Reserve Bank warns that cyber attacks risk financial stability

April 9, 2021

The Reserve Bank of Australia has highlighted cyber attacks as being a challenge for financial institutions. The report stated:

The Australian financial system has remained resilient through a tumultuous year for the economy and financial markets.

After a substantial decline in the first half of 2020, banks’ profitability recovered in the second half and analysts expect it to strengthen further in 2021. This has helped raise banks’ capital positions from already strong levels. Banks have abundant liquidity and funding. Measures of banks’ asset quality have deteriorated a little in recent months as loan repayment deferrals have come to an end and support for households and businesses has tapered. However, banks had increased their provision balances to absorb the impact of future defaults.

Available information also points to other financial institutions being resilient. The financial impacts of the pandemic tested the liquidity management of superannuation funds, but their systems proved effective in navigating this challenge (see ‘Box C: What did 2020 Reveal about Liquidity Challenges Facing Superannuation Funds?’). General insurers remain well capitalised and have increased their provisions for potential business interruption claims arising from the pandemic. However, the life insurance industry has to address longstanding issues that continue to result in losses. Financial market infrastructures have recently experienced some operational disruptions, underscoring the importance of continually assessing and improving their resilience.

There are a number of other longer-term challenges for financial institutions to manage. The risks posed by information technology (IT) malfunctions and malicious cyber attacks are growing and a significant event could threaten financial stability. Another challenge will be to manage the broad range of risks arising from climate change. These do not currently pose a substantial risk to financial stability, but they could over time if climate change risks to Australian financial institutions grow and are left unaddressed. And financial institutions need to continue to maintain a focus on governance and embed a healthy culture to address the misconduct that has become apparent over the past few years.


Financial institutions need to carefully manage technology risks …

Risks to financial institutions’ IT systems – from both malicious attacks and malfunction – require ongoing attention and robust management, both globally (see ‘Chapter 1: The Global Financial Environment’) and domestically. These risks have grown as digital platforms and service channels become more ingrained and more complex and as a result of the increased incidence of remote working arrangements. They have recently been highlighted by a data breach involving a legacy file sharing service run by Accellion, a third-party technology provider, which affected a wide range of entities including ASIC and the Reserve Bank of New Zealand. The operational disruptions experienced by ASX in November (discussed above) also demonstrate the risks associated with technology malfunction. The constantly evolving nature of cyber risks means it is critical that financial institutions regularly update and upgrade their defences. In recognition of this, Australian regulators have a number of initiatives to support financial institutions’ efforts to strengthen cyber resilience (see ‘Chapter 4: Domestic Regulatory Developments’).

Cyber attacks and incidents are most likely to involve manageable financial losses for specific institutions, but they could have systemic implications in certain circumstances. To be systemic, the impact of cyber attacks and incidents would have to affect multiple institutions, either directly or indirectly. This could occur if they affect third-party providers or software used widely across the financial system. Similarly, if such an incident affected critical nodes, such as an FMI (including payment systems or CCPs) for a prolonged period it could directly impact the ability of firms and households to engage in economic activity and manage risk. The integrity of data is particularly important since it dictates the ability of banks to disburse funds or collect on monies due and, in the extreme, if violated it could raise questions about the institution’s solvency. More generally, any data breaches that cause consumers and creditors to lose confidence in the security of the financial system could see banks face liquidity challenges.

(Emphasis added)

What the RBA is saying is of course true.  It has been said before.  What is lacking is Read the rest of this entry »

Facebook suffers significant data breach all the while the Government proposes to require people to provide more personal information to it

April 7, 2021

Facebook, hardly the paragon of virtue, has had a data breach involving more than 500 million people. The latest firm estimate is it involved 533 million.  The data published on line includes names, phone numbers, email addresses, account IDs and biographies.  According to the Record the information leaked included phone numbers which are not public for most profiles.  Plenty of material to doing a bit of identity theft. 

