We celebrated Corporate Plan season in August, with each of APRA and ASIC noting that cyber resilience is a key area of focus and investment for the 2024-25 period. In the context of persistent delays to Privacy Act reform, the OAIC is focusing on preserving its regulatory remit regarding the NDB scheme.
We learned that Abigail Bradshaw, head of the Australian Cyber Security Centre and recently a guest on our 'Cross Examining Cyber' podcast will take over as the new head of the Australian Signals Directorate from September, and the National Cybersecurity Coordinator signalled a new cyber industry advisory board would be appointed in the coming months.
The legal fallout from the CrowdStrike outage continued, as a shareholder class action was filed in Texas, while Delta Air Lines announced it is seeking damages.
An injunction was granted in NSW following the Wattle Range Council hack. This is the first time we have seen an Australian court issue an injunction to restrain unknown hackers from interacting with stolen data since the injunction granted in favour of HWL Ebsworth in April 2023.
Internationally, concerns were raised regarding Hong Kong’s proposed critical infrastructure laws, Australia endorsed the US-led Framework to Counter Foreign State Information Manipulation, and the Cybercrime Convention progressed to the UN’s General Assembly despite fierce opposition from human rights groups and tech companies.
The cyber incidents that made headlines in Australia and around the world in August are linked below:
- RansomHub drops more than 4TB of data (including sensitive information) on the dark web, following separate attacks on Kempe Engineering, McDowall Affleck and Hudson Civil Engineering – Cyber Daily – 20 August 2024
- Widespread disruption after oil giant, Halliburton, becomes aware of unauthorised third party access to systems; frustrated customers disconnect due to lack of information – BleepingComputer – 29 August 2024
- ASX-listed Evolution Mining announces ransomware attack impacting its systems – Cyber Daily – 13 August 2024
- 90GB of sensitive personal and corporate information impacted in attack on Australian underwriting agency, All Parks Insurance, by Meow ransomware gang – Cyber Daily – 27 August 2024
- Background check company, National Public Data, impacted by a data breach exposing the personal information of nearly 3 billion individuals; class action filed – Mashable – 7 August 2024
- Hunters International claims attack on US Marshals Service, exfiltrating 386GB of data including confidential and sensitive case files and FBI documents – Cyber Daily – 27 August 2024
- Hacking group, TopiAx, posts data of 4.7 million civil servants from Indonesia's National Civil Service (BKM) Agency on the dark web – The Jakarta Post – 14 August 2024
- American security firm, ADT, confirms stolen customer order information has been published on hacking forum – Bleeping Computer – 8 August 2024
- Family safety and location sharing site, Life360, impacted by a data breach, exposing the personal information of 442,519 people; APIs security flaw to blame – SecurityBrief – 7 August 2024
- Australian furniture retailer, Early Settler, confirms a data breach impacting personal information of 1.1 million customers in archives – Cyber Daily – 6 August 2024
- Australian not-for-profit community support service, Meli, impacted by cyber attack by hacking group Qilin; over 215GB of data stolen – Cyber Daily – 26 August 2024
- American chipmaker, Microchip Technology, discloses cyber incident impacting manufacturing operations – BleepingComputer – 20 August 2024
- FlightAware announces a ‘data security incident’ resulting in a breach of customer personal information – Cyber Daily – 19 August 2024
- Hacking group, Rhysida, offering “exclusive” The Washington Times data available for sale on dark web – Cyber Daily – 15 August 2024
- French government cyber security agency, ANSSI, recorded 141 cyber incidents during the Paris 2024 Olympic Games – Cyber Daily – 14 August 2024
We are still waiting for privacy reforms to drop. In the meantime, our team has created a one-stop Privacy Hub, to help you navigate the upcoming reforms with confidence. Check it out here.
Podcast: Cross Examining Cyber with Abigail Bradshaw
In Episodes 8 and 9, we talk with Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC) at the time of recording. Abi talks about her career, the role of the ACSC, the benefit of threat intelligence sharing and the way in which the ACSC can assist an entity. Abi also calls out her top 6 non-negotiables for building cyber resilience. Listen here.
You can catch up on past episodes in our podcast series here. In our ‘Cross Examining Cyber’ series, we explore all things cyber, including the legal, regulatory and policy developments that impact corporates in Australia and around the world. We speak to the people who are shaping the legal and regulatory environment, who are on the front line, raising cyber resilience and protecting our clients from cyber incidents. Recent episodes include interviews with Dr Marcus Thompson, Andrew Penn, Bill Siegel and Hamish Hansford.
2024 Financial Review Cyber Summit
Thank you to those who participated in our Cyber Risk Survey for 2024. We are collating the results and look forward to launching our Cyber Risk Survey report at the 2024 Financial Review Cyber Summit in Sydney on 17 September. HSF is proud to be returning as the event’s Platinum Partner.
Join the summit (in person, or virtually) to hear from the brightest minds in cyber, including HSF’s Cameron Whittfield joining a panel discussion about “the data dilemma”.
Australian Cyber Security Centre head Abigail Bradshaw to lead ASD – IT News – 27 August 2024
From early September, Abigail Bradshaw, the current head of the Australian Cyber Security Centre, will be promoted to head of the Australian Signals Directorate. Bradshaw will replace current head, Rachel Noble. Bradshaw’s cyber security and incident response experience is noted as ‘valuable’ by Minister for Defence, Richard Marles.
Supreme Court of NSW grants injunction in Wattle Range Council hack – Cyber Daily – 5 August 2024
Following a July data breach on the Wattle Range Council by hacking group LockBit, the council sought and was granted an injunction by the Supreme Court of New South Wales, to prevent the access, dissemination, or publication of council data that has been or may be posted on the dark web by any third-party injunction on its website. The council investigation is ongoing, but at this stage it believes the impacted data primarily relates to publicly available information and internal working documents.
