The CrowdStrike/Microsoft outage naturally dominated headlines in July. It will likely have a short-term impact on the insurance market and the cybersecurity market more generally – a market in which one player notably decided to go it alone, after Wiz rejected Google’s takeover offer.
Before Minister Tony Burke assumed responsibility for the cyber security portfolio, Minister Clare O’Neil foreshadowed a new bill that would mandate the disclosure of ransom payments if passed. Earlier in the month, the Prime Minister announced a government partnership with AWS to build a new TS Cloud, but it appears the government is otherwise making slow progress against public sector targets in the 2023 – 2030 Australian Cyber Security Strategy.
ASIC announced an information sharing partnership with the OAIC, ACMA accepted an enforceable undertaking from Telstra, and the ASD made waves issuing advice about malicious activities pursued by a group known to be linked to China’s Ministry of State Security.
Internationally, US telco AT&T announced that an arrest had been made following a significant third-party breach impacting its customer data, and a security firm unwittingly hired a hacker. The King’s first speech of the new UK government introduced two technology and cyber bills, while new cybersecurity laws covering critical infrastructure were proposed in Hong Kong.
The cyber incidents that made headlines around the world in July are linked below:
- MediSecure confirms that 12.9 million Australians were impacted by the May data breach on the e-prescriptions company, noting its financial position limited its investigation – Cyber Daily – 18 July 2024
- Western Sydney University experiences unauthorised access to 580TB of data in its IT storage platform, impacting staff and students – IT News – 31 July 2024
- Government of India-owned telecoms company, BSNL, announces data breach; IMSI numbers, SIM card information, and Home Location Register (HLR) details potentially impacted – The Hindu – 25 July 2024
- 1.1TB of Disney’s Slack messages leaked online by hacking group, Nullbulge – Wall Street Journal – 16 July 2024
- 4.6TB of Perth’s Harry Perkins Institute of Medical Research data has been leaked online by hacking group, Medusa, following ransom payment refusal – WA Today – 16 July 2024
- Car dealership software company, CDK Global, allegedly paid US$25 million ransom to hacking group, BlackSuit; systems restored – Cyber Daily – 15 July 2024
- Malware, not ransomware, was behind Fujitsu data breach in March 2023; data likely exfiltrated – Cyber Daily – 11 July 2024
- Hacking group, RansomHub, claims to have stolen 100GB of data from the Florida Department of Health, disrupting the department’s ability to issue certificates for births, deaths, divorces, marriages and apostilles – GovTech – 10 July 2024
- General Motors suffers a credential stuffing attack, impacting customer accounts – Cyber Daily – 10 July 2024
- Ransomware attack on Arkansas-based financial institution, Evolve Bank, by hacking group, LockBit, impacts more than 7.6 million individuals as data is posted on the dark web – Security Week – 9 July 2024
- Online gaming platform, Roblox, is impacted by a data breach for the second time in four years following a third-party breach – PC Magazine – 9 July 2024
- OpenAI’s internal messaging system hacked in 2023; AI technology design information stolen – IT News – 8 July 2024
- Fédération Internationale de l'Automobile (FIA), the governing body of various global motorsports including Formula 1, announces that personal data has been impacted following recent phishing attacks – FIA – 3 July 2024
- Alleged FBI server details, including IPs, server locations, organisations, and operating systems, as well as login pages shared on hacking forum – Cyber Daily – 2 July 2024
Was your business disrupted by the CrowdStrike/Microsoft outage in July? Our article, available here, will help you understand your legal position and mitigate cyber risk going forward.
Podcast: Cross Examining Cyber with Abigail Bradshaw
Watch out for our next episode of ‘Cross Examining Cyber’, dropping here soon. In Episode 8, we will talk with Ms Abigail Bradshaw, Head of the Australian Cyber Security Centre (ACSC).
You can catch up on past episodes in our podcast series here. In our ‘Cross Examining Cyber’ series, we explore all things cyber, including the legal, regulatory and policy developments that impact corporates in Australia and around the world. We speak to the people who are shaping the legal and regulatory environment, who are on the front line, raising cyber resilience and protecting our clients from cyber incidents. Recent episodes include interviews with Dr Marcus Thompson, Andrew Penn, Bill Siegel and Hamish Hansford.
