As the Northern Hemisphere summer draws to a close, we have been tracking another busy month in the world of cyber security. We've brought together the top cyber-related news for August so you don't have to, including:

  • an update on the fallout of the MOVEit breach, a freeze on bonuses for Medibank executives following its cyber breach, and Tesla revealing that two former staff were responsible for leaked information in connection with its data breach;
  • an advisory released by the ACSC on 2022's top routinely exploited vulnerabilities and commentary on its role to support organisations in the event of a cyber-attack;
  • regulatory developments including CISA's new 3-year cyber security strategic plan and NIST's Cybersecurity Framework 2.0; and
  • insights into how prepared Australians are for cyber-attacks, attack trends in the last year and the increasing focus of data breaches as today's biggest privacy risk.

News from HSF

AFR Cyber Summit (18 September)

HSF is sponsoring the Australian Financial Review's inaugural Cyber Summit on 18 September in Sydney. The Cyber Summit is likely to be one of the most significant cyber conferences of the year, focusing on safeguarding Australian businesses and managing cyber incidents. The Hon Clare O'Neil MP, Minister for Cyber Security, will deliver the keynote, and HSF's Cam Whittfield (Lead Partner, APAC Cybersecurity) is presenting on a panel titled 'How to deal with hackers'. We will also hear from Air Marshal Darren Goldie AM CSC (National Cyber Security Coordinator), Andy Penn (Chair of the Cyber Security Strategy Expert Advisory Board) and Michael Mestrovich (former CISO of the CIA, former Deputy CIO of the U.S. Department of State, and now CISO of Rubrik). Executive roundtables will be held, and HSF's Managing Cyber Risk Survey 2023 will be released on the same day.

Managing Cyber Risk Survey 2023

HSF has surveyed legal leaders from over 120 organisations, who provide insights into the proficiencies, processes, and preparedness of Australian businesses in the event of a cyber-attack. We unpack the views of in-house counsel on various cyber hot topics including cyber extortion, board readiness, cyber resilience, incident response, threat actor negotiations, the regulation of cyber and cyber insurance. If you are interested in receiving a copy of our Managing Cyber Risk Survey 2023 (to be published on 18 September), please register here.

Regulatory and industry news

The State of Security 2023: Key Trends, Challenges and Threats

IT News – 28 August 2023

IT News has released a report that examines the issues facing the cyber security sector from the perspective of CIOs and CISOs. The report covers various segments of cyber security, including cloud security, identity and access management, network and infrastructure, endpoint security and XDR (extended detection and response), which correlates threat data from the security tools deployed across an organisation's technology estate so that investigations can proceed faster. Drawing on research, industry analyst opinion and end-user CISO case studies, it provides an overview of the key trends, challenges and threats in the cyber security market over the last 12 months to help companies navigate the rapidly evolving IT security landscape.

Medibank axes exec bonuses, freezes CEO pay, following cyber-attack

The Australian – 24 August 2023

Following last year's cyber-attack, Medibank has cut bonuses for its executive leadership team. CEO David Koczkar will also receive no pay rise despite the company's annual profit increasing 29.8% to $511.1 million. Medibank expended $46.4 million last year in the aftermath of the cyber-attack and is expected to spend a further $30 to $35 million in the year ahead.

49% of organisations paid out $1.5 million following security incident

Security Brief – 24 August 2023

Cloudflare has released a new report that provides insights into how organisations are coping with rising volumes of cyber security incidents, their levels of preparedness and the outcomes they experienced. The study found that 76% of Australian organisations experienced a cyber security incident in the past year, including phishing, web attacks and Distributed Denial-of-Service (DDoS) attacks. However, compared with their APAC neighbours, Australian organisations reportedly face cyber-attacks less frequently.

From fires to firewalls: The evolution of operational risk. Speech by APRA Member Therese McCarthy Hockey – GRC2023

APRA – 22 August 2023

APRA Member Therese McCarthy Hockey recently gave a speech at GRC2023 in Sydney in which she discussed how the increasing dependence of banks, insurers and superannuation funds, and their customers, on technology is creating new risks that must be managed to ensure critical financial services remain available. Critically, Ms McCarthy Hockey stated that "APRA has observed a long period of insufficient investment in both cyber security technology...especially among smaller organisations." In relation to CPS 230, she said that "APRA won't be waiting for the implementation date to examine industry readiness. We will be assessing entities' preparedness for the new standard throughout 2023, starting in less than six months."

