June started off with a bang! The OAIC launched proceedings against Medibank, and other regulators were busy too, with ACMA pursuing Optus for non-compliance in relation to its 2022 data breach and APRA clarifying its expectations regarding the adequacy of backups.
Data stolen from Ticketek and Victoria Racing Club has reportedly been leaked, and MediSecure has demonstrated the financial distress that a cyber-attack can cause. More generally, hacks continue to cause disruption and damage in Australia and around the world.
There has been interesting discussion about the cyber resilience of the mining and maritime sectors, and attacks on the healthcare sector continue to attract attention. Research shows that investment in cyber security can reduce cyber insurance premiums.
Internationally, the US is banning Russian antivirus software and has sanctioned senior executives, China is set to implement stringent cyber abuse regulations, and Poland is bolstering cyber security funding following a recent cyber-attack. The UN has introduced new Principles for Information Integrity, and G20 leaders have advocated for global cyber regulators.
The cyber-attacks making headlines in June are linked below:
- Victoria Racing Club is investigating data dumped online by hacking group, Medusa – Cyber Daily – 26 June 2024
- Medusa hacks Australian fuel distributor, North Coast Petroleum, demanding ransom – Cyber Daily – 25 June 2024
- Ticketek data leaked following data breach impacting account holder information; hacking group Sp1d3r claims to have 30 million records – Cyber Daily – 24 June 2024
- Indonesia refuses to pay ransom in connection with a cyber-attack compromising its national data centre – Time – 25 June 2024
- New complaint against HWL Ebsworth Lawyers filed with the OAIC on behalf of an NDIS participant – Cyber Daily – 28 June 2024
- NASDAQ-listed chipmaker, AMD, investigates a data breach following an announcement by hacking group, IntelBroker, that it was selling AMD data – Security Week – 19 June 2024
- Accidental download led to ransomware attack on US healthcare company, Ascension – Cyber Daily – 14 June 2024
- Cyber security company, Cylance, confirms third party breach by hacking group Sp1d3r, impacting customer and employee data – Bleeping Computer – 10 June 2024
- MediSecure appoints administrators following cyber-attack impacting patient and physician data – IT News – 5 June 2024
- Chinese state-backed cyber espionage group, Crimson Palace, targets south-east Asian government – The Hacker News – 5 June 2024
- ‘Have I Been Pwned’ adds 361 million entries to its database of compromised email addresses – Cyber Daily – 5 June 2024 (Also: https://haveibeenpwned.com/)
- Major London hospitals disrupted by cyber-attack on pathology and diagnostic service provider, Synnovis – Bleeping Computer – 4 June 2024
Hong Kong Cyber Simulation
On Tuesday 18 June, we had a full house at our Hong Kong offices, as Cameron Whittfield took clients through an immersive cyber simulation. With the help of an expert panel – Tim Toa from Blackpanda, Seulah Han from FTI Consulting, Kenneth Fok from Marriott, and Hannah Cassidy and Annie Zhang from HSF – we worked through examples of decision-making faced by a company grappling with a ransomware and data extortion attack.
Cyber Risk Survey
We have launched our Cyber Risk Survey for 2024! We are surveying in-house lawyers again, to better understand their cyber-related experiences and concerns, and would love your insights.
This survey takes 7-10 mins to complete. To thank you for your time, you can choose to receive a summary of your responses benchmarked against the responses received from all survey participants.
The Cyber Risk Survey is available here.
Cyber Podcast
In our next podcast, we interview Dr Marcus Thompson. Stay tuned – it is due to be released next week.
Continuous Disclosure Obligations during a Data Breach
Click here to access our summary of the recent update to ASX Guidance Note 8. The update included a much-anticipated example of managing continuous disclosure obligations during a fast-moving cyber incident. The updates took effect from 27 May 2024.
OAIC files proceedings against Medibank, alleging breach of Australian Privacy Principles – Office of the Australian Information Commissioner – 5 June 2024
The Office of the Australian Information Commissioner (OAIC) has filed civil penalty proceedings in the Federal Court against Medibank in relation to its 2022 data breach. The OAIC claims Medibank failed to take reasonable steps to protect personal information from misuse and unauthorised access or disclosure, in breach of the Privacy Act 1988, and this resulted in a serious interference with the privacy of a large number of individuals. Amongst other things, the OAIC alleges Medibank had inadequate multi-factor authentication systems in place.
APRA articulates its expectations regarding security and adequacy of backups – APRA – 3 June 2024
Australian Prudential Regulation Authority (APRA) has emphasised its commitment to cyber resilience, clarifying its expectations of regulated entities regarding cyber security and the adequacy of backups. Amongst other things, APRA reminds regulated entities to self-assess compliance against Prudential Standard CPS 234 (Information Security).
