Follow us

May was a monumental month in the cyber industry due to the increasing risk of cyberattacks as well as the release of the 2024-25 Australian Federal Budget. The Attorney-General also announced the Privacy Act amendments would be brought forward to August.

Despite switching tactics, state-based cyber-actors are a rising threat, leading many breached companies, including law firms, to paying ransoms. In fact, Sophos has reported that Australians are willing to pay ‘top-dollars’ to cybercriminals, conveyed through a 297% increase in ransomware payments in Australia in 2024.

There has been a recent rise in deepfake audio, video and text being used to create more realistic attacks. The rise in use of AI-deepfakes as a tool for cybercriminals has led to companies introducing new rules to prevent its use. Both Facebook and Instagram have introduced new policies in that regard.

Below are some of the most noteworthy Australian cyber incidents and regulatory developments which made headlines across the past month:

  1. Optus has been hit with a Federal Court order to release information regarding their 2022 cyber-attack following their request to keep a detail forensic report confidential. The Federal Court’s decision aims to provide transparency and access to critical material of legal proceedings despite Optus’ concerns that confidential information about its security program will now be available to lawyers.
  2. Lawyers have expressed frustration over a year-old investigation by the OAIC into a data breach that impacted Latitude Financial Services. The breach exposed sensitive customer information, and the delay in resolving the investigation is causing concern.
  3. The Office of the Australian Information Commissioner (OAIC) is cracking the whip with a zero-tolerance policy on late data breach reporting. No more dilly-dallying; organisations now have a strict 30-day window to spill the beans on breaches under the Notifiable Data Breach (NDB) scheme.
  4. Australia has been identified as one of the top 10 global sources of phishing attacks. AI-driven phishing attacks, including voice phishing (vishing) and deepfake phishing, are also on the rise globally.
  5. The Australian Government passed the Digital ID Bill, a crucial step toward enhancing online security and streamlining government services. The legislation establishes a framework for secure digital identification, with provisions for stronger security protocols and privacy safeguards.
  6. Thousands of Australians have allegedly been affected by a data breach impacting Shell. Details about the breach and its impact on customers are emerging, and investigations are underway to assess the extent of the incident.
  7. The hacking group ShinyHunters claims responsibility for a data breach affecting Ticketmaster and Live Nation. They’re selling 1.3TB of stolen data for US$500,000 on their leak site.
  8. Western Sydney University experienced a data breach affecting its Microsoft 365 and SharePoint sites. Over 7,500 individuals were affected, and the exposed data included email communications and documents. No ransom demands have been made.

Cyber Risk Survey 2024

We have launched our Cyber Risk Survey for 2024! Following the success of our inaugural Cyber Risk Survey in 2023, we are once again surveying in-house lawyers to better understand their cyber-related experiences and concerns. We would love your insights!

This survey takes a little longer (7-10 minutes), and to thank you for your time, you can choose to receive a summary of your responses benchmarked against the responses received from all survey participants. Complete the Cyber Risk Survey 2024 here.

 

Cross Examining Cyber: Episode 6 with Andy Penn

In this episode of Cross Examining Cyber, we finish our cross examination of Andy Penn, previously CEO of Telstra and more recently the Chair of the Government’s Expert Advisory Board. Andy makes some insightful comments about the similarities between our physical world and our digital world, and how this should guide our measure of success.

We also take a closer look at the Cyber Strategy, the value in placing responsibility on those best placed to take responsibility, what does "good" look like, the value in managing data holdings, threat sharing / locking, and the benefit of transparency and reporting (rather than banning extortion).

Andy also makes some incredibly relevant (and sobering) observations on the impact that computer power and quantum computing will have on our security settings (“…a Y2K event when don’t know the date…”). Finally, I ask Andy “what makes a great lawyer”? Luckily, we come out of that question relatively unscathed. This is Episode 6 of our podcast series, give it a listen here.  


Australia

Clare O’Neil calls out MediSecure over delay in breach reporting

Cyber Daily – 31 May 2024

This article discusses Home Affairs Minister Clare O’Neil’s criticisms of e-prescription company MediSecure for its delay in reporting a data breach that saw 6.5TB of stolen prescription data leaked onto a Russian hacking forum. Minister O’Neil has called on MediSecure to clarify the extent of the breach and provide notification to potentially affected people. The incident first came to light on May 16, and on May 23, a Russian hacker posted a sample of the data for sale for $50,000. The data includes information on citizens, insurance numbers, phone numbers, addresses, full names, supplier information, contractor information, emails, and more.

