
We celebrated Corporate Plan season in August, with each of APRA and ASIC noting that cyber resilience is a key area of focus and investment for the 2024-25 period. In the context of persistent delays to Privacy Act reform, the OAIC is focusing on preserving its regulatory remit regarding the NDB scheme.

We learned that Abigail Bradshaw, head of the Australian Cyber Security Centre and recently a guest on our 'Cross Examining Cyber' podcast, will take over as the new head of the Australian Signals Directorate from September, and the National Cybersecurity Coordinator signalled a new cyber industry advisory board would be appointed in the coming months.

The legal fallout from the CrowdStrike outage continued, as a shareholder class action was filed in Texas, while Delta Air Lines announced it is seeking damages.

An injunction was granted in NSW following the Wattle Range Council hack. This is the first time we have seen an Australian court issue an injunction to restrain unknown hackers from interacting with stolen data since the injunction granted in favour of HWL Ebsworth in April 2023.

Internationally, concerns were raised regarding Hong Kong’s proposed critical infrastructure laws, Australia endorsed the US-led Framework to Counter Foreign State Information Manipulation, and the Cybercrime Convention progressed to the UN’s General Assembly despite fierce opposition from human rights groups and tech companies.

The cyber incidents that made headlines in Australia and around the world in August are linked below:


In case you missed it…

We are still waiting for privacy reforms to drop. In the meantime, our team has created a one-stop Privacy Hub, to help you navigate the upcoming reforms with confidence. Check it out here.

 

Podcast: Cross Examining Cyber with Abigail Bradshaw

In Episodes 8 and 9, we talk with Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC) at the time of recording. Abi talks about her career, the role of the ACSC, the benefit of threat intelligence sharing and the way in which the ACSC can assist an entity. Abi also calls out her top 6 non-negotiables for building cyber resilience. Listen here

You can catch up on past episodes in our podcast series here. In our ‘Cross Examining Cyber’ series, we explore all things cyber, including the legal, regulatory and policy developments that impact corporates in Australia and around the world. We speak to the people who are shaping the legal and regulatory environment, who are on the front line, raising cyber resilience and protecting our clients from cyber incidents. Recent episodes include interviews with Dr Marcus Thompson, Andrew Penn, Bill Siegel and Hamish Hansford.

 

2024 Financial Review Cyber Summit

Thank you to those who participated in our Cyber Risk Survey for 2024. We are collating the results and look forward to launching our Cyber Risk Survey report at the 2024 Financial Review Cyber Summit in Sydney on 17 September. HSF is proud to be returning as the event’s Platinum Partner.

Join the summit (in person, or virtually) to hear from the brightest minds in cyber, including HSF’s Cameron Whittfield joining a panel discussion about “the data dilemma”.

 


Australian Cyber Security Centre head Abigail Bradshaw to lead ASD – IT News – 27 August 2024

From early September, Abigail Bradshaw, the current head of the Australian Cyber Security Centre, will be promoted to head of the Australian Signals Directorate. Bradshaw will replace the current head, Rachel Noble. Bradshaw’s cyber security and incident response experience is noted as ‘valuable’ by Minister for Defence, Richard Marles.

 

Supreme Court of NSW grants injunction in Wattle Range Council hack – Cyber Daily – 5 August 2024

Following a July data breach on the Wattle Range Council by hacking group LockBit, the council sought and was granted an injunction by the Supreme Court of New South Wales, to prevent the access, dissemination, or publication of council data that has been or may be posted on the dark web by any third-party injunction on its website. The council investigation is ongoing, but at this stage it believes the impacted data primarily relates to publicly available information and internal working documents.

 

APRA Corporate Plan 2024-25 – Australian Prudential Regulation Authority – 28 August 2024

Cyber risk management features among APRA’s top priorities in its 2024-25 Corporate Plan, noting it presents a “heightened risk to system resilience”. APRA is committed to strengthening the cyber risk management practices of regulated entities and partnering with peer agencies as part of a whole-of-government approach to minimise cyber risk.

 

ASIC Corporate Plan 2024-25 – Australian Securities & Investments Commission – 22 August 2024

The Plan notes that “cyber security remains an area of acute focus at ASIC”. During the period, ASIC intends to prioritise managing and minimising technology, cyber and data-related risks, among other things. Key activities include the implementation of a supervisory cyber and operational resilience program.

 

OAIC Corporate Plan 2024-25 – Office of the Australian Information Commissioner – 29 August 2024

The OAIC supports a whole-of-government approach to reducing cyber risk as a measure to mitigate privacy risk. The agency will push to preserve its regulatory remit, particularly in relation to the notifiable data breach scheme. The agency also clarified that it will not be waiting for anticipated law reform to pursue “egregious privacy breaches”.

