The Australian government introduced its Cyber Security Legislative Package, which sets in motion key reforms contemplated by the 2023 – 2030 Australian Cyber Security Strategy. It is also considering whether the ACL is fit for purpose in an AI era, it launched the Small Business Cyber Resilience Service, and it appointed the ACCC as the initial Digital ID regulator. Additionally, government agencies have been staying busy: ASIC is increasingly concerned about reports of stolen shares, the OAIC released guidance dealing with charities and NFPs and with the commercial use of AI, and the ASD released a joint advisory regarding ongoing Iran-backed cyber campaigns. The NSW government is responding to an audit report on its own cyber security.
It is not surprising that Australian businesses consider they do not have the budget to meet their cyber security needs, and that ransomware is a growing problem for providers of financial services.
Enforcement action has been strong. The Australian government has again imposed targeted financial sanctions and travel bans on three Russian citizens, and Operation Cronos has led to more arrests.
Internationally, the NIS2 Directive has taken effect, and the US government has proposed a new rule prohibiting certain US data transfers to specified ‘countries of concern’. The European Securities and Markets Authority wants crypto companies to demonstrate improved cyber security. Delta’s legal battle with CrowdStrike continues.
Cyber incidents that made headlines in Australia and around the world in October include American Water, Cisco, video game developers Red Barrels and Game Freak, Deloitte, The Plastic Bag Company, fresh produce company Perfection Fresh, Fidelity Investments, Casio, Universal Music Group, entertainment company Funlab, Liberal Democratic Party of Japan, blockchain identity firm Fractal ID, Ultra Tune, Italy's latest football club Juventus Football Club, aged care organisations Respect and TPG Aged Care, US fashion retailer Hot Topic, Dutch Police, Japan Aerospace Exploration Agency, crypto payment processor Transak and Nidec Corporation. IBM has refused to comment on an alleged breach. Western Sydney University and ADT each confirmed they had been impacted again in 2024, while Internet Archive suffered three attacks in October alone. Australia’s Department of Home Affairs announced it was caught up in the February breach of its data management vendor, ZircoDATA. The UnitedHealth data breach in June 2024 has been confirmed as the largest healthcare data breach in the US. Ecovacs acknowledged that its Deebot X2s suffered from a significant security flaw which led to devices being hacked and purportedly chasing pets while shouting racial slurs.
Podcast: Cross Examining Cyber with David Thodey
Cameron Whittfield and Carolyn Pugsley continued their discussion with David Thodey, one of Australia’s most respected company directors and current Chair of Xero and Ramsay Healthcare. After we discussed his fascinating career, David provided some valuable insights into the role of a director and board in a cyber incident. The two-part episode can be accessed here.
Look out for our next episode, featuring a rich discussion with Australia’s Privacy Commissioner, Carly Kind.
HSF webinar: Implications of the Cyber Security Bill 2024
On 21 October 2024, we hosted a webinar discussing how the proposed changes might affect businesses if passed into law, and what further reforms we expect to see in the months ahead as the Government seeks to implement its 2023 – 2030 Australian Cyber Security Strategy. Wouter Veugelen (FTI Consulting) and Derek Bopping (ASD) joined the HSF panel, consisting of Christine Wong, Peter Jones, Magda Blanch-de Wilt and Cameron Whittfield. You can watch it here.
Podcast: How to Keep Data Safe in the Digital Age
Bigger is not always better, especially when it comes to data. In a digitised world, it is possible to collect reams of data on customers, but at what cost? Many companies don’t even realise they’re suffering an extreme case of ‘bad data hygiene’ which in the face of a cyber incident, could be critical. Laura Newton, a regulatory lawyer and Cyber Lead at Herbert Smith Freehills, explains best practices for managing customer data, how to prepare for a cyber incident, and what to do if an incident breaks out. Watch here.
HSF Cyber Risk Report 2024
Our Cyber Risk Report 2024 was launched at the Australian Financial Review Cyber Summit in Sydney last month (an event proudly sponsored by HSF).
The report reflects on data captured in the only survey in Australia to seek the views of legal leaders in relation to an evolving cyber risk landscape. We hope it prompts some provocative discussions regarding cyber engagement and investment.
Cyber Security Bill 2024 – Parliament of Australia – 9 October 2024
The government introduced three bills into federal Parliament in October, including the Cyber Security Bill 2024. This package bill proposes mandatory ransomware payment reporting obligations, limited use obligations for the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator, new security standards for smart devices, a new Cyber Incident Review Board, and various amendments to the Security of Critical Infrastructure Act 2018.
