Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem
September 16, 2021
A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.
IT Governance calculates that in August there were 84 cyber attacks, which resulted in 60,865,828 records being breached. Of that number, T-Mobile suffered a hack which affected 53 million records.
Yesterday the Australian Cyber Security Centre (ACSC) released its Annual Cyber Threat Report for 2020 – 2021, which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could be, and probably is, higher. Probably much higher.
The statement by the Assistant Defence minister provides:
Today the Assistant Minister for Defence released the second ACSC Annual Cyber Threat Report: July 2020 to June 2021 in Perth.
The ACSC Annual Cyber Threat Report details the key cyber threats Australians face, and provides critical advice on how to protect yourself online, jointly compiled by the Australian Cyber Security Centre (ACSC), the Australian Federal Police and the Australian Criminal Intelligence Commission.
As Australians in record numbers worked remotely in response to the coronavirus pandemic, the ACSC received over 67,500 cybercrime reports over the last financial year – or one every eight minutes. This is an increase of nearly 13 per cent from the previous year.
Malicious cyber actors have pivoted to exploit the COVID-19 pandemic and are actively targeting vulnerable Australians and health services to conduct espionage, and steal money and sensitive data.
Ransomware-related cybercrime reports increased nearly 15 per cent from the previous financial year, and ransomware remains one of the most serious cyber threats due to its financial and disruptive impacts.
The Assistant Minister for Defence, The Hon Andrew Hastie MP, said that cyber is the new battleground, and it is a team effort and a shared responsibility to lift the nation’s cyber defences by implementing cyber security measures.
“The Morrison Government’s first priority is to keep Australians safe both in the physical world and online,” Assistant Minister Hastie said.
“Malicious cyber criminals are escalating their attacks on Australians. We need all Australians to be vigilant by taking simple cyber security steps including using strong passphrases, enabling two-factor authentication, updating software and devices and maintaining regular data backups, as well as being on guard against malicious emails and texts.”
“Approximately one-quarter of reported cyber security incidents affected critical infrastructure organisations, including essential services that all Australians require, such as education, communications, electricity, water, and transport.”
“The health sector reported the second highest number of ransomware incidents, right at a time when Australians are most reliant on our health workers to help us respond and recover through the pandemic.”
“The Government is taking action, we have introduced legislation to ensure that in the event of a large-scale cyber attack on our critical infrastructure, our cyber and law enforcement agencies are empowered to provide greater and more immediate support to the victims. While our agencies will continue to undertake cyber offensive operations against those who would seek to do us harm.”
During the 12-month period from July 2020 to June 2021, the ACSC received over 1,500 cybercrime reports per month that related to the COVID-19 pandemic, and removed more than 110 malicious COVID-19 themed websites, with assistance from Telstra and Services Australia.
“Through effective reporting and partnerships with foreign and domestic agencies, the ACSC was able to provide advice and assistance for over 1,630 cyber security incidents, and run 18 cyber security exercises involving over 50 organisations to strengthen Australia’s cyber resilience,” Assistant Minister Hastie said.
“I encourage every Australian business, organisation and family to report cybercrime through ReportCyber and subscribe to the ACSC’s alert service to receive free vital advice – or even better – become a Partner of the ACSC.”
The ACSC Annual Cyber Threat Report is available at http://www.cyber.gov.au/acsc/view-all-content/publications/acsc-annual-cyber-threat-report-2021.
The ACSC regularly posts cyber advice and step-by-step guides tailored for all Australians and Australian businesses and organisations, available through cyber.gov.au.
The ACSC is contactable 24/7 via email (asd.assist@defence.gov.au) or by calling the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).
Quick facts for the 2020-21 financial year:
- The ACSC received over 22,000 calls on the Cyber Security Hotline – an increase of over 310% from the previous financial year.
- The ACSC issued 39 alerts and advisories to help combat urgent and critical threats, which were viewed over 7.8 million times.
- The ACSC removed from the internet over 7,700 websites hosting cybercrime activity.
- Business email compromise was one of the top five cybercrime categories, responsible for over 4,600 reports to ReportCyber, nearly 7 per cent of total cybercrime reports received. The average reported loss from business email compromise was around $50,600, up 54 per cent from the previous financial year.
- Cybercrime reported through ReportCyber cost on average:
  - Small business – almost $9,000
  - Medium business – over $33,000
  - Large organisation – over $19,000
- Commonwealth, state, territory, and local government accounted for around 35 per cent of cyber security incidents.
- Category 4 ‘substantial incidents’ accounted for 49% of the total number of incidents, broadly indicating that the cyber security incidents received by the ACSC increased in impact and severity from the previous financial year.
It is a useful document in that it identifies particular trends in cyber attacks.
In terms of attacks, Victoria and Queensland together account for 59% of the reported incidents. The top three forms of cyber crime are fraud (23%), shopping (17%) and online banking (12%). Medium businesses are the biggest category of victims, losing on average $33,442.
Ransomware featured significantly, with a 15% increase in the number of incidents over last year. The top targets are:
- Professional, Scientific and Technical Services
- Health Care and Social Assistance
- Manufacturing
- Education and Training
- State, Territory and Local Government
Business Email Compromise (BEC) is featuring as a significant category of cybercrime. It comes to the attention of legal practitioners as clients attempt to recoup funds lost this way. It is particularly profitable, with the average reported loss per successful attack being $50,673.
COVID has given cybercriminals new opportunities to attack the health sector, as new points of entry have been created and there have been stresses on the industry.
Security vulnerabilities continue to be the gift that keeps on giving for state sponsored actors and fast acting criminals, who take advantage of slow patching by organisations and weak cyber security practices. Software supply chain compromises constitute a very significant threat that is difficult to detect and defend against.
The constant prescription for each problem is for organisations to maintain minimum standards of privacy and cyber security, standards which are fairly dismal at the moment.
Given the numbers produced, it is interesting to see the Office of the Australian Information Commissioner’s recent Notifiable Data Breaches Report for the period January to June 2021, where there were 446 notifications in the first half of 2021, down 16% on the previous 6 months. How does that tally with 67,500 reports received by the ACSC? One possibility is that the Privacy Act only covers organisations with a turnover of over $3 million, so a lot of small traders might be affected but not covered by the obligations of the Act. As for those covered by the Act, it could show that the bar set by the mandatory data breach notification legislation is too high, or that the weighing exercise the affected organisation has to go through often permits a decision not to notify.
What is clear is that the Report on data breach notifications bears little resemblance to reality.
As flawed as this document is it does make some interesting findings:
- 65% of data breaches affect 100 people or fewer.
- While most data breaches were caused by malicious attacks (289 incidents), 30%, or 134, were due to human error.
- Ransomware made up 24% of the incidents, with 30% being phishing. Brute force attacks only accounted for 5% of incidents and hacking only 9%.
- Contact information remains the most common type of personal information involved in data breaches.
- The main industry affected, by a significant margin, is the health sector, followed by finance, then legal, accounting and management services, and then, in equal fifth position, the Australian Government and insurance.
- For human error, sending personal information to the wrong address was the most common means of breaching; however, unauthorised disclosure, while less prevalent, affected by far the most individuals, some 523,998.
The Commissioner’s reports have evolved into a very detailed analysis, which is a useful insight. The flaw is that it is not even close to a reflection of what is happening in the community.