Strong practical help for firms hit by cyber-attack

AFR – 21 August 2023

The Australian Cyber Security Centre (ACSC) has assured companies and public agencies that they can expect swift help to minimise harm to their customers if they experience a cyber-attack. Abigail Bradshaw, the head of the ACSC, emphasised that the agency "[is] not a regulator, so the primary purpose for the ACSC's assistance is harm minimisation." Ms Bradshaw also encouraged critical infrastructure operators to join a threat intelligence sharing platform, and SMEs to join a partnership program aimed at uplifting cyber defences.

Report: Australia not doing enough when it comes to cyber security

Cyber Security Connect – 10 August 2023

92% of professionals do not believe the average Australian's cyber skills are sufficient to protect them from cyber-attacks, according to research conducted by cloud security provider AUCloud. A further 94% of professionals believe that Australian businesses are not taking enough steps to become cyber secure, while 90% felt that federal government funding to protect the nation is insufficient. See also Cyber Security Connect article (10 August).

2023 Threat Hunting Report

CrowdStrike – 9 August 2023

CrowdStrike released the sixth annual edition of its Threat Hunting Report on 8 August. This year's report covers the company's observations on attack trends between July 2022 and June 2023. Key findings reveal that, within the Asia-Pacific region, technology companies were the most targeted sector (26% of all attacks). The report also found that the average "breakout time", the time it takes an adversary to move from initial compromise to other hosts in the victim environment, is now 79 minutes (down from 84 minutes in 2022).

Data breaches seen as number one privacy concern, survey shows

OAIC – 8 August 2023

According to the 2023 Australian Community Attitudes to Privacy Survey, there has been a sharp increase in the number of Australians who regard data breaches as today's biggest privacy risk. The survey provides an analysis of Australians' privacy attitudes and how recent events have impacted their experiences. Key findings from the survey reveal:

  • 62% of Australians see the protection of their personal information as a major concern in their life;
  • only 32% of Australians feel in control of their data privacy and 84% want more control and choice over the collection and use of their personal information;
  • 74% of Australians feel data breaches are one of the biggest privacy risks they face today (an increase of 13 percentage points since 2020); and
  • 70% of Australians regard privacy as extremely important when choosing a product or service and 26% state it is very important.

NIST drafts major update to its widely used cybersecurity framework

National Institute of Standards and Technology (NIST) – 8 August 2023

NIST has released a draft version of the Cybersecurity Framework (CSF) 2.0, following a year-long consultation and feedback process with the community. The framework, first released in 2014, helps organisations understand, reduce and communicate about cyber security risk. The draft aims to make it easier for organisations of all sizes and sectors to put the CSF into practice and reflects changes in the cyber security landscape.

Medibank, Optus hacks hurt, but Aussies still at risk

AFR – 8 August 2023

Air Marshal Darren Goldie AM CSC, Australia's first National Cyber Security Coordinator, says Australians need to be alert to risky online behaviour that puts their personal information at risk, including clicking on links without thinking and using weak passwords. Mr Goldie said that individuals must integrate protection against threat actors into their daily lives and called on companies to treat cyber security as a central business risk. See full speech here.

CISA reveals 3-year cyber security strategic plan

Cyber Security Connect – 8 August 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new plan to address increased cyber threats across government and industry. Three core pillars inform the three-year plan: (1) address immediate threats, (2) harden the terrain and (3) drive security at scale. The plan aims to provide a blueprint for organisations to increase their security and resilience against cyber-attacks.

Don't ban paying cyber ransoms, ex-US spy chief warns Australia

AFR – 6 August 2023

Australia should adopt a risk-based approach built on a set of key criteria, rather than imposing a blanket ban on paying cyber ransoms, says retired Admiral Michael Rogers (former Director of the U.S. National Security Agency). He called on businesses and policymakers to shift strategy towards measuring success by how well they respond to attacks after they occur.

2022 top routinely exploited vulnerabilities

Australian Cyber Security Centre (ACSC) – 4 August 2023

The ACSC has released a joint advisory on the most routinely exploited vulnerabilities and exposures of 2022. Threat actors continued to target older vulnerabilities more often than newly disclosed ones, with exploitation most effective in the first two years after a vulnerability is publicly identified, before patches have been widely applied. See also Cyber Security Connect article (7 August).

