Last week, a ransomware attack on the world’s largest meatpacking company caused a temporary shut-down of its operations in Australia and North America. The attack infiltrated the company’s quality assurance systems and ultimately prevented normal production.
News reports have revealed that Lion Beer Australia has suffered a second cyberattack within a week of falling victim to a ransomware attack. While Lion continues to recover from the first cyberattack, it must now investigate, respond and recover from this second attack.
Today, Lion announced it had received reports of Lion document lists posted online in recent days. It is continuing to investigate if any data has been removed from its system. Lion has also advised relevant authorities and regulators of the first incident.
The Federal Court of Australia has suffered a catastrophic data breach in which the names of individuals seeking protection visas in Australia have been published on the publicly available Commonwealth Courts Portal database for years.
Ordinarily, the files of such applicants are listed by pseudonyms which are a collection of numbers and letters.
Optus has been fined $504,000 by the Australian Communications and Media Authority (ACMA) for breaching spam laws, according to articles by the ABC and the SMH. The fine is the second largest awarded in ACMA’s history, being just $6,000 shy of the $510,000 fine which was slapped on Telstra in 2014 for missing service standards for urban landline connections.
Despite customers notifying Optus of their wish to opt out or unsubscribe from such messages, an ACMA investigation found that customers still received the relevant messages, resulting in more than 2 million breaches of the Spam Act 2003 (Cth). Rather than a ‘one-off’ issue, it was found that Optus had systemic deficiencies in its compliance procedures and governance.
By Cameron Abbott and Karla Hodgson
The Office of the Australian Information Commissioner has released its Q2 statistics on notifications received under the Notifiable Data Breach (NDB) scheme. The 245 breach notifications in Q2 are on par with every other quarter since the scheme was introduced in July 2018, and while the majority of NDBs (62%) are attributed to malicious or criminal attacks, we noted with interest that a staggering 34% are due to human error – that is, mostly avoidable errors made by staff. A consistent theme of our blogs is reinforcing the message that employees are the front line of defence for organisations.
There are 3 key statistics we took away from these human error NDBs.
It’s been a chilly start to winter for three Australian organisations, who’ve this week reported major privacy and security breaches.
Up to 100,000 Australians’ personal information has been exposed in a hack affecting Westpac Bank. Westpac confirmed on Monday that details of Australian bank customers (not just those of Westpac) were exposed in a cyberattack on real time payments platform PayID. The banking giant says it noted a high volume of PayID lookups in 2019 on a semi-daily basis, which was a result of attackers trying to guess phone numbers, which, if guessed correctly, would give them the name of the account holder to which the number is linked. Despite the hack, Westpac says that no customer bank account details were compromised as a result of this cyberattack. Nevertheless, experts warn that the details accessed could still be used to commit fraud.
The Office of the Australian Information Commissioner (OAIC) has released its fourth quarter report of notifiable data breaches for October to December 2018.
The report revealed that the OAIC received 262 notifications of data breaches, up from the 245 notifications reported the previous quarter. Below are the key findings from the report:
- The OAIC report identified the top five sectors that reported data breaches. Private health service providers reported 54 breaches, the finance sector reported 40 breaches, professional services reported 23 breaches, private education providers reported 21 breaches and the mining and manufacturing industry has made its first appearance with a reported 12 breaches.
- 85% of data breaches involved individuals’ contact details, 47% involved financial details, 36% involved identity details, 27% involved health details, 18% involved tax file numbers, and 9% involved other types of personal information.
- The sources of breach varied, with 64% of data breaches due to malicious or criminal attack, 33% due to human error, and 3% due to system faults.
- The report also breaks down the breach types per industry. Interestingly, the finance sector experienced the most malicious cyber attacks, and human error dominated the healthcare sector.
Even though 60% of the total breaches involved personal information of 100 individuals or fewer, there were a couple of notifications affecting a significantly higher number of individuals (including one that affected more than 1 million individuals). Human error breaches resulting in the unauthorised disclosure of personal information (via unintended release or publication) impacted an average of more than 17,000 individuals per breach (though this average seems likely to have been skewed by some particularly large breaches), and the failure to securely dispose of personal information affected an average of 300 individuals per breach.
Most data breaches resulted from malicious attacks which gained access through compromised credentials (such as phishing emails or stolen usernames and passwords). So, if you believe that the email from your CEO requesting your bank details for your exorbitant raise is legitimate, think again!
By Cameron Abbott and Wendy Mansell
It has been a fairly turbulent week in the cyber-espionage space following accusations that China’s Ministry of Security Services is behind the surge of intellectual property theft from Australian companies.
The news that the persistent attacks on Australian IP are perhaps a State-sponsored campaign by the Chinese government is concerning, as it suggests that China is in breach of several international and bilateral agreements.
In 2015, an agreement was made between Chinese President Xi Jinping and former President Obama that the U.S. and China would not steal intellectual property from one another for commercial gain. This was furthered at the November 2015 G20 Summit, where the cyber-theft of IP was accepted as the norm.
Following on from this, in September 2017, former Prime Minister Malcolm Turnbull and Chinese Premier Li Keqiang promised that neither country would engage in cyber-theft of intellectual property and commercial secrets.
Reports of cyber-theft declined immediately after these agreements; however, in recent months they have ramped up again.
A U.S. Trade Representative report released this week confirms that despite any international agreements, China has continued engaging in cyber-espionage and the theft of intellectual property. Further, the report states that not only is China likely to be in breach of these agreements, but the attacks have “increased in frequency and sophistication”.
Notably, in July of this year, China was linked to the cyber-breach of the Australian National University. This attack was particularly disturbing given that ANU is a leading university involved in key areas of Australian technological, scientific, defence and commercial research. It is fascinating that cyber attacks and theft are a “norm” that is accepted within our overall international relationships. Physical acts of a similar nature would not be so easily accepted.
By Cameron Abbott and Colette Légeret
In response to a cyber-attack on the administrative systems of Bristol airport, believed to be ransomware, the airport took a number of applications down as a precautionary measure, including the application that provides flight data for flight information screens.
Navigating the political terrain and party politics can be a treacherous journey for any politician.
Recently, we have been captivated by a political misstep that involved the tabling of approximately 80,000 confidential and unredacted Cabinet documents of a former Government in the Victoria Parliament. In usual circumstances, these documents would have remained confidential for 30 years, unless the former Government consented to the release of the documents. However, in an attempt to seek an advantage in the political arena, the Victorian Government of the day decided to release these documents in Parliament and online.