Optus coding error to blame for 2022 attack, according to ACMA court filing – ABC News – 20 June 2024
The Australian Communications and Media Authority (ACMA) is claiming that the 2022 Optus data breach was caused by an access control coding error, and that the attack “was not highly sophisticated or one that required advanced skills or proprietary or internal knowledge”. Optus interim CEO Michael Venter confirmed that the attacker was able to exploit an unknown vulnerability in the company’s defences which arose from a historical coding oversight.
ACMA proceedings and consumer class action against Optus could merge – Lawyers Weekly – 14 June 2024
Justice Beach of the Federal Court has suggested there are advantages in merging ACMA’s proceedings against Optus with the class action brought by Slater & Gordon, noting overlapping issues. ACMA is alleging that Optus failed to adequately protect customer data as required under the Telecommunications (Interception and Access) Act 1979.
ASIC to launch threat intelligence platform – IT News – 4 June 2024
The Australian Securities and Investments Commission (ASIC) has announced that A$206.4 million will be directed towards a new threat intelligence platform that seeks to improve information collection and detection of cyber threats.
Qld public sector struggling with cyber readiness despite investment – Government News – 4 June 2024
A report by the Queensland Auditor General examined two unnamed Queensland public sector entities, noting ongoing vulnerabilities and room for improvement. A cyber response and recovery governance checklist, and a role capability checklist, were also published.
Government entities’ management of cyber security incidents – Australian National Audit Office – 14 June 2024
The Australian National Audit Office has published a report on its audit of select Australian Government entities, AUSTRAC and Services Australia, regarding their cyber resilience. The report included 19 recommendations aimed at improving the effective management of cyber security incidents at the agencies.
Cyber insurance premiums reduce after implementing proactive risk management strategies – Insurance Business Magazine – 13 June 2024
Tenable interviewed over 200 IT and cyber security leaders from Australia’s insurance, banking, education, healthcare and transport sectors. The report reveals that 44% of respondents experienced a reduction in insurance premiums of 5% to 15% after introducing preventive cyber security practices.
AUCloud launches its 2024 Cyber Security Healthcare Report – Cyber Daily – 21 June 2024
AUCloud’s 2024 Cyber Security Healthcare Report highlighted significant threats facing the healthcare sector. The report indicated a 71% year-on-year increase in cyber-attacks on healthcare organisations globally, and in Australia, 41% of healthcare organisations experienced a cyber-attack in 2023.
Securing the future: cyber security imperatives for Australian miners – Australian Mining – 19 June 2024
The mining industry in Australia is purportedly facing an increase in cyber-attacks, threatening productivity, safety and data security.
Trends in maritime cyber security – The Maritime Executive – 24 June 2024
The global maritime industry is purportedly facing growing cyber threats, due to increased digital connectivity and smart technologies being implemented on ships.
Critical infrastructure protection market projected to surge to US$162 billion – Verified Market Research – 17 June 2024
Verified Market Research reported that the value of the global Critical Infrastructure Protection (CIP) market is expected to increase from US$143 billion in 2024 to US$162 billion in 2031. This increase is being driven by, amongst other things, increasing cyber threats, which have intensified the demand for improved security solutions.
Insights from CrowdStrike CEO George Kurtz – WebProNews – 7 June 2024
CrowdStrike CEO George Kurtz offered a comprehensive overview of the current cyber security landscape in a recent interview with the Wall Street Journal.
US bans Russian antivirus software and sanctions senior executives – IT News – 24 June 2024
The Biden administration has announced a ban on the sale of Kaspersky Lab antivirus software, citing cyber security risks due to the company’s ties to Russia. The company will also be prohibited from delivering updates to its existing customers. The US has also sanctioned 12 individuals in senior leadership roles.
China’s cyber abuse regulation to take effect from 1 August – People’s Daily Online – 15 June 2024
China’s new cyber abuse regulations aim to safeguard public interests and create a safer online environment. The rules require cyber information service providers to manage online content and propose mechanisms for addressing online violent information.
Poland to spend US$760 million on digital security – Security Intelligence – 24 June 2024
This investment follows a disinformation attack in May 2024, in which false information about a military mobilisation was spread prior to national elections. The funding is intended to create a ‘cyber shield’ which will be used to enhance security reviews and resilience of critical infrastructure.
G20 leaders call for global cyber regulators – Cyber Daily – 12 June 2024
The G20 Digital Economy Working Group meeting in Brazil discussed the need to address the rising issue of cyber crime, emphasising the importance of having global standards and regulations to protect vulnerable parties such as children and the elderly. Other areas of focus centred around connectivity, information integrity, digital government and AI.
UN launches principles to combat spread of misinformation – United Nations – 24 June 2024
The UN has launched its Global Principles for Information Integrity to combat online misinformation and hate speech. At the launch, UN Secretary-General António Guterres emphasised the threat posed by misinformation to democracy and human rights.