 

Court Orders Optus to Release Data Breach Report to Lawyers

Data Breach Today – 27 May 2024

This article details that the Federal Court has rejected Optus' request to keep private a forensic investigation report into a data breach that affected up to 9.8 million customers. The court ruled that Optus could not claim legal professional privilege to keep secret the details of the report it commissioned Deloitte to conduct. The verdict opens the doors to class action lawyers seeking access to the report, though Optus contends that keeping some of the information contained in the report confidential remains integral to the efficacy of its corporate security program. See also Sky News article (27 May) and iTnews article (28 May).

 

Australia ranks among top 10 global sources of phishing attacks

Insurance Business Magazine – 30 May 2024

This article provides that according to the 2024 Phishing Report by ThreatLabz, Australia has been named among the top 10 sources of phishing attacks. The report cites a notable 479.3% increase in the volume of phishing content hosted within Australia. The manufacturing industry in Australia was the hardest hit, experiencing over 5.9 million phishing attacks from January to December 2023. The report also highlighted a global rise in AI-driven phishing attacks, which increased by nearly 60% year-over-year. Attackers are increasingly using generative AI technologies, such as voice phishing (vishing) and deepfake phishing, to enhance their social engineering tactics.

 

Everyone’s a target: Australia grapples with surge in cyberattacks

News.com.au – 26 May 2024

This article explores the surge in cyberattacks which Australia is currently facing, with both government departments and businesses being targeted. Recent breaches include MediSecure, where hackers accessed Medicare data and doctors' information, and Western Sydney University, impacting 7,500 individuals. Industry experts emphasise that all Australians are potential targets of profit-seeking cybercriminals. The federal government has introduced a seven-year cybersecurity strategy, but experts argue that medium and small businesses remain inadequately protected.

 

Digital ID Bill passes federal parliament

Cyber Daily – 17 May 2024

This article shares that the Australian Government passed a Digital ID Bill, signalling a significant step toward digital identity management. The newly introduced legislation aims to enhance online security and streamline government services by establishing a framework for secure digital identification. Some key provisions include stronger security protocols, privacy safeguards, and widespread standards to ensure the adoption of the legislation.

 

2024-25 Federal Budget

Australian Federal Government – 14 May 2024

The Australian government released the 2024-25 Federal Budget on May 14, and despite no major or unexpected new cybersecurity initiatives being announced, the Government and its agencies appear to be leading by example and enhancing their own cybersecurity position. A further notable cyber investment comes in the form of quantum computing, which lies in the heart of Australia’s cyber defence, and can lead to an overhaul of security strategies as this technology unfolds. The budget also provides investments into clean energy technologies, robotics, Australia’s Digital ID System, and responsible Artificial Intelligence.

 

Lawyers express frustration over one year-old OAIC investigation into Latitude hack

Cyber Daily – 10 May 2024

This article outlines that lawyers representing a 75,000-person class action are frustrated over the lack of information regarding the Latitude data breach. The Australian and New Zealand Privacy Commissioners’ investigation has gone quiet, and lawyers have made several attempts to get an update on the progress of the investigation.

 

Third-party providers a customer data ‘weak spot’, Australian privacy commissioner says

The Guardian – 6 May 2024

This article shares the concerns of the Australian Privacy Commissioner regarding third-party providers being a weak spot for customer data security. Many Australian businesses rely on third-party providers for various services, which exposes customer data to potential breaches. The risks regarding third-party handling of data can be seen with recent incidents like the data breaches at Firstmac and the Australian Red Cross Lifeblood. The Privacy Commissioner emphasises the need for businesses to conduct thorough due diligence when engaging third-party providers. Businesses should prioritise data protection measures and ensure compliance with privacy regulations to safeguard customer data from potential breaches through third-party channels.

 

The Hon Mark Dreyfus – Privacy by Design Awards 2024 Speech

Attorney-General’s Portfolio – 2 May 2024

This speech by the Australian Attorney-General Mark Dreyfus discusses how the Government’s amendments to the Privacy Act are now expected to be introduced in August.  Dreyfus emphasised that recent data breaches and cyber incidents impacting Australian entities have led to the need for reforms to the existing framework. He further stated that the Privacy Act remains outdated and unfit for the digital age, and Australians need a stronger legislative model to protect their personal information. Dreyfus also discussed how the rise in digitalisation and advanced technologies has made data more readily accessible for cybercriminals, reinforcing the need for an overhaul of current legislation to protect data.