APRA Corporate Plan 2024-25 – Australian Prudential Regulation Authority – 28 August 2024
Cyber risk management features among APRA’s top priorities in its 2024-25 Corporate Plan, noting it presents a “heightened risk to system resilience”. APRA is committed to strengthening the cyber risk management practices of regulated entities and partnering with peer agencies as part of a whole-of-government approach to minimise cyber risk.
ASIC Corporate Plan 2024-25 – Australian Securities & Investments Commission – 22 August 2024
The Plan notes that “cyber security remains an area of acute focus at ASIC”. During the period, ASIC intends to prioritise managing and minimising technology, cyber and data-related risks, among other things. Key activities include the implementation of a supervisory cyber and operational resilience program.
OAIC Corporate Plan 2024-25 – Office of the Australian Information Commissioner – 29 August 2024
The OAIC supports a whole-of-government approach to reducing cyber risk as a measure to mitigating privacy risk. The agency will push to preserve its regulatory remit, particularly in relation to the notifiable data breach scheme. The agency also clarified that it will not be waiting for anticipated law reform to pursue “egregious privacy breaches”.
New cyber industry advisory board incoming – InnovationAus – 28 August 2024
The National Cybersecurity Coordinator, Lieutenant General Michelle McGuinness, shared plans to appoint a new cybersecurity industry advisory board before the end of the year, to support the delivery of the Commonwealth Cyber Uplift Plan. This initiative forms part of the 2023 – 2030 Australian Cyber Security Strategy, which among other things aims to improve government cyber maturity and protect against cyber attacks.
Australian Signals Directorate warns of scammers posing as the ACSC – Cyber Daily – 29 August 2024
ASD and ACSC logos have been used in an email scam that recommends readers click on a link to download malware posing as antivirus software. The campaign coincided with ScamWatch’s Scams Awareness Week.
Medibank’s cyber costs to reach $126m by next year as cyber uplift reaches completion – Cyber Daily – 22 August 2024
According to its 2024 financial year results, Medibank spent $39.8 million in FY24 to remediate and rebuild following the cyber incident that impacted the organisation in October 2022. Medibank estimates a similar amount will be spent on related initiatives in FY25, having spent $46.4 million in FY23.
Ransomware gangs increasingly weaponising stolen data – Cyber Daily – 7 August 2024
Ransomware gangs are increasingly using stolen data to blackmail victims, beyond just threatening to publish personal information. Gangs have been recently exploiting sensitive data such as child abuse material searches by employees and personal details of executives’ families, in order to increase pressure on victims to pay ransoms.
CrowdStrike is sued by shareholders over huge software outage – IT News – 6 August 2024
In a class action filed in Austin, Texas, CrowdStrike is being sued by its shareholders over the software outage on the basis that the company did not disclose the potential impact of inadequate software testing.
Delta Air Lines to pursue damages claims against Microsoft and CrowdStrike – Cyber Daily – 13 August 2024
Delta Air Lines revealed the extent of damage caused by the CrowdStrike outage in a Form 8-K filed with the Securities and Exchange Commission. While the company has since restored its operations, Delta Air Lines has blamed the CrowdStrike outage for approximately 7,000 flight cancellations over five days, costing the airline approximately USD380 million. Delta Air Lines is seeking damages from CrowdStrike and Microsoft.
CrowdStrike releases root cause analysis of the global Microsoft breakdown – ABC News – 7 August 2024
CrowdStrike has shared its root cause analysis for the global IT outage on 19 July, claiming that an undetected sensor written into its Falcon software update caused the outage which impacted approximately 8.5 million systems running on Windows.
Australia and US sign Memorandum of Understanding to fight disinformation – US Department of State – 5 August 2024
Australia and the US have signed a bilateral Memorandum of Understanding (MoU), in which Australia endorses the United States’ Framework to Counter Foreign State Information Manipulation. The framework is a tool intended to combat foreign state information manipulation, by sharing best practices and tools, building resilience in civil society and institutions, and strengthening information integrity across the digital ecosystem. Australia is the 20th country to join the US-led initiative.
US Firms Warn Against ‘Unprecedented’ Hong Kong Cyber Rules – Bloomberg – 20 August 2024
Amazon, Google, and Meta are among firms who have called out the proposed cyber regulations in Hong Kong as they would allow the government ‘unusual’ access to computer systems. Hong Kong officials believe the cybersecurity bill would protect the city’s economy, safety, and national security. Under the newly proposed regulations, companies would need to secure their systems and disclose any serious breaches within two hours. Fines would be as high as HK$5 million.
UN cybercrime treaty passes in unanimous vote – The Record – 9 August 2024
The United Nations’ Ad Hoc Committee on Cybercrime adopted the Cybercrime Convention, meaning it will go to the General Assembly for a final vote later in the year. The treaty establishes a global framework to tackle cybercrime and facilitate data access. It is opposed by human rights groups and tech companies, on the basis that the treaty does not adequately protect against misuse of digital investigation and digital evidence powers.
Suspected head of prolific cybercrime groups arrested and extradited – National Crime Agency – 13 August 2024
The leader of the Ransom Cartel and Reveton ransomware operations, a Belarusian-Ukrainian national who goes by “J.P. Morgan”, “lansky” and “xxx”, was arrested in Spain in July and extradited to the United States in August. Two other individuals are also facing charges for allegedly playing key roles in J.P. Morgan’s crime group. Reveton is believed to have been the first ever ransomware-as-a-service (RaaS) business model.
Key contacts
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.