one of the document management systems that handle potentially sensitive data at its head office, plus the practice management systems of two of its members. As an immediate result, the business halted trading on the ASX and launched an investigation into the incident.
Scant comfort was to be had following IPH’s announcement that the compromised data included “documents relating to the administration of these entities” and “client documents and correspondence”. IPH went on to admit that functionality had been affected in some areas but that alternative systems were in place that were “working adequately”. Not, perhaps, the most reassuring of statements. Unsurprisingly, the IPH share price subsequently took a 12% hit.
The Latitude Finance breach was one of the largest ever declared in Australia, with a total of 14 million customers affected. Following the breach notification, it too halted trading on the ASX. Whilst the business is engaged in a major breach response program, changes in legislation could see firms penalised with fines of up to $50m (up from the previous cap of just $2.2m) and further misery could be heaped on the business in the form of a class action suit involving many of the affected customers.
The story will be a familiar one for Optus, which suffered its own major breach compromising the identity records of some 11 million customers back in October 2022. Hackers gained access to sensitive data and published samples on the web, demanding $1.5m in ransom. The aftermath of the breach prompted much discussion, a class action suit, and the aforementioned legislative changes.
In late 2022, Australian health insurer Medibank suffered a similar breach of sensitive, personally identifiable data, impacting almost 10 million customers. Immediately after the incident, Medibank’s share price plummeted. In the following months, the company would be issued with three class action suits and admit that remediation costs could reach $45m in the second half of this year. The pain has been felt by Medibank, its customers, and shareholders. It will be some time before the full costs of remediation, litigation, penalties, and lost reputation are known.
Notifiable breaches on the rise
The Office of the Australian Information Commissioner publishes a 6-monthly notifiable breach report with detailed statistics on the number and nature of disclosed breaches. In the second half of 2022, the OAIC listed 497 notifications (up 26% on the previous period), bringing the annual total to 890. Forty of these were categorised as “large scale”, impacting more than 5,000 individuals. Healthcare, finance, and professional services companies were the most likely to suffer notifiable breaches.
The situation in Europe is different. The EU’s GDPR has been in place for 5 years and has proven on several occasions that its bite is every bit as bad as its bark. Just ask Equifax, Marriott, and British Airways, which were fined $575 million, $124 million, and $230 million respectively. This scale of penalty tends to focus the mind, and there has been a subsequent fall in notifiable breaches across the region.
What next?
Despite legislative changes and more severe penalties being put in place, there seem to be few lessons learned so far in Australia. The ultimate cost of a breach of unencrypted data continues to rise, with share prices plummeting, customers leaving, remediation costs mounting, regulatory fines on the rise, class action lawsuits, and even individual executives facing charges. It all begs the question, just what will it take for things to change?
IT security is frequently listed as a “top priority” by CTOs, but businesses need to do more than pay lip service to the idea of zero-trust architecture. Employees and supply chain organisations are frequently a point of weakness. A robust cybersecurity stance should consider all edges, and secure not just the infrastructure but the data that travels across it. “Risky” file-sharing practices, such as emailing sensitive information, need to be abolished in favour of secure alternatives. A proactive approach to ransomware needs to be adopted and sensitive data needs to be encrypted at all times, whether in motion or at rest. If you are in doubt as to what data is sensitive, the default position recommended by security experts is to encrypt everything.
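What “encrypted at rest” looks like in practice is worth making concrete. The following is an added example, not code from the article or from any of the companies it names: a Go program that stores a customer record with only the lookup key in the clear and all identity fields sealed with AES-256-GCM, using the customer ID as additional authenticated data so a ciphertext cannot be quietly re-pointed at another row. The field names and sample values are constructed for illustration; the key-handling function stands in for a KMS or HSM that would hold the key away from the database.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// SensitiveFields is a constructed example of the kind of identity data the
// breaches above exposed in the clear. Field names are hypothetical.
type SensitiveFields struct {
	Name          string `json:"name"`
	DriverLicence string `json:"driver_licence"`
	Email         string `json:"email"`
}

// StoredRecord is the row shape that reaches the database: only the lookup
// key is readable; everything sensitive is a single AEAD ciphertext.
type StoredRecord struct {
	CustomerID string
	Blob       []byte // nonce || AES-256-GCM ciphertext+tag
}

// NewDataKey generates a 256-bit data-encryption key. In a real deployment
// this key is wrapped by a KMS/HSM and is never stored beside the data it
// protects; a database dump alone must not yield the key.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the sensitive fields and binds them to customerID through the
// additional authenticated data, so the blob cannot be moved to another row.
func Seal(key []byte, customerID string, f SensitiveFields) (StoredRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredRecord{}, err
	}
	plaintext, err := json.Marshal(f)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(customerID))
	return StoredRecord{CustomerID: customerID, Blob: append(nonce, ct...)}, nil
}

// Open reverses Seal. Any change to the blob or to the customer ID makes the
// GCM tag check fail, so tampering is detected instead of silently decrypted.
func Open(key []byte, r StoredRecord) (SensitiveFields, error) {
	var f SensitiveFields
	gcm, err := newGCM(key)
	if err != nil {
		return f, err
	}
	if len(r.Blob) < gcm.NonceSize() {
		return f, errors.New("stored blob too short")
	}
	nonce, ct := r.Blob[:gcm.NonceSize()], r.Blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, []byte(r.CustomerID))
	if err != nil {
		return f, err
	}
	return f, json.Unmarshal(plaintext, &f)
}

// LeaksPlaintext reports whether a stored row still contains the given
// sensitive value in the clear, i.e. what someone dumping the table would see.
func LeaksPlaintext(r StoredRecord, secret string) bool {
	return bytes.Contains(r.Blob, []byte(secret))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	in := SensitiveFields{Name: "Ada Example", DriverLicence: "DL-000000", Email: "ada@example.com"} // constructed
	row, err := Seal(key, "cust-0001", in)
	if err != nil {
		panic(err)
	}
	fmt.Printf("row %s: %d opaque bytes, licence visible in dump: %v\n",
		row.CustomerID, len(row.Blob), LeaksPlaintext(row, "DL-000000"))
	out, err := Open(key, row)
	fmt.Println("decrypt with key:", out.Name, err)
	row.CustomerID = "cust-0002" // attempt to re-point the ciphertext at another customer
	_, err = Open(key, row)
	fmt.Println("decrypt after re-pointing row:", err)
}
```

The design point is the one the paragraph makes: a stolen table of these rows contains only customer IDs and opaque bytes, and a breach of it is a very different event from a breach of plaintext records. The protection holds only if the key is not stored with the data, which is why the key lives behind a separate service and why “encrypt everything” has to be paired with key management rather than treated as a checkbox.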
If the severity of successful data breaches continues to grow, it’s likely that consumer and shareholder advocacy groups will increase pressure on the federal government to adopt a ‘gloves-off’ approach such as GDPR-like legislation. There is no need for Australia to reinvent the wheel to ensure data protection is taken seriously.