A recent late announcement of a data breach by Australian Clinical Labs will not be the last. The latest is the Australian Defence Department caught up in a ransomware attack. Expect more announcements before Australian privacy laws are amended
November 1, 2022
The ABC, in “Australian Clinical Labs accused of ‘sitting on’ hack that saw patient data posted to the dark web”, reports on Australian Clinical Labs having been hit by a data breach in February but only advising patients five months later. This is not an isolated event. Bleeping Computer, in “See Tickets discloses 2.5 years-long credit card theft breach”, reports that hackers had accessed customers’ payment card details via a skimmer on its website. The breach was detected in April 2021, but the malicious code was only fully removed on 8 January 2022. After further analysis, See Tickets finally concluded on 12 September 2022 that the hackers had accessed customer credit information, including full names. An internal investigation determined that the initial breach occurred on 25 June 2019. In total, an exposure of 2.5 years. It is not uncommon with sophisticated attacks that it takes considerable time to detect an intruder, particularly if a company does not have software designed to monitor unusual activity within a site. But 2.5 years indicates a woeful level of cyber security.
The latest significant data breach has been a ransomware attack on the Department of Defence, specifically a communications platform used by the military. Hackers accessed the ForceNet service, which is operated by an external information provider. It is reported in “Australian Defence Department caught up in ransomware attack”. Given the function of the platform, communications between current and former Australian defence members have been compromised. The dataset extends back to 2018. It will be interesting to determine whether data was retained long after it should have been deleted. That is a constant problem in Australian data management. I am not surprised the hackers targeted an ICT contractor. Third party providers are often the weak link for organisations. They are commonly less rigorous in their deployment of cyber security programs and practices. They are often lax in their connections with organisations, keeping portals open and having easily accessed authorisations. That is the responsibility of the organisation. If an organisation contracts out a service, it does so as much because it is cheaper as because of the expertise of the third party provider. That all too often means the provider spends less on data security, both in software and in the all-important training.
As many as 40,000 records could be at risk in the Defence Department ransomware attack.
The ABC article provides:
The Department of Defence fears the personal data of personnel, such as dates of birth, may have been compromised after a communications platform used by the military was hit by a ransomware attack.
Hackers have targeted the ForceNet service, which is run by an external information and communications technology (ICT) provider, with the company initially telling Defence no data of current or former personnel appeared to have been compromised.
However, a source with knowledge of the investigation said Defence believed some private details such as dates of birth and dates of enlisting may have been stolen, despite early indications to the contrary from the external provider.
In a message to all staff, the defence secretary and defence chief said the matter was being taken “very seriously”.
There has been a spate of cyber attacks in recent weeks, from telecommunication companies to health insurers.
Medibank last week confirmed a criminal entity behind the cyber attack on the company had access to the data of at least 4 million customers, some of which included health claims.
A month earlier, Optus announced a cyber attack had exposed the data of almost 10 million Australians, with significant amounts of data stolen from 2.8 million people.
Minister for Defence Personnel Matt Keogh said ForceNet held up to 40,000 records.
“I think all Australians, and rightly the Australian government, is quite concerned about this sort of cyber activity that’s occurring, people seeking through nefarious means to get access to others’ personal data,” he said.
In their email to staff, the Defence bosses were adamant the hack of ForceNet was not an attack on the department’s IT systems.
“We are taking this matter very seriously and working with the provider to determine the extent of the attack and if the data of current and former APS [Australian public service] staff and ADF personnel has been impacted,” they wrote.
“If you had a ForceNet account in 2018, we urge you to be vigilant but not alarmed.
“Initial discussions with the service provider indicate there is no evidence that the data of current and former APS staff and ADF personnel has been compromised.
“We are nevertheless examining the contents of the 2018 ForceNet dataset and what personal information it contains.
The note to staff warned that Defence expected the frequency, intensity and sophistication of hacks to grow with time. It reminded staff they were not immune from attacks.
Assistant Minister for Defence Matt Thistlethwaite said the attack was being taken “very seriously”, with the ADF in the process of contacting members.
“They’re suggesting considering changing passwords and moving to two-factor authentication and the like, but importantly, the aim will be to support ADF personnel,” he said.
“There is no evidence of a dataset being breached at this stage.”
October has been mensis horribilis (a horrible month) for Australian data breaches. Medibank now says that the data of 4 million customers has been accessed by hackers. The Sydney Morning Herald, in yesterday’s piece “There’s a reason you’re hearing about so many hacks”, posits why so many cyber attacks are being reported. The arguments made are correct but incomplete. Yes, the laws are tightening, increasing the need to notify data breaches. But even then the notification requirements relating to critical infrastructure are less stringent than they should be. Another factor is the poor level of regulation. The regulator could have been more assertive.
The Sydney Morning Herald article provides:
Late last month, Marcus Thompson, who was Australia’s first head of information warfare, was musing about the Optus hack at the end of an interview. He wasn’t shocked that such a breach had happened, Thompson said, but he was surprised the public had suddenly started to care.