On 21 October 2024, we hosted a webinar discussing how the proposed changes might affect businesses if passed into law, and what further reforms we expect to see in the months ahead as the Government seeks to implement its 2023 – 2030 Australian Cyber Security Strategy. Wouter Veugelen (FTI Consulting) and Derek Bopping (ASD) joined the panel. You can watch it here.
Guidance on privacy and the use of commercially available AI products – Office of the Australian Information Commissioner – 21 October 2024
The OAIC has released guidance targeting organisations that are deploying AI systems built to collect, store, use or disclose personal information, to assist those organisations to comply with their privacy obligations under Australian privacy laws.
Australian charities, not-for-profit organizations receive new privacy guidance from regulator – Office of the Australian Information Commissioner – 22 October 2024
The updated guidance follows several recent high-profile data breaches affecting charities and NFPs. It includes expanded advice on information security, steps that NFPs can implement to comply with their retention and destruction obligations, and considerations relevant to engaging third-party providers.
Cyber sanctions imposed on Russian citizens for cybercrime – Australian Minister of Defence – 2 October 2024
Australia has imposed targeted financial sanctions and travel bans on three Russian citizens for their involvement in the Evil Corp cybercrime group. This is the second instance of sanctions being imposed under the Autonomous Sanctions Act 2011. A sanction was previously imposed on Russian national, Aleksandr Ermakov, in January 2024 for his role in the compromise of Medibank Private in 2022.
Digital Identity – Australian Competition and Consumer Commission – 24 October 2024
The ACCC has been announced as the initial Digital ID regulator. The regulatory role will involve accrediting organisations and agencies that provide Digital ID services, screening and approving institutions for involvement in the Digital ID system and enforcing legislation for non-privacy aspects of Digital ID.
Investor alert: Reports of stolen shares due to identity theft on the rise – Australian Securities and Investments Commission – 15 October 2024
ASIC has released a warning to investors to be on high alert due to a significant increase in reports of stolen shares in the past three months. According to ASIC, ongoing data breaches that have compromised the personal information of Australians are leading to scammers being able to successfully use stolen credentials to access share portfolios.
Review of AI and the Australian Consumer Law – Australian Government Treasury – 15 October 2024
The Australian government has released a Discussion Paper regarding whether the Australian Consumer Law (ACL) is fit for purpose in the context of rising uptake of AI. The consultation process is open until Tuesday 12 November 2024.
Launch of Albanese Labor Government’s Small Business Cyber Resilience Service – Ministers Treasury Portfolio – 22 October 2024
In an effort to provide enhanced support to small businesses in preventing and recovering from cyber incidents, the federal government launched the new Small Business Cyber Resilience Service. The Service, provided by IDCARE, will include free, one‑on‑one assistance to help small businesses navigate cyber challenges, bolster their cyber resilience, and recover from a cyber incident.
NSW govt cybersecurity review under way – Innovation Aus – 28 October 2024
The NSW Government is conducting a structural review of its cyber hygiene, focusing particularly on smaller, less well-resourced agencies, to better defend itself against cyber threats. The review comes off the back of a report published by the Audit Office of New South Wales in October, which reveals that NSW government agencies are dealing with cyber risks outside acceptable tolerance levels. The NSW Cyber Security Policy was launched in 2019.
New South Wales IPC reports government, councils and universities suffered 52 data breaches in 7 months – Cyber Daily – 4 October 2024
The NSW IPC has released its annual Data breach report, which revealed that, of the 52 data breaches suffered in the first seven months of 2024, 34 impacted government agencies, nine impacted local councils, and nine impacted universities. Cyber attacks and malicious incidents accounted for 44% of breaches affecting universities, and 20% of breaches affecting government agencies.
Ransomware is a growing issue for Financial Services organisations – Thales – 16 October 2024
In its 2024 Data Threat Report for Financial Services Organisations, Thales announced that financial services providers continue to view ransomware as a major issue for the sector. The report confirms that the sector is seeing an increase in the rate of ransomware attacks.
Cyber security remains a top focus for Australian business, but budgets are a challenge – Cyber Daily – 7 October 2024
According to Datacom’s 5th Annual Cloud Report, fewer than 20 per cent of Australian businesses have adequate budgets to meet their cyber security targets.