Cyber risk survey
Thank you to those who participated in our Cyber Risk Survey for 2024. We are collating the results and look forward to sharing our Cyber Risk Survey Report in September at the 2024 Financial Review Cyber Summit.
Government revamps cyber security leadership in ministerial shake-up – IT News – 28 July 2024
Prime Minister Anthony Albanese has appointed Tony Burke as Australia’s new Minister for Home Affairs and Minister for Cyber Security. Minister Clare O’Neil has been appointed Minister for Housing. The Prime Minister announced that Andrew Charlton MP will serve as a special envoy for cyber security and digital resilience.
‘Limited progress’ on public sector cyber uplift since strategy – Innovation Australia – 31 July 2024
The Department of Home Affairs confirmed it has made limited progress implementing three of the five actions focused on uplifting public sector cybersecurity, in response to questions from Liberal Senator and shadow cybersecurity minister James Paterson in the last round of Senate estimates. The Department also advised that actions relating to sovereign cybersecurity capabilities have made “limited progress [or have] yet to be commenced”.
Cyber ransom payments will need to be disclosed by businesses under new laws – ABC News – 30 July 2024
The Australian government will soon introduce a bill which would require Australian entities to disclose cyber extortion payments. The no-fault regime is intended to reveal to policy makers the scale of payments being made. The bill is also expected to include standards for "Internet of Things" devices.
ASIC and OAIC sign information sharing MoU to accelerate data and privacy breach responses – ASIC – 19 July 2024
A memorandum of understanding has been signed between ASIC and the OAIC, allowing for the sharing of data and privacy breach information for the purpose of exercising powers or performing functions. According to ASIC, the approach contemplated by the MoU will help protect public interests efficiently and effectively.
Telstra penalised $1.5m for scam rule breaches – ACMA – 17 July 2024
The Australian Communications and Media Authority (ACMA) fined Telstra $1,551,000 for failing to perform required customer ID authentication processes, leaving customers vulnerable to scams. While ACMA did not find any evidence of direct loss, it emphasised that customers need to be able to trust that their accounts are being protected from fraud. ACMA accepted a two-year enforceable undertaking from Telstra, committing it to an external review and to making improvements where necessary.
Government agencies issued with directives to eliminate foreign vulnerabilities – Australian Government Department of Home Affairs – 9 July 2024
Three protective security directions have been made under the Protective Security Policy Framework, to manage risks to the Commonwealth. The directions include a requirement for ‘Australian government entities to identify indicators of foreign ownership, control or influence risk as they relate to procurement and maintenance of technology assets’, a requirement for ‘Australian government entities to identify and actively manage the risks associated with vulnerable technologies they manage’, as well as a requirement for ‘Australian government entities using threat intelligence sharing platforms to share cyber threat information with the Australian Signals Directorate.’
Australian Government partners with Amazon Web Services to bolster national defence and security – Australian Government Department of Defence – 4 July 2024
The federal government has announced a new partnership with Amazon and the ASD to establish a purpose-built, sovereign TS Cloud in Australia. At least AU$2 billion will be invested over the next 10 years, to bolster Australia’s cyber capabilities. The TS Cloud builds on AWS’s planned AU$13.2 billion investment in Australian infrastructure to 2027.
Mandatory AI and automated risk reviews to land in Queensland – IT News – 4 July 2024
The Queensland public sector will soon be subject to both internal assessments and external reviews designed to evaluate and mitigate risks specific to their use of artificial intelligence and automated decision-making. The mandatory framework is expected to be released in the coming weeks.
What keeps Australia’s critical infrastructure boss up at night – Government News – 25 July 2024
Addressing the “Tech in Government” conference delegates in Canberra, the Deputy Secretary of the Cyber and Infrastructure Security Group within the Department of Home Affairs, Hamish Hansford, outlined that the CrowdStrike incident on 19 July highlighted existing challenges with cyber risk ownership, supply chain management, a protective security policy landscape marred by complexity and overlap, and interdependent risk.