 

New cyber industry advisory board incoming – InnovationAus – 28 August 2024

The National Cybersecurity Coordinator, Lieutenant General Michelle McGuinness, shared plans to appoint a new cybersecurity industry advisory board before the end of the year, to support the delivery of the Commonwealth Cyber Uplift Plan. This initiative forms part of the 2023-2030 Australian Cyber Security Strategy, which among other things aims to improve government cyber maturity and protect against cyber attacks.

 

Australian Signals Directorate warns of scammers posing as the ACSC – Cyber Daily – 29 August 2024

ASD and ACSC logos have been used in an email scam that recommends readers click on a link to download malware posing as antivirus software. The campaign coincided with ScamWatch’s Scams Awareness Week.


Medibank’s cyber costs to reach $126m by next year as cyber uplift reaches completion – Cyber Daily – 22 August 2024

According to its 2024 financial year results, Medibank spent $39.8 million in FY24 to remediate and rebuild following the cyber incident that impacted the organisation in October 2022. Medibank estimates a similar amount will be spent on related initiatives in FY25, having spent $46.4 million in FY23.

 

Ransomware gangs increasingly weaponising stolen data – Cyber Daily – 7 August 2024

Ransomware gangs are increasingly using stolen data to blackmail victims, beyond just threatening to publish personal information. Gangs have been recently exploiting sensitive data such as child abuse material searches by employees and personal details of executives’ families, in order to increase pressure on victims to pay ransoms.

 

CrowdStrike is sued by shareholders over huge software outage – IT News – 6 August 2024

In a class action filed in Austin, Texas, CrowdStrike is being sued by its shareholders over the software outage on the basis that the company did not disclose the potential impact of inadequate software testing.

 

Delta Air Lines to pursue damages claims against Microsoft and CrowdStrike – Cyber Daily – 13 August 2024

Delta Air Lines revealed the extent of damage caused by the CrowdStrike outage in a Form 8-K filed with the Securities and Exchange Commission. While the company has since restored its operations, Delta Air Lines has blamed the CrowdStrike outage for approximately 7,000 flight cancellations over five days, costing the airline approximately USD380 million. Delta Air Lines is seeking damages from CrowdStrike and Microsoft.

 

CrowdStrike releases root cause analysis of the global Microsoft breakdown – ABC News – 7 August 2024

CrowdStrike has shared its root cause analysis for the global IT outage on 19 July, claiming that an undetected sensor written into its Falcon software update caused the outage which impacted approximately 8.5 million systems running on Windows.


Australia and US sign Memorandum of Understanding to fight disinformation – US Department of State – 5 August 2024

Australia and the US have signed a bilateral Memorandum of Understanding (MoU), in which Australia endorses the United States’ Framework to Counter Foreign State Information Manipulation. The framework is a tool intended to combat foreign state information manipulation, by sharing best practices and tools, building resilience in civil society and institutions, and strengthening information integrity across the digital ecosystem. Australia is the 20th country to join the US-led initiative.

 

US Firms Warn Against ‘Unprecedented’ Hong Kong Cyber Rules – Bloomberg – 20 August 2024

Amazon, Google, and Meta are among firms who have called out the proposed cyber regulations in Hong Kong as they would allow the government ‘unusual’ access to computer systems. Hong Kong officials believe the cybersecurity bill would protect the city’s economy, safety, and national security. Under the newly proposed regulations, companies would need to secure their systems and disclose any serious breaches within two hours. Fines would be as high as HK$5 million.

 

UN cybercrime treaty passes in unanimous vote – The Record – 9 August 2024

The United Nations’ Ad Hoc Committee on Cybercrime adopted the Cybercrime Convention, meaning it will go to the General Assembly for a final vote later in the year. The treaty establishes a global framework to tackle cybercrime and facilitate data access. It is opposed by human rights groups and tech companies, on the basis that the treaty does not adequately protect against misuse of digital investigation and digital evidence powers.

 

Suspected head of prolific cybercrime groups arrested and extradited – National Crime Agency – 13 August 2024

The leader of the Ransom Cartel and Reveton ransomware operations, a Belarusian-Ukrainian national who goes by “J.P. Morgan”, “lansky” and “xxx”, was arrested in Spain in July and extradited to the United States in August. Two other individuals are also facing charges for allegedly playing key roles in J.P. Morgan’s crime group. Reveton is believed to have been the first ever ransomware-as-a-service (RaaS) business model.


Key contacts

Cameron Whittfield, Partner, Melbourne

Peter Jones, Partner, Sydney

Merryn Quayle, Partner, Melbourne

Brendan Donohue, Senior Associate, Melbourne

Josh Kain, Senior Associate, Melbourne

Christine Wong, Partner, Sydney

Kaman Tsoi, Special Counsel, Melbourne

Anne Hoffmann, Partner, Sydney

Laura Newton, Senior Associate, Sydney

Heather Kelly, Senior Associate, Melbourne

Annie Zhang, Solicitor, Melbourne