Delta Air Lines sues CrowdStrike over software update – IT News – 28 October 2024
Delta Air Lines filed proceedings against CrowdStrike in a Georgia state court in relation to the outage on 19 July 2024, which led to the airline cancelling approximately 7000 flights, impacting travel plans for approximately 1.3 million customers. Delta is claiming over US$500 million in out-of-pocket losses and an unspecified amount pertaining to lost profits, legal fees, reputational harm, and future revenue loss.
Irish Data Protection Commission fines LinkedIn Ireland €310 million – Data Protection Commission – 24 October 2024
The Irish Data Protection Commission (DPC) has found that LinkedIn Ireland Unlimited Company has breached the GDPR regarding the lawfulness, fairness, and transparency of its processing of personal data for the purposes of behavioural analysis and targeted advertising of its users. LinkedIn has been ordered to pay fines totalling €310 million.
Justice Department Issues Comprehensive Proposed Rule Addressing National Security Risks Posed to U.S. Sensitive Data – Office of Public Affairs, US Department of Justice – 21 October 2024
The proposed rule would establish categorical rules for certain data transactions that pose an unacceptable risk of giving countries of concern or covered persons access to government-related data or bulk US sensitive personal data.
New rules to boost cybersecurity of EU’s critical entities and networks – European Commission – 17 October 2024
The European Commission’s new Network and Information Security Directive 2 (NIS2 Directive) has been officially adopted. The NIS2 Directive specifies cyber security requirements that must be implemented by entities considered to be critical infrastructure based on their location, size or industry, and is a continuation and expansion of the previous EU cyber security directive, NIS. Member States must transpose the NIS2 Directive into national law from 18 October 2024.
Iranian cyber actors’ brute force and credential access activity compromises critical infrastructure – Australian Signals Directorate – 17 October 2024
A joint advisory has been released regarding ongoing Iran-backed cyber campaigns targeting multiple critical infrastructure sectors worldwide, including the healthcare and public health, government, information technology, engineering, and energy sectors. The advisory recommends a number of mitigations, including implementing MFA and reviewing related settings, providing basic cyber security training to users, ensuring password policies align with the NIST Digital Identity Guidelines, and more.
EU markets watchdog pushes for extra cyber defences in new crypto rules – Financial Times – 16 October 2024
The European Securities and Markets Authority is reportedly considering tougher rules on cyber protection for crypto companies from December 2024. The amendments would require crypto companies to conduct external audits of their cyber defences. This proposal follows a significant rise in cyber attacks impacting the crypto industry in recent years.
Malaysia ramps up cyber security defence to stem rising fraud and ransomware attacks – IT News – 15 October 2024
Malaysia is looking to strengthen its cyber security strategy, digital resilience, and global partnerships. CyberSecurity Malaysia, the nation’s cyber security specialist agency, believes a coordinated approach is essential to bolster resilience against sophisticated cyber adversaries.
Australian Federal Police continues to work with Thai counterparts to fight scams, organised crime – Cyber Daily – 8 October 2024
The Australia Room has been opened at the Royal Thai Police Forensic Facility by Australia’s ambassador to Thailand, and will serve as a forensics training hub for police scientists from Cambodia, Laos, Thailand and Vietnam. Australian Federal Police Assistant Commissioner David McLean stated that specialist forensic and digital forensic skills are crucial in the fight against organised crime (including cyber scams) perpetrated by groups that originate in the region and target Australia.
AT&T, Verizon reportedly hacked to target US govt wiretapping platform – Bleeping Computer – 7 October 2024
A nation-state attack perpetrated by China-linked group Salt Typhoon has impacted multiple US broadband providers, including AT&T, Verizon and Lumen Technologies. According to the Wall Street Journal, the hackers appear to have engaged in vast collection of internet traffic. The attack is being investigated by the U.S. government.
4 LockBit members arrested, major affiliates ousted in latest Operation Cronos activity – Cyber Daily – 2 October 2024
A global law enforcement operation, led by the FBI, Europol and the UK National Crime Agency (NCA), led to the arrest of four more individuals linked to the LockBit 3.0 ransomware gang, as part of Operation Cronos. As part of the arrests, the Spanish Guardia Civil was able to seize nine servers involved in LockBit infrastructure, which it believes will lead to further action. In connection with the arrests, the NCA revealed that Aleksandr Ryzhenkov is a member of Evil Corp, which is a significant affiliate of LockBit.