Assistant Treasurer says the fight against scams requires 'tough codes of practice'

Cyber Security Connect – 3 August 2023

A code of practice to combat scams is expected within the next 18 months, according to federal Assistant Treasurer Stephen Jones. The proposed code, which the Assistant Treasurer expects to see in 2024, could address various matters including compensation for victims of scams.

Recent cyber incidents

Optus asks court to stop release of Deloitte cyber-attack report

AFR – 30 August 2023

Optus has claimed legal professional privilege to prevent the release of the Deloitte report into the September 2022 cyber-attack. The privilege claim has been made in class action proceedings brought by Slater & Gordon in the Federal Court on behalf of Optus customers. See also Lawyerly articles (1 August and 9 August).

AMEX reports staff data breach after 'inadvertently' leaking payroll info

The Australian – 25 August 2023

Sensitive personal information of American Express' Australian staff was accidentally leaked to a former employee by a third-party payroll provider, prompting American Express to notify current and former staff members of the breach. The leak, limited to the APAC region (Australia, New Zealand and parts of Asia), potentially includes bank details, tax file numbers, pay information and other personal data. American Express is offering identity-theft protection services and has notified the relevant regulators. The incident comes while the company is already under investigation by the Office of the Australian Information Commissioner following earlier data breach complaints and concerns about misuse of its technology systems.

MOVEit health data breach tally keeps growing

Data Breach Today – 23 August 2023

An estimated 748 organisations have had data compromised through the MOVEit breaches instigated by Clop, the Russian-speaking threat group behind the mass cyber-attack that began on 29 May this year. More than 44 million individuals worldwide have been affected. The largest health data breach arising from the attack has reportedly been at Colorado's Department of Health Care Policy & Financing, where the personal information of 4.1 million individuals was stolen. Government contractor Maximus, whose affected clients include several healthcare and public health sector entities, has reported 11 million individuals affected. See also Reuters article (9 August) and Cyber Security Connect article (18 August).

Tesla blames 2 former staff for data breach affecting 75k

Cyber Security Connect – 22 August 2023

Tesla announced that the actions of two former employees were responsible for a data breach in May that compromised the personal information of over 75,000 individuals. More than 100GB of data was stolen and leaked, including names, addresses, phone numbers and social security numbers. Tesla has filed lawsuits against the two former employees and has seized several devices believed to contain the data.

Energy One hit by cyber-attack, Australia and UK corporate systems affected

Cyber Security Connect – 22 August 2023

Energy One, an Australian energy software provider, identified a cyber-attack on 18 August that affected corporate systems in Australia and the UK. In an ASX release, the company said it responded quickly and had contacted the relevant authorities in both Australia and the UK. The company has reportedly been conducting ongoing analysis to identify which, if any, additional systems may have been affected by the attack.

Latitude Financial flags $76 million in cyber incident costs

IT News – 18 August 2023

Latitude Financial has reported $76 million of costs relating to the cyber-attack it suffered in mid-March, which impacted 225,000 customers. The company reported an actual spend on cyber costs of $53 million. Bob Belan, Managing Director and CEO, said that although the cyber-attack disrupted business operations and affected first-half performance, the work done by the Latitude team "to quickly but safely restore systems and rebuild our business momentum has been extraordinary." See further IT News article (18 August).

Authorities warn health sector of attacks by Rhysida Group

Bank Info Security – 7 August 2023

The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Centre (HC3) has issued an alert warning organisations of double-extortion attacks against healthcare and public health sector organisations by Rhysida. A relatively new threat actor previously known for targeting the education, government, manufacturing, technology and managed services sectors, Rhysida has recently expanded its targeting to healthcare and public health sector organisations. The group has already hit several hospital providers, and organisations have been urged to be vigilant in protecting and monitoring their networks to avoid becoming victims.

Slater & Gordon cedes Medibank class action to Baker McKenzie

Lawyerly – 1 August 2023

Following a recent case management hearing in the Federal Court before Justice Jonathan Beach, Slater & Gordon has agreed to consolidate its data breach class action against Medibank with the one brought by Baker McKenzie. Orders approved by the court provide that Baker McKenzie will be sole solicitors for the consolidated proceeding, which will be funded by Omni Bridgeway and Balance Legal Capital.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.