Inside Australia’s data breach endemic

The second half of 2022 has witnessed a cascade of data breaches targeting Australia. Some of the country’s most prominent organisations, with sophisticated approaches to preventing cybercrime, have come under attack. 

In September, telecommunications giant Optus was hit by one of the worst data breach in Australia’s history, with about 10 million customers – about 40% of the population – having personal data stolen.

The following month, just two weeks after Optus, Australia’s largest telecoms firm Telstra said an intrusion of a third-party organisation exposed some parts of employee data going back to 2017. Then online marketplace MyDeal – a subsidiary of retail giant Woolworths – had a breach that exposed the data of some 2.2 million customers.

In November, private health insurance provider Medibank revealed that it had data stolen belonging to 9.7 million past and present customers and the files included health claims data for almost half a million people.

There have been other attacks in the same period, with EnergyAustralia stating that 323 residential and small business customers were impacted by unauthorised access to their online platform. Wine dealer Vinomofo also experienced a cybersecurity incident where an unauthorised third party accessed its database.

The frequency and sometimes scale of the breaches left the country reeling from the impact, but also fearful that the pattern may continue for the rest of the year and into 2023.

Why are Australian firms being targeted?

“This is a time for all Australians – the community, business and law enforcement – to stand together and refuse to give these criminals the notoriety they seek,” said Australian Federal Police commissioner Reece Kershaw in the wake of the Medibank attack.

“Can I make a plea to business: Ensure your systems are protected. Cybercrime is the break and enter of the 21st Century and personal information is being used as currency,” added Kershaw.

So what does this increase in data breach activity in Australia mean? Are Australian organisations being targeted for specific reasons? And how can risk managers in the region become more resilient?

“It’s difficult to definitively say whether or not there has been an absolute increase in data breaches – no one person or organisation anywhere has a total view of all incidents,” said Jim Fitzsimmons, principal, Control Risks.

“We do know that Australia’s regulations on reporting data breaches have become more stringent. What is different in the second half of 2022 is the high profile of the companies that were successfully attacked.”

Fitzsimmons said that when critical infrastructure operators or health care services are successfully attacked, a sizeable percentage of Australians are impacted. “It is not about an increase in data breaches, it is about the volume and nature of the data of the specific firms who are attacked,” he said.

As for a shared nature of the breaches, Fitzsimmons said the most important commonality was that they are all holders of significant volumes of personal information and, in the case of Optus and Telstra, are furthermore considered as critical national infrastructure (CNI).

“CNI and lots of consumer data attract hackers, at least cybercriminals, as they hope that fear of disruption and public release of information will drive the victim to pay,” he said.

State-sponsored attacks

For Wayne Tufek, director of CyberRisk, a Melbourne-based cyber security advisory, the cause might be more specific: “Some of the activity relates to Russian cybercriminal gangs taking an interest in Australia due to our support for Ukraine following Russia’s invasion.

“The Optus breach was caused – we think, we must wait for the Commissioner’s report – by a test API [application program interface] accidentally exposed to the internet. Telstra’s breach was with a third-party organisation that supplied a platform for employee offers and rewards,” said Tufek.

While we wait for further details on the specifics of the attacks, with detailed reports in the pipeline, Tufek said that from the information which have been released, the Medibank incident was likely enacted by a ransomware gang.

“Credentials were purchased on the Dark Web and used to gain access to the Medibank network. Various controls had undoubtedly been circumvented, if they were in place at all, but I think everything at the moment is speculation until the report comes out. Then we can unpack what happened and understand the root causes,” he said.

Outdated regulations

Tufek explained that what is common between these incidents is likely not IT-related but specific to the country’s antiquated Privacy Act, written in 1988.

“Things have changed a fair bit since then, and the law should be updated to reflect the present. I applaud the government for introducing measures to increase the fines payable for breaches of the act, but more needs to be done to update our Australian Privacy Principles and to ensure they are actively enforced by the regulator,” said Tufek.

The Australian government has been quick to respond to the data breaches. Its new legislation exponentially increases the financial penalties that entities face for repeated or serious privacy breaches. The current maximum penalty is A$2.22 million set down by the Privacy Act 1988.

However, under the proposed Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, the penalty will increase to whichever is the greater of an A$50 million fine, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.

“From my experience working with our clients over the last few weeks, senior management has a great deal of interest in understanding their organisation’s cybersecurity posture, especially API security,” said Tufek.

“I think that the Privacy Act will be completely revised. The new fine regime, hopefully passed by the Senate soon, should encourage organisations to invest more in cybersecurity. The government should also seriously consider introducing Director’s liability for data breaches to drive appropriate behaviours from the top.”

Time for zero trust

Risk managers should accept that this kind of risk cannot be eliminated. “The focus for many years in cyber security has been on the mitigating controls with relatively little attention paid to managing the business impact of cyber security incidents,” said Fitzsimmons.

“Controls are limited and it is a losing race to try to keep up with and manage all the known and unknown vulnerabilities the controls are subject to. More mature risk teams understand that while controls are important, so is planning and preparing for cyber security incidents.”

This means identifying and documenting relevant, real-world cyber risks, developing plans to manage the business impact and exercising those response protocols and practices.

“We see most organisations have invested time and planning with developing technical response and business continuity plans, but have no planning at all for the business leadership that must manage the financial, operational, reputational and regulatory impacts of incidents,” said Fitzsimmons.

“Technical problems are relatively straightforward to solve, but as we have seen in the incidents this year, managing the business impact is a complex process with its own inherent risks.”

Too many companies treat cyber security incidents as technical problems. As a result, they are unprepared to manage the impact to their business in the face of operational disruption, reputational damage, regulatory sanction and the financial fallout of all of those.

Cybersecurity is an increasingly complex problem, but the right mix of controls can substantially mitigate the risk of a data breach and ransomware attack.

“Data breaches are inevitable, but data loss is not, and a comprehensive security program that addresses both technical and human risk must be considered the norm now,” said Tufek.

“To begin, I recommend organisations work through the Five Knows developed by Telstra and start there, adopt a control framework like ISO 27001, continually test their security posture and educate their people on safe cyber practices,” added Tufek.