Category: Breaches

1. Major privacy and security breaches confirmed this week: Westpac, the ANU and Princess Polly targeted
2. PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK
3. Surveillance software targets WhatsApp users
4. Scammers are becoming more tech-savvy according to the ACCC’s Targeting Scams report
5. PROPOSAL TO INCREASE PENALTIES FOR PRIVACY BREACHES
6. Tourists aren’t the only thing visiting London’s hotspots
7. Ransomware attack hits the state of Georgia
8. Ratings agency starting to factor in Cyber risk profile
9. Cyber attacks becoming commonplace: Different industries, similar methods
10. Major political parties join the Federal Parliament in the February data breach

Major privacy and security breaches confirmed this week: Westpac, the ANU and Princess Polly targeted

By Cameron Abbott, Allison Wallace and Rebecca Gill

It’s been a chilly start to winter for three Australian organisations, which have this week reported major privacy and security breaches.

Up to 100,000 Australians’ personal information has been exposed in a hack affecting Westpac Bank. Westpac confirmed on Monday that details of Australian bank customers (not just those of Westpac) were exposed in a cyberattack on real time payments platform PayID. The banking giant says it noted a high volume of PayID lookups in 2019 on a semi-daily basis. These were the result of attackers trying to guess phone numbers: a correct guess would give them the name of the account holder to which the number is linked. Despite the hack, Westpac says that no customer bank account details were compromised as a result of this cyberattack. Nevertheless, experts warn that the details accessed could still be used to commit fraud.


PwC’s Enforcement Tracker finds a large increase in fines for privacy breaches in the UK

By Cameron Abbott and Rebecca Gill

PwC’s UK Privacy & Security Enforcement Tracker has found that fines in the UK over data protection law violations totalled £6.5 million in 2018, a £2 million increase from 2017.

The Tracker analysed data protection enforcement actions by the UK Information Commissioner’s Office (ICO), including monetary fines, prosecutions and undertakings. The Tracker shows that the total sum of fines increased from 2017, but the number of ICO enforcements fell to 67 in 2018 from 91 in 2017.


Surveillance software targets WhatsApp users

By Cameron Abbott, Rob Pulham and Michelle Aggromito

Unfortunately for all of us, Privacy Awareness Week doesn’t mean a chance to take a break from seemingly endless data breach notifications and social media vulnerabilities.

This week it’s WhatsApp’s turn, with reports that hackers, or, as WhatsApp described them, “an advanced cyber-actor”, have been able to remotely install surveillance software on phones and other devices of select targets, likely to be lawyers, journalists, activists and human rights defenders. The hackers were able to compromise the devices by using WhatsApp’s call function to ring the devices. The surveillance software was still installed even if the call was not picked up, and the call reportedly would disappear from the compromised device’s call log. This means the malware could be installed without any action from the compromised user – and potentially without them even being able to determine that they had been compromised.


Scammers are becoming more tech-savvy according to the ACCC’s Targeting Scams report

By Cameron Abbott and Rebecca Gill

Australian businesses and consumers were duped into paying scammers nearly half a billion dollars in 2018, according to the ACCC’s Targeting Scams: Report of the ACCC on scam activity 2018 (Report). The Report also highlights the use of sophisticated technology by scammers.

According to the Report, the most financially harmful scam affecting Australian businesses was the ‘business email compromise’ (BEC) scam. This involved a scammer gaining access to a business’s entire email or IT system. The scammer would then impersonate the business and send emails to suppliers and customers of the business, advising changes to payment details.


PROPOSAL TO INCREASE PENALTIES FOR PRIVACY BREACHES

By Cameron Abbott and Rebecca Gill

In light of concerns over how personal data is being used by social media platforms and tech companies, the Commonwealth Government has proposed amendments to the Privacy Act in order to more harshly penalise companies for privacy breaches. The new regime, which aims to update Australia’s privacy laws in line with increased social media use, will see tougher penalties for all entities that are subject to the Privacy Act, not just the headline companies like Google and Facebook.

The Commonwealth Government proposes to increase the penalties for serious or repeated breaches by such entities from $2.1 million to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover – whichever is the greater value.


Tourists aren’t the only thing visiting London’s hotspots

By Cameron Abbott and Ella Richards

Over 100 million cyber-attacks have hit London’s top tourist attractions over the past few years, signalling that hackers are turning their attention to the treasure trove of customers’ personal data and related opportunities for ransomware attacks.

Kew Gardens experienced an incredible 86 million attacks during 2018 and has seen a 438% increase in attacks year-on-year. Personal and financial details of over 100,000 of its members and over 800 staff are highly sought after, with 82 million spyware attempts and 1.6 million information-stealing attempts last financial year alone. Although Kew Gardens have performed admirably in mitigating the attacks, a major server breach in 2017-2018 and an incident involving a compromised email address managed to slip through.

