Archive: July 2021

1
Uber found to have breached Australian’s privacy following 2016 hack
2
To pay or not to pay the ransom? Organisations may find their decision easier with government guidance
3
Ransomware attacks – is there harm even when nothing is stolen?
4
Would mandatory reporting of ransomware payments cause more good or trouble?
5
New Cyber Security Evaluation Tool released by US Homeland Security for organisations to self-test their security systems
6
New US / Aus cross-border data access regime

Uber found to have breached Australian’s privacy following 2016 hack

By Cameron Abbott and Jacqueline Patishman

In 2017, Uber disclosed to the Office of the Australian Information Commissioner (OAIC) a breach of its some 57 million global users and driver’s personal information (including approximately 1.2 million Australians). Last Friday, the OAIC determined that Uber had breached the Australian Privacy Act by failing to take reasonable steps to protect Australian’s personal information from unauthorised access.

Read More

To pay or not to pay the ransom? Organisations may find their decision easier with government guidance

By Cameron AbbottRob Pulham and Jacqueline Patishman

The Cyber Security Advisory Committee (an industry based advisory panel established by the Minister for Home Affairs to provide independent strategic advice on Australia’s cyber security challenges) has recommended in its annual report that the federal government develop a clearer policy position on the payment of ransoms by organisations that have suffered ransomware attacks.

Read More

Ransomware attacks – is there harm even when nothing is stolen?

By Cameron Abbott and Ella Richards

In November 2020, accounting and consulting firm Nexia Australia (Nexia) was alerted to a “REvil” ransomware attack taking place within its system. The attackers threatened to post personal information of Nexia’s clients, customers and staff online unless it paid a $1m ransom within 72 hours.

It was reported that the hackers appeared to have posted Nexia’s confidential files onto the dark web; however, further investigation revealed that the hackers had merely posted screenshots of Nexia’s files. Realising this, Nexia dismissed the threat and refused to pay the ransom.

But it didn’t end there.

Shortly after the attack, a news service found the Nexia screenshots on the dark web and publicised that the company’s confidential information had been stolen and shared. Not only did Nexia have to reassure panicking clients that their confidential information remained uncompromised, it had to convince the Australian Securities and Investments Commission, the Australian Federal Police and the Privacy Commissioner that nothing of concern had been taken.

It doesn’t help that ransomware-as-a-service is becoming an increasingly lucrative business for cybercriminals to launch this type of attack. All that is needed is off-the-shelf malware, a wallet of cryptocurrency and it’s ready to deploy against an unsuspecting organisation.

The attack on Nexia demonstrates that even if there is no evidence that confidential information has been leaked, organisations can still suffer significant damage. The cost of reassuring stakeholders and mitigating reputational harm can almost match the consequences of a full blown attack.

As Warren Buffet famously quoted, “It takes 20 years to build a reputation and 5 minutes to ruin it”.  While Nexia recovered valiantly, this serves as a lesson that even when unsuccessful, the public ramifications of a ransomware attack are not to be underestimated.

Would mandatory reporting of ransomware payments cause more good or trouble?

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

Last month, the federal opposition (Shadow Assistant Minister for Cyber Security) introduced the private member’s Ransomware Payments Bill (the Bill) that proposes to make it mandatory for all Australian businesses and government agencies to notify the Australian Cyber Security Centre (ACSC) before paying a ransom to a ransomware attacker. Failure to notify will attract a penalty of 1,000 penalty units ($181,740).

Read More

New Cyber Security Evaluation Tool released by US Homeland Security for organisations to self-test their security systems

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

The United States Department of Homeland Security has developed the Cyber Security Evaluation Tool (CSET) which provides a systematic (and repeatable) process that critical infrastructure asset owners can use to assess and improve their cyber security management systems. This tool has a particular focus on the security of industrial control systems and information networks.

Read More

New US / Aus cross-border data access regime

By Cameron AbbottWarwick Andersen and Jacqueline Patishman

The Telecommunications Legislations Amendment (International Orders) Bill 2020 has just cleared both houses of parliament. The new bill establishes a reciprocal cross-border data access regime between the United States and Australia which will allow for cross-border communications between foreign governments for national security and law enforcement purposes.

Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.