 

The breach of a face recognition firm reveals a hidden danger of biometrics

Wired – 2 May 2024

This article explores how the breach of Australian-based Outabox has led to further privacy concerns surrounding AI-powered facial recognition, especially as it becomes more readily available. The breach exposed facial images, names, and other personal data of individuals, which can now be exploited for malicious purposes such as identity theft and surveillance. Companies utilising such systems and technology must prioritise data protection and implement stronger security protocols to prevent future breaches. 

 

International

Russian hacking groups are switching tactics: here’s what to watch out for

Cyber Daily – 24 May 2024

This article explores how Russian hacking groups have shifted tactics from ‘wiper’ malware to spear phishing and credential theft. The groups are using a mix of custom and off-the-self malware, often purchased form illicit markets, and targeting entities beyond Ukraine, including organisations across North America and NATO entities.

 

SEC: financial organisations have 30 days to send data breach notifications

Bleeping Computer – 17 May 2024

This article states that the SEC now requires all financial organisations to notify affected individuals within 30 days of discovering data breaches. These amendments aim to improve data protection policies for financial entities including investment firms, broker-dealers, and registered investment advisors. Firms must develop and maintain incident response programs to detect, respond to, and recover from unauthorised access to customer information. These new rules are announced in the light of growing cybersecurity threats, aiming to protect consumer financial data.

 

IPAC wants to see acknowledgment of all cyber breaches against public figures

RNZ – 2 May 2024

This article outlines that the Inter-Parliamentary Alliance on China (IPAC) is petitioning for the official acknowledgment of all cyber breaches against public figures. IPAC emphasises the importance of transparency and accountability in addressing cyber threats, urging governments to openly acknowledge breaches in order to foster collaboration in cybersecurity efforts. The call comes amid increasing concerns regarding cyber espionage and hacking targeting public figures by state-backed actors.


How a new wave of deepfake driven cybercrime targets businesses

Security Intelligence – 17 May 2024

Security Intelligence has released an article exploring the rise in deepfake-driven cybercrime targeting businesses by leveraging AI to create realistic fake audio, video and text.  Financial institutions are particularly vulnerable, with deepfake voice cloning used to bypass security measures and commit fraud. The ease of accessibility of deepfake creation tools has lowered the barrier for cybercriminals, making sophisticated attacks more common. Real-time AI-based detection solutions are essential for protecting against deepfake threats, ensuring the integrity of financial and reputational interests of businesses.

 

2024 Data Breach Investigations Report

Verizon Business – 2 May 2024

Verizon Business released its annual report on data breaches, examining 20,458 security incidents. Key findings in the report include:

  • 68% of the breaches are due to inside errors or people falling for scams.
  • The exploitation of vulnerabilities accounted for 14% of breaches, 180% higher than in 2023.
  • 32% of breaches included a form of extortion, such as ransomware.
  • Over the last 10 years, 31% of breaches involved the use of stolen credentials.

 

Sophos Ransomware Reports Finds Australians Pay Top Dollar - Australian Cyber Security Magazine

Australian Cyber Security Magazine – 1 May 2024

Sophos has released its annual report on ransomware, alerting that the average ransom payment paid by Australian organisations in 2024 is US$6 million, a 297% increase from the US$1.51 million in 2023. The global average payment is US$3.96 million, over US$2 million less than the Australian average. Other findings include:

  • Reduction in rate of ransomware attacks, from 70% of Australian businesses in 2023 to 54% in 2024.
  • 76% of ransom demands made in Australia were for greater than US$ million.
  • Average Australian ransom payment came in at 101% of the original request.
  • Australian organisations recover slower from attacks, with 33% taking between one and six months to recover.

 

Your 2024 corporate guide to cyber security and data breaches

Wolters Kluwer – 1 May 2024

Wolters Kluwer have released a guide on cyber security and data breaches, particularly exploring the importance of being vigilant when protecting data. Some key areas explored includes the importance of collaboration, impact on companies’ profits, types of threats, and safeguarding customer data. New areas in the 2024 report are:

  • Directors’ duties regarding cyber security.
  • Interaction between cyber security and Artificial Intelligence.
  • Building a cyber resilient organisation.

Australia

Aussies affected in alleged Shell fuel data breach

Cyber Daily – 30 May 2024

This article unpacks reports that Shell has suffered a data breach affecting almost a dozen countries, including Australia. A threat actor called 888 claimed to have uploaded 80,000 rows of data belonging to customers in Australia, the UK, France, India, Singapore, the Philippines, the Netherlands, Malaysia, and Canada. The data appears to show details of a customer loyalty program called Nectar. The breach was part of the MOVEit supply chain attack, which affected a third-party software from Progress.