Imperial War Museum was the next highest target, with over 10 million cyber security incidents spread over three years and 8 successful ransomware attacks within that time. The Natural History Museum tallied 875,414 cyber-attacks over three years, of which 26,610 were considered ‘unmitigated’ threats.

Lastly, Tate Gallery (which oversees the Tate Modern and Tate Britain galleries) was subject to 494,709 attacks last year alone; however, only four attacks featuring malware and phishing software were successful.

These attacks demonstrate hackers’ increasing focus on personal and financial data, which tourist hotspots and museums collect in enormous volumes on a daily basis. Sheila Flavell (COO of FDM Group) points out that in the wake of these incidents, the UK needs to increase its level of cyber expertise by attracting more people into the tech industry. We agree there are not going to be many unemployed cybersecurity consultants with this sort of scale of activities!

Ransomware attack hits the state of Georgia

By Cameron Abbott and Ella Richards

Jackson County in Georgia has been held to ransom after cyber-attackers deployed ransomware that crippled the government’s IT network for 2 weeks. Government officials resorted to coughing up $400,000 in bitcoin to pay the ransom, desperately trying to get out of the offline ‘pen and paper’ situation the attack had left them in. The suspected ransomware, ‘Ryuk’, caught the eye of the authorities at the end of 2018 after it started affecting the printing presses of Tribune Publishing. Due to the highly problematic decryption tool that is provided once the ransom is paid, Ryuk has the frightening capacity to destroy businesses which cannot survive downtime or do not have restorable backups.

Read further about the incident here: https://www.bankinfosecurity.com/georgia-county-pays-400000-to-ransomware-attackers-a-12159

Ratings agency starting to factor in Cyber risk profile

By Cameron Abbott and Wendy Mansell

A recent report released by Moody’s Investors Service has shed some light on which business sectors are most at risk of cyberattacks.

After assessing 35 broad sectors, it was concluded that banks, hospitals, security firms and market infrastructure providers face the highest risk. This was based on levels of vulnerability and the potential impact an attack would have.

The key determining factors for these sectors are their strong reliance on technology and the vital role of confidential information in their operations.

The financial repercussions following a cyberattack in each of these sectors are extremely significant when considering the costs of insurance, penalties, consumer impact, potential litigation costs, R&D and technological impact, to name a few.

The financial market is so high risk because of the financial and commercial data it holds and the ever-increasing extent to which its services are being offered digitally across multiple platforms, such as banking mobile and smart watch apps.

On a similar note, because medical records are primarily collected and held in electronic form, hospitals are very attractive to hackers given the sensitive nature of the data.

While the industries should not be a shock to the reader, it is important for participants in those industries and for suppliers to those participants to realise the risk profile that attaches to them and have procedures in place reflective of those risk levels. How one manages these risks is now likely to have indirect cost implications when you see ratings agencies like Moody’s assessing these sorts of areas.

Cyber attacks becoming commonplace: Different industries, similar methods

By Cameron Abbott and Ella Richards

Popular car manufacturer Toyota has been hit by a malicious attack rendering their employees completely unable to access their emails. It is unclear whether any customer or employee data has been accessed, and Toyota is going to extensive efforts to discover the origin of the attack.

Staff who are powering on despite their access restrictions have been told to use face-to-face, phone and text communication until the emailing system is back online. Can you imagine!

Although the central server system is inaccessible, dealerships are continuing to operate normally, except for being able to provide customers with the date they’ll receive their exciting new car.

Additionally, Melbourne Heart Group was subject to a cyber attack which completely locked them out of their filing system. 15,000 files were scrambled and held for ransom after a cyber crime syndicate hacked into their server, blocked all access to files and demanded a cryptocurrency payment be made.

Melbourne Heart Group is based at Cabrini Hospital in Malvern, but the separation of their systems ensured that no Cabrini operations were affected. Even though a payment was made to decrypt their servers, information, including patient details and sensitive medical records, is yet to be recovered.

Payment in these situations is always troubling: it means dealing with faceless individuals and having to trade in cryptocurrencies in order to chart a course to the fastest resolution.

Major political parties join the Federal Parliament in the February data breach

By Cameron Abbott and Ella Richards

Following an unprecedented surge in cyber attacks against Australian businesses, an attack on Australia’s political infrastructure was imminent. New information reveals that the cyber attack against the Federal Parliament earlier this year was accompanied by yet another directed towards the Liberal, Labor and National parties.


Copyright © 2024, K&L Gates LLP. All Rights Reserved.