- full details on our 2023 Cyber Risk Survey and our podcast on cyber class action risks;
- highlights from the AFR Cyber Summit, including announcements relating to Australia’s Cyber Security Strategy by Minister Clare O’Neil MP, some warnings from ASIC Chair Joe Longo, and insights from industry experts;
- various industry reports on the cyber threat landscape;
- the OAIC’s latest Notifiable Data Breaches Report, highlighting the leading sources of data breaches and emerging issues; and
- recent reported cyber incidents.
HSF has surveyed legal leaders from over 100 organisations (including 80-plus General Counsel) who provided insights into the proficiencies, processes and preparedness of Australian businesses in the event of a cyber-attack. We unpack the views of in-house counsel on various cyber hot topics including cyber extortion, board readiness, cyber resilience, incident response, threat actor negotiations, the regulation of cyber and cyber insurance. The results of our Cyber Risk Survey 2023 (published on 18 September) can be viewed here. See also LawyersWeekly article (26 September), Lawyerly article (18 September), and AFR article (18 September).
This month, Christine Tran, Christine Wong and Brendan Donohue discuss the growing area of cyber class actions in Australia and the associated regulatory investigation risks, including current activity, challenges, areas of reform and practical tips. Have a listen to what they have to say here.
The AFR Cyber Summit, sponsored by HSF, took place on 18 September in Sydney. It focussed on providing insights to senior management, including what they need to know in order to safeguard businesses and manage cyber incidents. HSF’s Cameron Whittfield (Lead Partner, APAC Cybersecurity) presented on a panel titled ‘How to deal with hackers.’
Key media reports on, and keynote speakers at, the Cyber Summit are summarised or extracted below.
AFR – 18 September 2023
This article looks at the preparedness of boards and references the HSF Cyber Risk Survey, noting that half of Australian boards remain undecided on whether they would be open to paying a ransom. Cameron Whittfield, HSF Partner, discusses how boards could be left vulnerable “in the heat of the battle” if they failed to consider these issues beforehand. See also The AFR (print edition), CFOtech Australia, SecurityBrief Australia, Australian Cyber Security Magazine, and National Cyber Security.
AFR – 19 September 2023
This article focuses on a key theme of the Cyber Summit, cyber resilience, and analyses challenges in achieving national cyber resilience. It shares the views of Clare O’Neil MP, Minister for Home Affairs and Cyber Security, and of industry experts, that, while Australia cannot prevent all attacks, businesses and government agencies could do more to be prepared and recover from attacks quickly. The article also notes that the confusion, uncertainty and conflicting expectations arising out of divergent regulatory forces undermine national resilience.
AFR – 18 September 2023
This article looks at recent high profile cyber incidents and the flow on impacts to Australian businesses. It also looks at the issues associated with information sharing and transparency.
AFR – 18 September 2023
This article presents the views of security experts on why critical infrastructure operators should adopt an ‘adversary mindset’ to protect their systems, including when hunting down vulnerabilities, vetting suppliers and reviewing stored data regularly. It also considers how changes to the geostrategic landscape (eg the Russo-Ukrainian conflict) translate into the cyberthreat environment.
AFR – 18 September 2023
This article presents observations from chief security officers at top Australian organisations on the importance and challenges of threat information sharing and their views on how the Australian Government should use information that companies collect on hackers to fight cybercriminals, actively block cyber threats and minimise system disruption.
AFR – 18 September 2023
This article shares insights from industry experts and Australia’s National Cyber Security Coordinator on how cyber criminals’ existing use of generative AI, including to craft more persuasive scams, has been changing the nature of cybercrime, and the emerging cyber threats posed by AI and other technological advances such as quantum computing.
Our summary of the AFR Cyber Summit keynotes.
Clare O’Neil MP, Minister for Home Affairs and Cyber Security
Clare O’Neil MP, Minister for Home Affairs and Cyber Security, discussed various policy actions initiated by the Federal Government since last October and outlined six “cyber shields”, the basis of the proposed Cyber Security Strategy, ahead of its release. More details on the shields will reportedly be provided when the 2023-30 Australian Cyber Security Strategy is released, anticipated to be before the end of the year. The Minister also addressed the question of cyber security standards for connected devices.
Darren Goldie AM CSC, National Cyber Security Coordinator
During his keynote, Darren Goldie AM CSC outlined his role in leading the country’s response to major incidents, including how he assisted law firm HWL Ebsworth over a 16-week period in response to the breach impacting the firm.
To read the keynote, please see Air Marshal Darren Goldie address. See also HWL Ebsworth attack impacted 65 government entities (19 September), NCSC concludes formal response to HWL Ebsworth hack (18 September) and Transparency challenges (18 September).
Joe Longo, Australian Securities and Investments Commission (ASIC) Chairman
ASIC Chair Joe Longo’s address concentrated on the importance for organisations of proactively managing cyber risks, particularly third-party risks. He stressed that cyber security and cyber resilience, including the oversight of cyber risks throughout the supply chain, must be a “top priority” for boards, and warned that failure to ensure adequate measures are in place exposes directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.
Mr Longo emphasised the need to go beyond security alone to build resilience, and that a company’s ability to mitigate cyber threats requires regular testing (including of third parties), alongside ongoing reassessment of cyber risks, to ensure that its response to and recovery from an incident are sufficient.
Cyber Security Connect – 8 September 2023
This article reports on Clare O’Neil MP’s announcement that 87 new ‘critical infrastructure assets’ have been declared as systems of national significance, bringing the total to 186 across the communications, energy, transport, financial services and IT sectors.
Technology Decisions – 25 September 2023
This article reports that the Australian Prudential Regulation Authority (APRA) has spotlighted the need for financial institutions to better manage the third-party risks that lead to cyber-attacks. As part of an organisation’s third-party cybersecurity strategy, APRA encourages annual reviews to enhance security training and awareness, as well as a continuous third-party and internal program to detect, mitigate and respond to threats.
The West Australian – 23 September 2023
This article reports that the Australian Federal Police (AFP) has managed to recoup $45 million from online thieves originating in Africa and Eastern Europe who targeted Australian businesses. The money has been returned to businesses in the past three years and represents almost half of cyber criminals’ haul from email scams in 2021/22 alone. The AFP published a media release further discussing how investigators were able to thwart onshore and offshore cyber criminals.
The Daily Telegraph – 20 September 2023
This article presents the views of Accenture ANZ security lead Jacqui Kernot contending that sacking staff who have clicked on a malicious link will do more harm than good for cyber security, stressing that cyber security awareness teams should use staff mistakes to educate on how to avoid phishing scams in the future. This is in response to an opinion expressed at the Cyber Summit. See also Sack staff who repeatedly click on dodgy emails: IT boss.
Australian Government – Department of Finance Latest News – 29 September 2023
The Department of Finance has released, and is seeking feedback on, the draft Digital Identity Bill 2023, which if adopted will establish a digital identity system allowing Australians to verify their identity to access government and other services without having to repeatedly provide copies of identity documents such as driving licences and passports. Consultation on the Bill is now open and runs until 10 October 2023.
AFR – 15 September 2023
This article presents the view of the Central Intelligence Agency’s former chief information security officer, Michael Mestrovich, that Australia’s mineral resources make it an attractive target for China. Mr Mestrovich shares his knowledge of modern-day espionage, with a particular focus on cyber surveillance, and the importance of Australians taking cybersecurity more seriously.
AFR – 5 September 2023
This article includes interviews with four women in leading cyber security roles about their careers, where they think Australia has made the most progress in cyber security, and their key concerns. The four interviewees are Stephanie Crowe (Head of the ASD’s Cyber Security Resilience division), Narelle Devine (CISO of Telstra), Maryam Bechtel (CISO of AGL Energy) and Lynwen Connick (CISO of ANZ).
AFR – 5 September 2023
This article looks at the Optus, Medibank and Latitude Financial cyber incidents and the regulatory, HR, legal, and business-process complexities arising from the attacks.
Bank Info Security – 5 September 2023
This article shares observations of the Australian Information and Privacy Commissioner, Angelene Falk, who has urged organisations to notify those affected by data breaches sooner rather than spending months analysing each incident. The OAIC reported that one organisation compromised by a ransomware attack took more than five months to notify affected customers because it chose to run its forensic investigation and its assessments sequentially rather than in parallel. See also IT News article (5 September).
Barracuda – 20 September 2023
This article reports on how attackers who have already gained access to an email account abuse inbox rules to maintain that access and to exfiltrate information from the corporate network without being detected. Because rules run server-side and persist even after the victim changes their password, the process generates no security warnings for the victim: the attacker files incoming messages in obscure folders, marks them as read, or deletes messages from (or to) the senior executives they are impersonating so that fraudulent payment requests are not noticed. See also Cyber attackers exploiting inbox rules to evade detection (21 September).
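The practical defence for the inbox-rule abuse described above is to review rule creation events rather than wait for the victim to notice. The following is an added example, not code from the Barracuda article, Microsoft, or any vendor product: it triages records shaped like Microsoft 365 Unified Audit Log `New-InboxRule` / `Set-InboxRule` events exported as JSON lines, flagging rules that both hide mail (move to an obscure folder, delete, or mark as read) and filter on finance or security-related subjects or on a specific sender. The folder list, keyword list and the “near-empty rule name” heuristic are assumptions to tune for your own tenant, and the sample records are constructed.

```python
"""Triage Microsoft 365 inbox-rule audit events for the hiding pattern above.

Added example, not code from the Barracuda article or from Microsoft.
Input approximates Unified Audit Log 'New-InboxRule' / 'Set-InboxRule'
records exported as JSON lines (one object per line, each carrying a
Parameters list of Name/Value pairs). All sample records are constructed.
"""
import json

# Folders attackers park hidden mail in because users rarely open them
# (assumed list; extend it with folder names from your own tenant).
OBSCURE_FOLDERS = {
    "rss subscriptions", "rss feeds", "conversation history",
    "junk email", "archive", "deleted items",
}
# Subject keywords typical of payment-diversion fraud and of the security
# warnings an attacker wants the victim not to see (assumed list).
SUSPICIOUS_WORDS = {
    "invoice", "payment", "wire", "bank", "remittance",
    "password", "hacked", "phishing", "suspicious", "security", "mfa",
}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def parse_parameters(record):
    """Flatten the event's Parameters list into a {Name: Value} dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_true(value):
    return value.strip().lower() == "true"


def score_rule(record):
    """Return (reasons, suspicious).

    A rule is suspicious when it both hides mail (move/delete/mark read)
    and filters on finance/security subjects or on a specific sender:
    the combination used to hide fraudulent payment correspondence.
    """
    params = parse_parameters(record)
    reasons, hiding = [], False

    folder = params.get("MoveToFolder", "")
    if folder.lower() in OBSCURE_FOLDERS:
        reasons.append(f"moves mail to '{folder}'")
        hiding = True
    if is_true(params.get("DeleteMessage", "")):
        reasons.append("deletes matching mail")
        hiding = True
    if is_true(params.get("MarkAsRead", "")):
        reasons.append("marks matching mail as read")
        hiding = True

    words = {w.strip().lower()
             for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = sorted(words & SUSPICIOUS_WORDS)
    if hits:
        reasons.append("filters on subject words " + ", ".join(hits))
    sender = params.get("From", "")
    if sender:
        reasons.append(f"targets mail from {sender}")

    # Attackers often give rules a near-empty name ('.', '..', ' ') so they
    # do not stand out in the rules list (assumed heuristic, not a verdict).
    if len(params.get("Name", "").strip()) <= 2:
        reasons.append("near-empty rule name")

    return reasons, hiding and bool(hits or sender)


def triage(lines):
    """Run score_rule over JSON-lines audit records; return the suspicious ones."""
    findings = []
    for line in lines:
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue  # other mailbox audit events are out of scope here
        reasons, suspicious = score_rule(record)
        if suspicious:
            findings.append({"user": record["UserId"],
                             "rule": parse_parameters(record).get("Name", ""),
                             "reasons": reasons})
    return findings


# Constructed sample records (not real tenant data).
SAMPLE_EVENTS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.com",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "SubjectContainsWords", "Value": "newsletter"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "cfo@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "ap.clerk@example.com",
                "Parameters": [{"Name": "Name", "Value": "Clean up"},
                               {"Name": "From", "Value": "ceo@example.com"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "alice@example.com",
                "Parameters": []}),
]


def run_sample():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']}: rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

On the constructed sample the benign “Newsletters” rule is ignored, while the CFO’s “.” rule (invoice/payment/wire mail moved to RSS Subscriptions and marked read) and the accounts-payable rule that silently deletes mail from the CEO are both reported. In production, feed this the output of an audit-log export and treat a hit as a prompt to pull the mailbox’s full rule set and recent sign-in history, since the rule itself is usually the second stage of a credential compromise.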
SecurityBrief – 13 September 2023
This brief includes an interview of Kaspersky expert Saurabh Sharma who flags a prevailing cybersecurity talent gap in APAC, with the region lacking a total of 2.1 million cybersecurity professionals as of 2022. Sharma has pointed to AI as a useful alternative in order to address and boost current defences against evolving threats throughout the region.
BankInfoSecurity – 13 September 2023
This article reports that a threat actor used ShadowPad, a remote access trojan, to target an Asian country’s national power grid earlier this year. The Redfly APT group, which focuses exclusively on critical national infrastructure, was inside the unnamed power grid network for up to six months, compromising multiple computers and stealing credentials.
Insurance News – 11 September 2023
This article presents findings by teams from Guy Carpenter and the Marsh McLennan Cyber Risk Intelligence Center indicating that insurance-linked securities (ILS) are a key source of potential new cyber reinsurance capacity. The teams argue that issuers need to put aside concern over a “perceived correlation” between cyber events and stock market performance; the widespread belief that cyber risk correlates with financial market risk remains a hurdle to attracting new cyber market capacity, with many ILS funds reluctant to deploy capital in cyber transactions.
Proofpoint – September 2023
This article claims that Chinese-speaking hackers have been targeting compatriots with malware using remote access trojans (RATs).
OAIC – 5 September 2023
The OAIC has published its periodic report about notifications received under the Notifiable Data Breaches (NDB) scheme for the period 1 January to 30 June 2023.
Key findings for this report include:
- 409 breaches were notified compared with 486 in July to December 2022 – a 16% decrease;
- malicious or criminal attacks remained the leading cause of data breaches (70%);
- human error breaches were the fastest to be identified with 81% identified in 30 days or fewer;
- the health and finance sectors remained the top reporters of data breaches. Health reported 63 breaches (15% of all notifications) and finance 54 breaches (13% of all notifications); and
- the majority of breaches (63%) affected 100 or fewer people.
See further media release.
Sophos – May 2023
Sophos’ annual study of the real-world ransomware experiences of IT and cybersecurity leaders found that exploited vulnerabilities are the most common root cause of attacks, and explains how organisations’ experiences differ significantly by company revenue.
Key findings from the report include:
- 66% of respondent organisations were hit by ransomware in 2023;
- The rate of ransomware attacks affecting Australian organisations reduced by 10% from 2022 to 2023; and
- Singapore reported the highest rate of ransomware attacks with 84% of surveyed entities being hit.
Cyber Security Connect – 21 September 2023
This article reports on an incident in which the Cactus ransomware gang targeted an Australian data management company.
ABC News – 20 September 2023
This article reports that Pizza Hut revealed it became aware of a cyber incident in early September in which an unauthorised third party accessed some of the company’s data, exposing the personal information of almost 200,000 Australian customers.
IT News – 18 September 2023
This article reports that Dymocks has identified the source of its data breach, which affected 1.24 million customer records, as an ‘external data partner’. The company stated that it had engaged independent forensic experts and is continuing to cooperate with authorities. See also IT News article (11 September) and Cyber Security Connect article (8 September).
Lawyerly – 14 September 2023
This article provides an update on the ongoing data breach class action against Optus and reports that Federal Court Justice Beach reserved his decision on whether Deloitte’s report into Optus’ data breach is protected by privilege, in light of a press release published in October last year giving the impression that CEO Kelly Bayer Rosmarin commissioned the Deloitte investigation for broader purposes rather than for legal advice alone.
Lawyerly – 14 September 2023
The article reports that Maurice Blackburn has taken the OAIC to court after the Privacy Commissioner chose to proceed with a competing representative complaint in relation to the Optus data breach. Maurice Blackburn had filed its complaint on 7 October last year, seeking compensation for customers affected by the data breach. A similar complaint to the OAIC was brought three days earlier by Johnson Winter Slattery.
AFR – 6 September 2023
This article reports that TPG’s Australian pathology business, TissuPath, has suffered a data breach with a decade’s worth of patient request forms being released on the dark web by Russian threat actor BlackCat (ALPHV). TissuPath is believed to have been hit via one of its suppliers, IT firm Core Desktop, in a supply-chain attack. See also CyberSecurity Connect article (6 September).
CyberSecurity Connect – 11 September 2023
This article reports that a second ransomware gang, Rhysida, claims to have accessed the network of Melbourne-based IT firm Core Desktop. Core Desktop was also involved in the TissuPath data breach, which resulted in patients’ health records being published on the dark web by the threat actor BlackCat (ALPHV).
AFR – 8 September 2023
This article reports that the FBI has attributed the theft of US$41 million from the Australia-based cryptocurrency casino Stake.com to the infamous ‘Lazarus Group’ (also known as APT38), a widely known elite hacking group run by the North Korean government.
Lawyerly – 6 September 2023
This article reports that the Supreme Court approved a bid to consolidate two shareholder class actions against Medibank over a cyber-attack that affected 10 million customers. The Court noted that consolidation has the benefit of avoiding the delay, cost and inconvenience that would arise if a carriage contest between the two law firms was to go ahead.
Data Breach Today – 26 September 2023
This article reports that a ransomware group named ‘Ransomed.vc’ has claimed to have compromised Sony’s systems and published a 2-gigabyte compressed data sample on its online leak sites on the clear and dark nets. Sony is currently investigating the situation.
Data Breach Today – 25 September 2023
The number of organisations directly and indirectly affected by the Clop ransomware group’s mass attack campaign against MOVEit from earlier this year has now reached over 2,000. Hundreds of companies have now begun to notify individuals that hackers have stolen their personal information. Notably, the Housing Industry Association (HIA) had customer information it shared with PwC Australia stolen in the MOVEit hack.
IT News – 21 September 2023
MGM, which operates over 30 hotel and gaming venues around the world, said all its hotels and casinos were “operating normally” after it shut down some of its computer systems over cyber security issues earlier this month. The company was targeted by Scattered Spider, a ransomware group known for social-engineering IT help desks by impersonating an employee who needs a password reset. See also Cyber Security Connect article (15 September) and Forbes article (13 September).
ABC News – 20 September 2023
This article reports that the International Criminal Court (ICC) said its computer system had been hacked after detecting unusual activity on its networks, prompting an ongoing investigation. The types of documents stored in the ICC’s network could include anything from criminal evidence to the names of protected witnesses, and there has been no indication of who might be responsible for the system compromise. See also ICC to prosecute cyber war crimes (12 September).
Cyber Security Connect – 12 September 2023
This article reports that USDoD, a ransomware group, has claimed to have detailed information from an Airbus vendor database. The group posted the data on a popular clear web hacking forum on 12 September 2023 along with a small sample of the dataset, including details of high-ranking executives (from companies such as Thales Avionics and Aerolux).
Cybernews – 1 September 2023
This article reports that data of 2.6 million Duolingo customers has been made available on the cybercrime marketplace ‘BreachForums’. The information has been on sale in a hacker’s forum since January with a starting price of US$1,500.