EDITOR'S DESK: Australian Cyber Security Magazine, ISSUE 14, 2022
With the national attention on significant data breaches in recent months, it is notable that between January and June 2022 the Office of the Australian Information Commissioner (OAIC) observed a 14 percent decrease in reported breaches compared to July to December 2021. This appears to be in contrast to the ACSC Annual Cyber Threat Report 2022, which reported that the ACSC received over 76,000 cybercrime reports, an increase of nearly 13 percent from the previous financial year. This equates to one report every 7 minutes, up from one every 8 minutes in the previous financial year.
In the first half of 2022, the OAIC was notified of 396 data breaches. Of these, 162 notifications (41 percent) were a result of a cyber security incident, of which the top sources were ransomware, phishing and compromised or stolen credentials.
Despite the overall fall in notifications, the data trended upwards in the later part of the period and draws attention to an increase in larger scale breaches and breaches affecting multiple entities. There were 24 data breaches reported to affect 5,000 or more Australians, four of which were reported to affect 100,000 or more Australians. All but one of these 24 breaches were caused by cyber security incidents.
An annual ransomware survey by McGrathNicol Advisory found that almost seven in ten (69 percent) businesses have now experienced a ransomware attack in the past five years which is a significant increase from 31 percent in 2021. In the event of a ransomware attack, four in five (79 percent) businesses chose to pay the ransom and the average cyber ransom amount paid was $1.01 million, consistent with the year prior. The average amount that businesses would be willing to pay almost doubled to $1,288,608 compared to $682,123 in 2021.
The research also found that many businesses are over-confident in their ability to respond to a ransomware attack, when the reality is that many are still very unprepared. Almost four in five (78 percent) businesses believe that their organisation is ‘well prepared’ to respond to a cyber-attack, with half (51 percent) reporting that they are ‘very prepared’. However, this is at odds with other details in the research, which found that 13 percent of businesses said it took them two days or longer to inform all relevant stakeholders, whilst three in ten (28 percent) are unsure whether an attack would be reported to all stakeholders. Alarmingly, one in five (20 percent) large businesses with more than 1,000 employees admit that they did not report the attack to all stakeholders, a potential indicator of under-reporting to the OAIC.
Alongside business, analysis of a survey of almost 3,500 adults during October 2022 by the Australian National University determined that 32.1 percent (or 1 in 3) said that they or a member of their household had been the victim of a data breach.
These statistics are not surprising. The Optus data breach in September was shaping up as Australia’s worst. Optus faced a USD 1 million ransom demand, with the personal information of over 11 million Australians and 3.66 million driving licence numbers compromised.
To coincide, the Australian Government scrambled to introduce reforms and announced an increase to the existing maximum penalty of AU$2.22 million set down by the Privacy Act 1988. Under the bill, the penalty will increase to whichever is the greater of an AU$50 million fine; three times the value of any benefit obtained through the misuse of information; or 30 percent of a company’s adjusted turnover in the relevant period.
The significance of the Optus breach coincided with other serious breaches, including against online retailers, energy providers and defence contractors. Then came a tsunami, the Medibank Private breach.
In a series of WhatsApp messages and emails posted online, REvil, a ransomware group with ties to Russia, a country at war with Ukraine, threatened to “do everything in our power to inflict as much damage as possible for you, both financial and reputational,” if negotiations broke down and the health insurer refused to pay.
The Medibank breach represents the worst-case scenario in terms of the compromise and exposure of civilian personal information and medical records. Not paying the ransom was the correct decision. It is abhorrent to have this data posted onto the dark web, but serious questions need to be answered about how this data was stored and why it was vulnerable to attack. This is the ‘Crown Jewels’ of Australia’s individual civilian data and should have been appropriately safeguarded. Allowing this information to be accessible and exfiltrated makes the Medibank Private Board of Directors and CEO culpable. Given recent findings into the Crown Casino business operations and its board, I’d suggest a similar interrogation of Medibank Private and Optus awaits.
Practically every relevant Australian Government agency is now involved. The REvil group has been active and successful for some time, including with significant attacks in the US and elsewhere. The combined operations between the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) to commence offensive cyber operations are not new either; they have had this offensive cyber capability since 2017. In addition, law enforcement and intelligence operations will be underlined by investigations by the OAIC and the Australian Communications and Media Authority. But other than increasing penalties on the business community, little has changed: the REvil group and ransomware gangs like them will continue to be a scourge on the internet. This is the modern version of transnational organised crime, something we have been grappling with for decades!
As Official Media Partners for Australian Cyber Week 2022, November 14-18, the national flagship event from Australia’s cyber security growth network, AustCyber, we’re pleased to release this latest digital edition. The week involves events around Australia generating awareness of our national cyber security industry, showcasing local innovation, risk and opportunities, and celebrating one of our most critical industries.
The return of Cyber Week is also centred around the release of AustCyber’s fourth Sector Competitiveness Plan (SCP). Developed with over 60 Australian Cyber Security companies and experts, the SCP represents a critical piece of research that will help shape and inform the cyber security sector in Australia for years to come.
Stay tuned with us and the community via the regular Cyber Risk Meetups and a host of event partners across Australia and the Asia Pacific. We otherwise continue to take a deep dive into the cybersecurity domain and corporate risk management, and throughout we have links through to our Tech & Sec Weekly Series and the latest Cyber Security Weekly podcasts.
On that note, as always, there is so much more to touch on and we trust you will enjoy this edition of Australian Cyber Security Magazine. Enjoy the reading, listening and viewing!
Chris Cubbage
GAICD, CPP, CISA
Executive Editor