 

Hackers claim Ticketmaster/Live Nation data breach, more than 500m compromised

Cyber Daily – 29 May 2024

This article provides that the infamous hacking group ShinyHunters has claimed to have executed a data breach affecting Ticketmaster and Live Nation. The group is currently selling the stolen data for a one-time price of US$500,000 on their leak site. The alleged breach involves 1.3TB of customer data, with ShinyHunters listing that they possess the details of 560 million Ticketmaster customers. The leaked data includes hashed credit card numbers, credit card expiration dates, and customer personal information.

 

Western Sydney University data breach exposed student data

Bleeping Computer – 21 May 2024

This article announces that Western Sydney University were the targets of a data breach affecting its Microsoft 365 and SharePoint sites. The unauthorised access began in May 2023, but was not discovered until January 2024, where it had already affected a total of over 7,500 individuals. The exposed data included email communications and documents. No ransom or extortion demands have been made yet, and university operations have not been impacted.

 

Largest non-bank lender in Australia warns of a data breach

Bleeping Computer – 12 May 2024

This article explains that Firstmac has issued a warning about a data breach due to a third-party supplier, where the personal information of loan applicants was potentially exposed. Accessed data includes names, contact details, and other sensitive information submitted during loan applications. However, no financial information or passwords have been compromised, and Firstmac is investigating the incident simultaneously while enhancing security measures.

 

6 Australian senators, MPs confirm being targeted by APT31 in IPAC cyber attack

Cyber Daily – 7 May 2024

This article explores the 2021 cyber-attack on six Australian senators and parliamentary ministers by Chinese state-sponsored hackers, where authorities, despite knowing of the attack, failed to notify the victims. APT31 targeted the Inter-Parliamentary Alliance on China with pixel tracking emails, aiming to gather information to be used in future attacks. Australia and New Zealand have joined the United States and United Kingdom in sanctioning the group.

 

Massive data breach affects victims of family violence and sexual assault in Victoria

The Cyber Express – 4 May 2024

This article states that ZicroDATA has suffered a data breach, which resulted in companies including Monash Health and Melbourne Polytechnic having data leaked. Personal data belonging to thousands of victims of both sexual assault and family violence, as well as the personal information of 60,000 current and former students at Melbourne Polytechnic were exposed.

 

Scammers use artificial intelligence to impersonate Sunshine Coast mayor as experts warn of video call cybercrime tactics

ABC News – 2 May 2024

This article explores the way scammers used AI to impersonate Sunshine Coast Mayor Rosanna Natoli in a live video call. Crimes involving AI have increased significantly, with experts issuing warnings on the escalation and frequency of these attacks. AI technology now enables real-time manipulation of facial features, making it difficult to identify fakes.

 

International

Courtroom Recording Software Hit by Supply Chain Attack

Data Breach Today – 24 May 2024

This article details that the provider of an audio-visual recording software has been hit by a supply chain attack where hackers swapped a legitimate version of the software for a version with a backdoor. The vulnerability in the software can be remotely exploited by an attacker to fully compromise an endpoint. The backdoored version includes information-stealing capabilities, such as the ability to scrape browser credentials being stored on the device, and was being used inside courtrooms, classrooms, and interrogation rooms.

 

Hackers exploit Chrome vulnerabilities, US cyber agency urging users to update

Cyber News – 17 May 2024

This article alerts individuals that hackers are exploiting vulnerabilities in Google Chrome, leading to users being urged to update their browsers in order to mitigate any risks. The vulnerabilities could allow hackers the ability to take control of any affected systems. The Cybersecurity and Infrastructure Security Agency (CISA) has emphasised the increasing frequency of exploits and attacks and underscores the importance of all Chrome users to update security measures often.

 

CISA: Black Basta ransomware breached over 500 orgs worldwide

Bleeping Computer – 11 May 2024

This article states that the Black Basta ransomware group has breached over 500 organisations globally between April 2022 and May 2024, prominently targeting critical infrastructure sectors including healthcare. The ransomware gang encrypted and stole data from at least 12 of the 15 infrastructure sectors, with notable recent attacks including major US healthcare network Ascension. The Cybersecurity and Infrastructure Security Agency and the FBI have recommended organisations enhance security measures, including updated systems, and phishing awareness trainings.