“If large-scale cyberattacks are still generating surprise within the Australian community, then we’re in more trouble than I thought,” he wrote later.
While it feels like Australian businesses are in the midst of a hacking wave that has seen about 17 million records stolen in a spate that includes breaches on Optus, the particularly pernicious Medibank hack, and several others, this country has been swimming in a perilous ocean for years.
Last year, organisations notified the regulator of 900 data breaches “likely to result in serious harm.” That figure, experts believe, is a fraction of the total attacks because the Privacy Act excludes many organisations such as small businesses and state agencies. Globally, more than 11 billion records have been exposed over the last decade, Bloomberg found, and the severity of hacks is only getting worse.
But there are reasons things feel particularly bad right now.
Previous major hacks have not had the same personal angle. Nine, which owns The Sydney Morning Herald and The Age, was hit with a crippling hack early last year. A property valuation firm, LandMark White, suffered a breach so severe in 2019 that the chief executive and two board members resigned. But those breaches damaged companies, shutting down their systems, rather than directly going after the data of millions of Australians. Given the volume of data exposed in the Optus and Medibank scams, many people will now be worried about what lies ahead, as scammers weaponise the stolen information to launch a torrent of scam calls, texts and emails.
Then there is the media dynamic, with how the companies chose to disclose the breaches to the public becoming just as big a story as how the digital break-ins were carried out. Optus disclosed the breach on the public holiday to mourn the Queen’s death. In a day with little non-royal news around, the story took off, aided by the government’s subsequent fury at the company’s handling of the breach. Its size too, at about 10 million people’s records exposed, was revealed almost immediately. That has not often been the case with past breaches. Once the attacks were in the headlines, the issue was anchored in the minds of editors and readers, and the affected companies had an incentive to speak up to avoid the critical coverage that Optus endured. It is quite possible that the increased media attention has encouraged hackers to set their sights on Australia, which is a country with plenty of firms wealthy enough to pay and a corporate set that some have seen as complacent.
Another factor to consider is legal changes, which have slowly but steadily made it harder for affected companies to stay silent on breaches. In July, laws came into effect requiring 11 critical sectors – such as broadcasting, data processing, freight, hospitals and major food stores – to swiftly report data breaches to the government. The new directives cover a lot more ground compared with the initial four sectors legislated in 2018. That was the same year that organisations were compelled to tell the privacy and information regulator about data breaches.
Before these changes, the odds of a company paying a ransom, which are still high, without telling customers and authorities were even higher. Even with the strengthened laws one company, Australian Clinical Labs’ Medlab pathology business, did not publicly disclose a hack that hit 223,000 people for five months after the government warned the firm that sensitive information from the breach was being sold on the dark web.
This week Attorney-General Mark Dreyfus introduced new laws to Parliament that will give the privacy and information commissioner power to compel companies to go public with data breaches. If those laws pass, then the public will get a better sense of how deep the ocean really is.
The ABC article provides:
Cybersecurity experts are questioning why it took one of Australia’s biggest pathology services five months to tell its patients that data had been stolen and posted to the dark web.
Australian Clinical Labs (ACL) yesterday revealed it was hit by a cyber attack eight months ago, in February, and that since then it had found out the data of 223,000 people had been accessed and some of it posted to the dark web.
The company — which carries out COVID-19 testing among other services — went public to the ASX about the situation just one day after the full extent of the hacking crisis at Medibank was unearthed.
ACL said the breach affected its subsidiary, Medlab, and that the most-concerning breaches included the leaking of medical and health records, credit card numbers and Medicare numbers.
It said it had been notified by relevant authorities as early as March with concerns that it had been the victim of a ransomware incident, and that it had been told by those same relevant authorities in June that some Medlab data had appeared on the deep recesses of the internet.
“They’ve been sitting on this for a very long time,” Richard Buckland from the University of New South Wales told ABC News.
“Even when they found that [data] had been taken, it seems to have been months before they actually told the public who lost all their information, credit card details, and so on.
“It’s most peculiar.”
Medlab describes itself as one of Australia’s largest, privately owned independent pathology practices. Its pathology services include medical testing in New South Wales and Queensland.
As with the Medibank leak, this breach is concerning, not just because of the credit card information but also because of the deeply personal healthcare data that could now be out there publicly.
What was ACL’s obligation to disclose?
The publicly listed company with an annual revenue of almost $1 billion said it first learned of the attack in February but believed no data had been stolen.
“At the time, the external forensic specialists did not find any evidence that information had been compromised,” it said in a statement.
It said it was then contacted by the Australian Cyber Security Centre (ACSC) in March and was told the authority had received intelligence that Medlab might have been the victim of a ransomware incident.
“The company responded to the request for information and confirmed that, to its knowledge, the company did not believe that any data had been compromised,” ACL said in its statement.
ACL said it was then contacted again by the ACSC in June and was told that it believed some Medlab information was on the dark web.
Professor Buckland said the posting of the data to the dark web, which is a hidden part of the internet, would suggest that it had been posted up for sale.