Insurers’ losses from global IT outage could reach billions – Financial Times – 23 July 2024
The CrowdStrike outage is believed to have affected over 8 million devices running Microsoft Windows. Claims under policies are expected for business interruption and system outages, as well as liability claims. Analysts at Jefferies argued that the incident acted as a ‘proof of concept’ for the value of cyber insurance, and Aon suggested the incident may become the most important cyber insurance loss event since the NotPetya malware attacks of 2017.
North Korean Hackers Shift from Cyber Espionage to Ransomware Attacks – Swap Update – 25 July 2024
A North Korea-linked threat actor with a history of carrying out espionage campaigns has been observed carrying out financially-motivated attacks involving ransomware. APT45, which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet, Stonefly, and Silent Chollima, has been frequently observed targeting critical infrastructure, such as the Kudankulam Nuclear Power Plant in India in 2019. Mandiant has commented that APT45 may be carrying out financially-motivated cyber crime “not only in support of its own operations but to generate funds for other North Korean state priorities”.
Japan, US and Australia join forces for first information warfare event – Cyber Daily – 17 July 2024
Sailors and officers from the Royal Australian Navy, the United States Navy, and the Japanese Maritime Self-Defense Force (JMSDF) gathered in Sydney for a cyber defence exercise, Exercise Blue Spectrum – the first such exercise since the signing of the memorandum of the JMSDF-US Pacific Fleet-Royal Australian Navy IW Cooperation in April 2024.
Labor under pressure to confront China over hacking – Australian Financial Review – 9 July 2024
The ASD published new advice about the activities of APT40, accusing the group of sustained attacks on Australian networks. According to the ASD, APT40 is a People’s Republic of China state-sponsored cyber group. APT40 is also known as Leviathan, TEMP.Periscope, Kryptonite Panda and Gingham Typhoon. China has firmly rejected the accusations.
Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4 – Dark Reading – 26 July 2024
KnowBe4, a security firm which provides security awareness and training, has discovered that a new hire was in fact a fake IT worker from North Korea. Suspicious activity on the software engineer's workstation was detected shortly after it was received. KnowBe4 believes that no data has been lost, compromised, or exfiltrated. An FBI investigation is underway.
Cyber-security firm rejects $23bn Google takeover – BBC News – 23 July 2024
Wiz has rejected a US$23 billion offer from Google’s parent company, Alphabet. In an internal memo to staff, Wiz founder and chief executive Assaf Rappaport advised that the company would instead continue along the path to pursuing an IPO and targeting US$1 billion in revenue. Had it been accepted, the transaction would have been Google’s largest-ever acquisition.
AT&T reveals arrest made following April cyberattack – Cyber Daily – 18 July 2024
AT&T announced that threat actors downloaded data pertaining to nearly all its 114.5 million customers from a third-party platform in April 2024. It was reported that records of calls and text messages were compromised. AT&T reported making a US$370,000 extortion payment and, within days, announced that law enforcement had made at least one arrest in connection with the attack.
The first King’s speech of the new Government sets economic growth as its most pressing priority – Tech UK – 17 July 2024
In the first King’s speech of the new UK Government, two pieces of technology-related legislation were introduced: the Cyber Security and Resilience Bill and the Digital Information and Smart Data Bill. The Cyber Security and Resilience Bill is intended to strengthen the UK’s cyber defences to protect and secure critical infrastructure and digital services. Notably, the Bill contemplates expanding incident reporting obligations including in relation to ransomware attacks.
Key computer system operators to be kept confidential under proposed cybersecurity law, security chief says – Hong Kong Free Press – 2 July 2024
Hong Kong’s Security Bureau is launching a public consultation, with a view to introducing the Protection of Critical Infrastructure (Computer System) Bill into the Legislative Council in 2024. The regime is expected to cover eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, communications and broadcasting, and healthcare services.
US healthcare organisation fined nearly US$1 billion over 2017 ransomware incident – Cyber Daily – 5 July 2024
Heritage Valley Health System has been fined US$950,000 for HIPAA violations following investigations by the United States Department of Health and Human Services in the wake of a ransomware attack on the healthcare provider in 2017. Amongst other things, it was determined that Heritage Valley had failed to conduct a proper risk analysis of the data it was holding and how it was stored, and it did not have a proper contingency plan in place in case of such an attack.
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.