 

Lawsuit filed against J.P. Morgan Chase over data breach

Teiss – 9 May 2024

This article provides that a lawsuit has been filed against J.P. Morgan Chase following a data breach affecting over 451,000 people, exposing sensitive information of participants provided to the bank’s retirement plan services. The plaintiff alleges that the bank failed to protect personal data adequately, claiming that the bank was negligent and failed to implement proper security measures, leading to the data exposure. The lawsuit is seeking compensation for all affected individuals and demands the J.P. Morgan Chase implement improved security protocols.

 

Ascension attack intensifies scrutiny of healthcare cyber defences

Forbes – 9 May 2024

This article explores how the cyber-attack on Ascension has intensified the scrutiny surrounding cyber defences within the healthcare sector. The attack led to major disruptions, including patients being diverted, as well as a halt in clinical operations. There has been a recent rise in cyberattacks on healthcare companies, alerting the industry of the necessity to protect sensitive data. Industry experts urge healthcare providers to implement comprehensive security measures to protect data and prevent future risks.

 

Microsoft announces raft of new cyber security initiatives

Cyber Daily – 7 May 2024

This article outlines the new security-first initiatives Microsoft is employing following a spike in recent cyber-attacks. Microsoft is shifting its focus towards security across all operations and are expanding their Secure Future Initiative, with an emphasis on secure design, default, and operations. They have further implemented a new security governance framework, enhancing accountability and regular progress reporting to senior leadership and the board of directors.

 

Germany accuses Russia of government party cyber attack

Cyber Daily – 3 May 2024  

This article provides that a major German political party was the target of a cyber-attack by Russian state-sponsored hacking group APT28. APT28 is known to target countries globally, recently aiming their attacks on Ukrainian and Polish entities, likely due to the ongoing conflict with Russia.

 

US government issues warning of new North Korea’s Kimsuky threat group activity

Cyber Daily – 3 May 2024

This article alerts that US government agencies have published an alert regarding a new threat actor, Kimsuky, which is backed by North Korea. The hacking group aims to exploit DNS Domain-based Message Authentication, Reporting and Conformance protocols. Their spear phishing activities transpire through the actor posing as journalists seeking comments on international events, aiming to create a sense of trust prior to the attack occurring.

 

Taiwan is experiencing millions of cyberattacks every day. The world should be paying attention

The Conversation – 3 May 2024

This article highlights that the Chinese Communist Party has been using cyber warfare to attack Taiwan, undermining their democratic processes and posing a significant national security threat. Approximately 5 million attacks occur daily in Taiwan, with an increase during the January 2024 elections.

Cameron Whittfield photo

Cameron Whittfield

Partner, Melbourne

Cameron Whittfield
Peter Jones photo

Peter Jones

Partner, Sydney

Peter Jones
Merryn Quayle photo

Merryn Quayle

Partner, Melbourne

Merryn Quayle
Brendan Donohue photo

Brendan Donohue

Senior Associate, Melbourne

Brendan Donohue
Josh Kain photo

Josh Kain

Senior Associate, Melbourne

Josh Kain
Christine Wong photo

Christine Wong

Partner, Sydney

Christine Wong
Kaman Tsoi photo

Kaman Tsoi

Special Counsel, Melbourne

Kaman Tsoi
Anne Hoffmann photo

Anne Hoffmann

Partner, Sydney

Anne Hoffmann

Key contacts

Cameron Whittfield photo

Cameron Whittfield

Partner, Melbourne

Cameron Whittfield
Peter Jones photo

Peter Jones

Partner, Sydney

Peter Jones
Merryn Quayle photo

Merryn Quayle

Partner, Melbourne

Merryn Quayle
Brendan Donohue photo

Brendan Donohue

Senior Associate, Melbourne

Brendan Donohue
Josh Kain photo

Josh Kain

Senior Associate, Melbourne

Josh Kain
Christine Wong photo

Christine Wong

Partner, Sydney

Christine Wong
Kaman Tsoi photo

Kaman Tsoi

Special Counsel, Melbourne

Kaman Tsoi
Anne Hoffmann photo

Anne Hoffmann

Partner, Sydney

Anne Hoffmann
Laura Newton photo

Laura Newton

Senior Associate, Sydney

Laura Newton
Cameron Whittfield Peter Jones Merryn Quayle Brendan Donohue Josh Kain Christine Wong Kaman Tsoi Anne Hoffmann Laura Newton