This is dangerous, he said, because it could lead to identity theft or criminals impersonating people to get cash in their name or carry out crimes.
“Every piece of information about you can be combined with other pieces to increase the chance that someone can impersonate you and steal your identity,” he said.
“And, in this case, credit card numbers and CVV numbers allow them to impersonate you and carry out card numbers and transactions. That’s an immediate cost.”
He emphasised that waiting to tell customers meant those people were only now being given the opportunity to change their credit card details or other identifying information.
Professor Buckland said the point where ACL knew information was on the dark web was not the first but the third opportunity where the major company could have told its customers.
“You have a moral duty, an ethical duty as a company, especially one entrusted with medical records and looking after our health.”
In its statement on Thursday, ACL said it had been analysing the data downloaded from the dark web to figure out who it belonged to so it could tell them.
“ACL took immediate steps to find and download this highly complex and unstructured data-set from the dark web and made efforts to permanently remove it,” the company said in a statement.
“This highly detailed and lengthy process took a large team of external data-analysis experts several months to complete, and was necessary to ensure that we did not cause undue alarm and concern for Medlab customers.
“This is why we haven’t been able to notify involved individuals until now.”
The company was contacted by ABC News about the allegation that it sat on the data breach, which it denied.
What was ACL’s legal obligation to disclose?
Under the Privacy Act, companies with a turnover of more than $3 million — and, specifically, healthcare companies including pathology labs — need to tell the Office of the Australian Information Commissioner (OAIC) about a data breach that is “likely to cause serious harm”.
The OAIC confirmed to ABC News that ACL’s subsidiary Medlab fits that definition, and the company’s website also notes that it is required to comply with the Privacy Act.
ACL confirmed to ABC News that it had notified the OAIC of the data breach in early July. That is, shortly after it was told data was on the dark web.
“The OAIC has ongoing preliminary inquiries with Medlab to ensure compliance with the requirements of the Notifiable Data Breaches (NDB) scheme,” the OAIC said in a statement to ABC News.
Another cybersecurity expert, UNSW’s Professor Lyria Bennett Moses, told ABC News that the issue with the Privacy Act was that, as it stands, it did not specify what exactly constituted a leak that would cause “serious harm”.
“Harm from disclosure of information can often be deeply personal to both individuals and result from factors specific to those individuals, about which the organisation generally won’t know,” she said.
Professor Bennett Moses gave one example of a victim of family violence who was living at a location unknown to their abuser for safety reasons.
“The release of that person’s address is likely to result in serious harm in a way that the organisation wouldn’t necessarily conclude by itself,” Professor Bennett Moses said.
“It’s the organisation that makes the assessment about serious harm, but they’re not really in the best position to do so.”
Professor Bennett Moses said clarifying the act’s meaning of serious harm was one area that should be addressed.
“I would almost like the framing of it reversed,” she said, adding that this would mean companies had to prove that no harm had been done to not report.
On Thursday, Mr Dreyfus also introduced a bill to parliament to amend parts of the act until the full overhaul is completed, to bump up fines for companies that do not adequately protect data or report breaches, from $2.2 million to $50 million.
“Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset,” Mr Dreyfus said when introducing the bill in parliament.
The higher fines would not be retrospective, he said, so none of the recent headline-making breaches — including Optus, Medibank, or ACL — would be up for heftier fines if these major companies were found to have been non-compliant.
Professor Buckland said that, in his experience, companies often paid ransoms to criminal entities when hacked and did not disclose the breach.
“[The companies] don’t want to talk about it,” he said.
“And the payment of the ransom is, often as not, not only to protect the customers’ data but to protect the reputation and share price of the organisation.
“Rather than protecting and hiding the problems, it’s [better to] bring them out to the sunlight and actually do something about fixing them.”
Professor Buckland said he wanted more-serious penalties at a board and chief executive level for non-compliant companies, better protection requirements for data as well as clarity on how long data can be held, and for governments to better protect collected data too.
“I’d like to see the wording changed from saying when data has to be kept, to changing to prohibiting data from being kept, and requiring people [who] collect data to then delete it [when it’s no longer needed].”
Other cyber experts have told the ABC that steps could include giving the OAIC the power to investigate breaches of privacy law and apply fines.
To apply a penalty, the regulator must apply to the Federal Court. So far, this has occurred only once, when the OAIC launched an action against Facebook over the Cambridge Analytica scandal.
ACL declined an interview; however, in a statement, chief executive Melinda McGrath apologised yesterday “on behalf of Medlab”.
“On behalf of Medlab, we apologise sincerely and deeply regret that this incident occurred,” she said.
“We recognise the concern and inconvenience this incident may cause those who have used Medlab’s services and have taken steps to identify individuals affected.”
ACL said it would start contacting impacted people on Thursday, and Medlab customers should monitor their email and postal mail over the coming weeks.
It has also set up a crisis hotline for people to call once they received confirmation that they had been impacted. That number is 1800 433 980.