
November was a momentous month, as Australia welcomed significant cyber law reform, including the Cyber Security Act 2024. Tranche 1 of Australia’s privacy law reform also passed both houses of Parliament, and the government of Western Australia pushed through new privacy and information sharing laws.

Check out our practical summaries of the law reform to get up to speed:

In its Annual Cyber Threat Report 2023-2024, the Australian Signals Directorate (ASD) confirmed there has been no slowdown in cyber threat activity, and provided some interesting commentary and statistics regarding critical infrastructure, supply chain risk and AI. ASIC’s enforcement priorities for 2025 include focusing on AFS licensees with inadequate cyber security protections.

The AICD released version 2 of its Cyber Security Governance Principles. Melbourne played host to cyber and privacy experts at AISA’s Australian Cyber Conference and the IAPP ANZ Summit. A new report discussed the interplay between ransom payments and insurance, and Australian banks were criticised for their poor scam protection measures.

Internationally, the hacker behind the Ticketmaster attack faced court in the United States. The Hong Kong Monetary Authority released a new Supervisory Policy Manual module regarding cyber risk management. The physical location of world leaders was inadvertently leaked by Strava, and cybercriminals impersonated OpenAI. The US released guidelines for the safe and secure development and deployment of AI in critical infrastructure.

Cyber incidents that made headlines in November include AC Laser, Australian National University Enterprise, ASIC compliance firm Waive, ATF Services, Samsung Electronics Korea, Australian Nursing Home Foundation, equipment provider LEE, Goodline, courts across Washington USA, South Korean Defence Ministry, South Korean courts, Singtel, Followmont Transport, Newpark Resources, financial services and debt relief firm Set Forth, JewishCare NSW, Instagram, T-Mobile, ADT Freight Services, Government of Mexico, Ford Motor Company, Snow Brand Australia, Finsure, Maxar Space Systems, Triton Sourcing & Distribution and Telstra. Nokia and Tesla were impacted by third party attacks. A second threat actor has claimed responsibility for the Cisco data breach, while global energy company Schneider Electric suffered a second attack within one year.


Podcast: Cross Examining Cyber with Carly Kind

In this episode, Cameron Whittfield is joined by Kaman Tsoi, one of the country’s most experienced and respected privacy lawyers, and Australia’s Privacy Commissioner, Carly Kind.

The podcast explores Australia’s privacy reform agenda, the Office of the Australian Information Commissioner’s strategic approach to enforcement, the efficacy of the notifiable data breach regime and the role of the board, including the Commissioner’s view on the extortion demand ‘conundrum’. The two-part episode can be accessed here.

 

Caitlyn Bellis named a finalist in Lawyers Weekly 30 Under 30 Awards 2025

HSF Solicitor, Caitlyn Bellis, has been named a finalist in the ‘Cyber Security’ category for the Lawyers Weekly 30 Under 30 Awards 2025. The full list of finalists is here. Good luck, Caitlyn!


Australia’s first Cybersecurity Bill passes Parliament Innovation Aus 26 November 2024

The Cyber Security Legislative Package, consisting of the Cyber Security Bill 2024, the Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 and the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024, has become law. Key components are ‘limited use’ obligations, ransom payment reporting obligations, new cyber security standards for smart devices, the establishment of a Cyber Incident Review Board, and amendments to the Security of Critical Infrastructure Act 2018 (notably, consolidating security regulation for the telecommunications sector under the regime).

Click here to access HSF’s practical guide to the reforms.

 

Annual Cyber Threat Report 2023-24 Australian Signals Directorate 20 November 2024

Some notable commentary and statistics coming out of the ASD’s report include:

  • The top 3 self-reported cybercrime types for businesses are email compromises resulting in no financial loss (20%), online banking fraud (13%), and business email compromise fraud resulting in financial loss (13%).
  • Ransomware continues to pose significant operational, financial and reputational risk to Australia. 11% of cyber incidents included ransomware, up 3% from 2023.
  • 11% of cyber incidents involved critical infrastructure; of these, 21% occurred through the exploitation of a public-facing application, 15% were as a result of brute-force activities and 23% occurred through phishing. The most frequently impacted sectors were electricity, gas, water and waste services (30%), education and training (17%) and transport, postal and warehousing (15%).
  • The ASD responded to 107 cyber supply chain incidents, representing 9% of all cyber security incidents responded to by ASD in 2023-2024.
  • Denial of Service and Distributed Denial of Service attacks on critical infrastructure were observed more than twice as often when compared to other incidents responded to by the ASD.
  • The ASD projects that state-sponsored cyber actors will continue targeting Australian governments, critical infrastructure and businesses, as well as connected systems and their supply chains.
  • The ASD is observing that operational technology is a vulnerable target for malicious cyber actors, given its interconnectedness with ICT networks.
  • The ASD has emphasised the importance of due diligence on supplier products and cyber security practices, and securing AI systems.

 

Delivering stronger privacy protections for Australians Attorney-General’s Department – 29 November 2024

Legislation to reform Australia’s privacy laws has now passed both houses of Parliament, implementing the first tranche of recommendations from the Privacy Act Review and new criminal offences to outlaw doxxing.

HSF’s summary of the reforms is available here.

 

ASIC announces new enforcement priorities with a focus on cost of living pressures Australian Securities & Investments Commission 14 November 2024

The Australian Securities & Investments Commission (ASIC) announced its enforcement priorities for 2025. These reflect the increased risks which consumers face due to the rise in cost-of-living pressures. Notably, one of ASIC’s 2025 enforcement priorities will focus on Australian Financial Services licensee failures to have adequate cyber security protections.

 

WA squeezes privacy bill through in the Parliament’s last breath WA Government – 28 November 2024

The WA Parliament passed the Privacy and Responsible Information Sharing Bill 2024 and Information Commissioner Bill 2024, which establish a mandatory data breach reporting scheme, legislate for the Office of the Information Commissioner, and introduce new privacy principles to guide WA's public sector agencies on approved systems and processes to handle personal information.

 

2023 top routinely exploited vulnerabilities Australian Cyber Security Centre 13 November 2024

The Australian Cyber Security Centre (ACSC) released an advisory detailing the most regularly exploited vulnerabilities, after a sharp rise in zero-day exploits by threat actors since 2022.


Cyber Security Governance Principles | Version 2 – Australian Institute of Company Directors – 25 November 2024

The Australian Institute of Company Directors (AICD) has released an updated version of its Cyber Security Governance Principles. The refreshed principles touch on digital supply chain risk and data governance. They reflect regulatory and legislative shifts, discuss the evolving threat environment and include incident response case studies and reflections from leading directors including Catherine Brenner FAICD, Andy Penn AO and John Mullen.

 

Australian banks criticised for weak email scam defences Security Brief 26 November 2024

Research by Proofpoint has revealed that 66% of Australia’s banks are yet to adopt the most secure level of Domain-based Message Authentication, Reporting and Conformance (DMARC) protection, which plays a key role in preventing threat actors from spoofing a bank’s email identity. Australian banks significantly lag behind US counterparts, according to the research. Proofpoint’s research considered 85 banks, including Australian-owned and foreign subsidiary banks operating in Australia.
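The “most secure level” of DMARC referred to above is a published policy of p=reject, which tells receiving mail servers to discard mail that fails SPF/DKIM alignment; p=none only monitors, and a pct value below 100 or a weaker sp= subdomain policy leaves gaps. The following is an added example, not code from the newsletter or from Proofpoint’s research, showing how a defender can parse a DMARC TXT record and classify its enforcement level. The bank domains and records are constructed for illustration (a real check would first fetch the TXT record at _dmarc.<domain> over DNS).

```python
"""Classify the enforcement level of DMARC records (added example).

Works on DMARC TXT record strings supplied inline so it runs offline;
the domains and records below are constructed samples, not real banks.
"""
from dataclasses import dataclass

VALID_POLICIES = {"none", "quarantine", "reject"}
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    level: str   # "reject", "quarantine", "none", "partial" or "invalid"
    reason: str


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict.

    Tag names are case-insensitive (RFC 7489); values are kept as written.
    Only the first '=' separates tag from value, so 'rua=mailto:x' survives.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return the effective enforcement level of one DMARC record."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment("invalid", "missing or wrong v= tag; receivers ignore the record")

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcAssessment("invalid", "p= missing or not one of none/quarantine/reject")

    # sp= defaults to the organisational policy when absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        return DmarcAssessment("invalid", "sp= present but not a valid policy")

    # pct= defaults to 100; anything unparseable makes the record unusable.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return DmarcAssessment("invalid", "pct= is not an integer")

    # The weaker of the domain and subdomain policies is what an attacker gets.
    weakest = min(policy, sub_policy, key=STRENGTH.get)
    if weakest == "none":
        return DmarcAssessment("none", "monitoring only: spoofed mail is still delivered")
    if pct < 100:
        return DmarcAssessment("partial", f"{weakest} applies to only {pct}% of failing mail")
    return DmarcAssessment(weakest, f"{weakest} enforced on 100% of failing mail")


# Constructed sample records (hypothetical domains, not real institutions).
SAMPLE_RECORDS = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-c.example",
    "bank-d.example": "v=DMARC1; p=reject; sp=none",
    "bank-e.example": "v=spf1 include:_spf.bank-e.example -all",  # SPF published at _dmarc by mistake
    "bank-f.example": "V=DMARC1; P=reject; pct=100; adkim=s; aspf=s",
}


def count_at_reject(records: dict) -> tuple:
    """Return (domains at full reject enforcement, total domains)."""
    at_reject = sum(1 for rec in records.values() if assess_dmarc(rec).level == "reject")
    return at_reject, len(records)


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{domain:16} {result.level:10} {result.reason}")
    good, total = count_at_reject(SAMPLE_RECORDS)
    print(f"{good}/{total} sample domains at p=reject with full coverage")
```

Running the script lists each sample domain with its effective level; only two of the six constructed records reach full reject enforcement, which is the kind of gap the Proofpoint figure describes. The classification treats a weaker sp= or a pct below 100 as less than “most secure” because either leaves a path for spoofed mail to be delivered.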

 

Australian small businesses are lagging behind on cyber security Vanta 19 November 2024

Vanta’s ‘State of Trust’ report reveals that only 44% of companies with under 50 employees have dedicated security budgets. Additionally, only 66% of small companies are confident they can explain the impact of any security program on their business.

 

Seniors and carers call for smart monitoring to safely age at home Cyber Daily 22 November 2024

A survey of 1,000 senior Australians and their carers has conveyed that older Australians would happily accept government-funded smart tech in their homes to monitor falls and other incidents, particularly if it means they can age in their own homes, without going into aged care facilities. Additionally, over 50% stated they would make financial contributions to support the technology.

 

Pressure points hackers use to get bigger payments than ever Australian Financial Review – 27 November 2024

Hackers are increasingly targeting human resources, health, finance, and legal data held by employers to use as leverage in ransom negotiations, according to a report by McGrathNicol and YouGov. Over 80% of businesses surveyed said they would be willing to pay a ransom at an average of up to $1.4 million, just under the average insurance cover of $1.5 million. According to the report, the average ransom payment made by Australian companies has risen from $1 million in 2023 to $1.35 million in 2024.

 

Hackers are targeting private schools for blackmail Australian Financial Review – 19 November 2024

Hackers are increasingly targeting private schools to steal personal information about students, to use to extort parents. Education providers comprised about 5 per cent of the 1100 incidents responded to by the ASD in 2023-2024.

 

CommBank reveals new anti-scam protections Cyber Daily 14 November 2024

Commonwealth Bank has announced new anti-scam protections which are being implemented, including security features for digital wallets, first-time payments, and cardless transactions. These changes will allow customers to easily review payments via the CommBank app and remove any wallets they do not recognise.


New Supervisory Policy Manual (SPM) Module TM-C-1 on “Supervisory Approach on Cyber Risk Management” Hong Kong Monetary Authority – 29 November 2024

The HKMA issued a circular to inform authorised institutions that it had published a new Supervisory Policy Manual (SPM) module TM-C-1 'Supervisory Approach on Cyber Risk Management' following consultations with the industry associations (the Hong Kong Association of Banks and the DTC Association). This SPM module sets out the HKMA’s guidance and supervisory processes on cyber risk management, as well as its expectation for deeper collaboration between the banking sector and other stakeholders in the ecosystem.

 

North Korean hackers steal US$10 million with AI-driven scams and malware on LinkedIn The Hacker News – 23 November 2024

North Korean-linked threat actor, Sapphire Sleet, is thought to have stolen more than US$10 million worth of cryptocurrency over the last six months, according to Microsoft. Numerous threat actors have created fake profiles on LinkedIn, posing as both recruiters and job seekers, to generate revenue for North Korea. Other methods include posing as venture capitalists claiming an interest in a target user’s company to set up an online meeting, where the link to join leads to an error message, and the eventual downloading of malware onto the victim’s desktop. Sapphire Sleet has been active since 2020 and overlaps with other known threat actor groups, including APT38 (the Lazarus Group) and BlueNoroff.

 

CISA releases list of top 25 most dangerous software weaknesses for 2024 Cyber Daily – 21 November 2024

The US Cybersecurity and Infrastructure Security Agency (CISA) and Homeland Security Systems Engineering and Development Institute collaborated to prepare a list of the most critically exploited weaknesses used by threat actors to steal data from companies, disrupt services, and compromise systems and networks. Cross-site scripting was the most exploited weakness.

 

Facebook users affected by data breach eligible for compensation in Germany IT News – 19 November 2024

The German Federal Court of Justice ruled that those affected by a loss of control of basic data are eligible to seek compensation without proving specific damages or financial impact. The ruling was made following an incident in 2018-19, in which unknown third parties were able to access user accounts of approximately 533 million Facebook users, including 6 million in Germany, by guessing phone numbers. Meta has said the ruling is ‘inconsistent with the recent case law of the European Court of Justice’.

 

Groundbreaking framework for the safe and secure deployment of AI in critical infrastructure unveiled by Department of Homeland Security Department of Homeland Security – 14 November 2024

New guidelines have been released by the US Department of Homeland Security for the safe and secure development and deployment of AI in critical infrastructure. The recommendations were developed by and for entities at each layer of the AI supply chain: cloud and compute providers, AI developers, and critical infrastructure owners and operators, as well as the civil society and public sector entities that protect and advocate for consumers. The framework responds to three primary categories of AI safety and security vulnerabilities in critical infrastructure: attacks using AI, attacks targeting AI systems, and design and implementation failures.

 

US calls on Russia to rein in ransomware operators Cyber Daily – 13 November 2024

Anne Neuberger, the US deputy national security adviser, has accused Russia of tacitly supporting ransomware gangs in a UN Security Council briefing which focused on ransomware attacks in the healthcare sector. In the United States, there were over 1,500 attacks in 2023 against the healthcare sector, costing over US$1.1 billion in ransom payments, and a large amount of damage to life-saving supplies.

 

Accused Ticketmaster hacker Connor Moucka facing extradition and decades in jail The Nightly – 12 November 2024

Canadian Connor Moucka, who allegedly stole the personal information of millions of Australian Ticketek and Ticketmaster customers, is facing decades behind bars if he is found guilty of the 20 charges against him filed in the United States District Court. The breach was one of the largest ever due to the scale of personal data which was stolen. The charges against Moucka, and Turkish citizen John Binns, include computer fraud and aggravated identity theft over the hack on cloud storage facility Snowflake.

 

INTERPOL financial crime operation makes record 5,500 arrests, seizures worth over USD 400 million INTERPOL – 27 November 2024

A global law enforcement operation has led to the arrest of over 5,500 financial crime suspects and the seizure of more than USD 400 million in virtual assets and government-backed currencies. Operation HAECHI V focused on seven types of cyber-enabled frauds, including voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise fraud, and e-commerce fraud.

 

New Zealand is one of the least cyber-prepared countries in the world Cyber Daily – 11 November 2024

New research conducted by technology firm Psono has found that New Zealand is the third least-prepared country in the world when it comes to cyber security. The only countries ranked lower are Mexico and Egypt. Sweden, Singapore, Germany, Denmark and the Czech Republic were the top five ranked countries. Australia was ranked 30th.

 

South Korea fines Meta US$15 million for illegally collecting information on Facebook users The Star – 6 November 2024

Following a four-year investigation, South Korea’s Personal Information Protection Commission has fined Meta for illegally collecting sensitive personal information of approximately 980,000 Facebook users, including data regarding their political views and sexual orientation, and sharing it with advertisers.

 

Strava leaks reveal locations of Biden, Putin, and Macron Cyber Daily – 5 November 2024

The locations of world leaders, including US President Joe Biden, Russian President Vladimir Putin, and French President Emmanuel Macron, were inadvertently leaked through the fitness tracking app, Strava, after US Secret Service agents used the app to track their activities. In another circumstance, the location of President Biden and Chinese President Xi Jinping was also inadvertently revealed when an agent protecting President Biden uploaded a run from a hotel in San Francisco.

 

Cybercriminals impersonate OpenAI in large-scale phishing attack Enterprise Times – 2 November 2024

Threat researchers unveiled a large-scale campaign impersonating OpenAI and targeting organisations globally. The phishing attack involved urgent requests to update payment information to process a monthly subscription to the service. The requests, designed to mimic legitimate emails, closely resemble OpenAI communications but with different URLs.

 

Australia partners with the Philippines for ‘Cyber Boot Program’ Cyber Daily – 4 November 2024

The Philippines and Australia have launched a program aiming to bolster the Philippines’ cyber defences with a ‘cyber boot program’ that will increase local awareness of how to best prepare for cyber-attacks and how to deal with them when they occur. The program follows the signing of a memorandum of understanding on Cyber and Critical Technology Cooperation between the two nations in February 2024.

Key contacts

  • Cameron Whittfield, Partner, Melbourne
  • Peter Jones, Partner, Sydney
  • Heather Kelly, Senior Associate, Melbourne
  • Laura Newton, Senior Associate, Sydney
  • Magdalena Blanch-de Wilt, APAC Cyber Risk Advisory Lead, Melbourne
  • Christine Wong, Partner, Sydney
  • Merryn Quayle, Partner, Melbourne
  • Josh Kain, Senior Associate, Melbourne
  • Brendan Donohue, Senior Associate, Melbourne
  • Kaman Tsoi, Special Counsel, Melbourne
  • Caitlyn Bellis, Solicitor, Sydney
  • Annie Zhang, Solicitor, Melbourne