The leak involved an attacker using a vulnerability in the Facebook contacts importer features.  The attackers were able to link random phone numbers to specific users.  As is commonly the case these days the attacker remained and collected data until Facebook detected the process and cut of access. The attack occurred 2 years ago, though Read the rest of this entry »

New South Wales parliamentary committee recommends overhaul of Government cyber security strategy..Another report

April 1, 2021

It has been an ordinary 12 months for New South Wales in the data protection world.  Services NSW suffered a massive data breach in April, which was first reported in May 2020, with 180,000 customer’s personal information exposed. The breach was affected through a phishing attack on 47 emails of Services NSW.  Being a secretive government department, as most Australian departments are, it resisted providing information about the breach, even resisting a Freedom of Information request in July. There is nothing much unusual about that.  Regrettable, but not unusual.

The public affected only started to be notified in September 2020 which is seriously odd.  Why wait 4 months? It is still to notify 18,500 customers affected by the breach, almost a year after the breach was detected.  It can be difficult to locate people particularly those who live a transient lifestyle or have mental health issues but 18,500 is still a large number of people and it has been almost a year.  That bespeaks a poor response plan and a lack of resources being put into the task.  The cost of this data breach is reportedly $30 million.

Meanwhile in March the hacking group Clop  put up stolen data taken from the NSW transport department on the dark web and Read the rest of this entry »

How do you improve data security in Australia? Have an iconic media organisation hit with a cyber attack. Except that is probably not going to happen. Lots of talking and little action

March 31, 2021

On day 4 after the attack on Nine the media is still churning out bromides of advice together with dark warnings of things to come.  Because all of this was unknown until now! Yeah right. That involves running around looking for a talking head to give a standard form warning.  And the Australan does just that with Cyber attacks: banks, super ‘only a matter of time’, warns APRA.  It is a better than average Henny Penny piece with the end is nigh being a strong theme.  Good dramatic reading but not all that rewarding journalism.  What is not done, and journalists should be doing, is looking at the state of regulation, inadequate, the effectiveness of the regulator, lacking and what needs to be done, a long list that has been repeated with montonous regularity in Law Reform Commission reports, an ACCC report and by commentators such as myself for years.  Meanwhile at the Age, a Nine publication, there is a “Feel our Pain” piece titled How the Nine cyber attack is affecting The Age and a quasi investigative piece as to the source of the attack with Is a nation state or disruptive criminals behind the Nine cyber attack? And the Age editorial Cyber attack on Nine sends a broader warning is a waffly piece about cyber attacks and then proceeds to do an analysis of “..the deeper threats they pose.”  As if this hasn’t been a significant problem for years.  And typical of many Australian organisations refers to the Government response, in the form of the Cyber Security Strategy and cash for security agencies. Yes that is important but ultimately the key is that organisations must have adequate protections, strategies in place.  The most relevant sentence is the last, “All businesses …should assume that their systems may someday be targeted for attack and make sure they have the proper protective measures and training in place.”  And that is where Nine is coy.  It is unlikely that the hackers would have successful placed malware into Nine’s systems without there being a failure in Nine’s cybersecurity; a failure to patch, a successful phishing or spear fishing attack or access via a trusted secondary supplier which had access privileges.  Put simply, Nine was successfully attacked because of its negligence in one way or another. It should be candid and explain what happened in detail so others can learn.  That is common practice overseas. It is also a fair bet that Nine did not have a comprehensible Date Breach Response Plan.  Not uncommon but still unforgiveable.  So the response, no doubt heroic, was a cobbled together hot mess of on the fly responses.  Nine has probably been poorly served by its Board of Directors in not putting enough effort and money into its cyber security defences and strategies, its managers in not having a Data Breach Response Plan (which has been wargamed on a regular basis to see how well it operates) and its lawyers in not having a review of its compliance with APP 11 of the Privacy Act 1988, which requires organisations to maintain proper data security (not just of the cyber variety).  My sympathy for Nine is very limited.  Outside of a few industries, too many organisations regard privacy as an afterthought and the legal obligations in protecting personal information as a secondary matter.

The editorial provides:

For the employees of The Age and the wider Nine Entertainment group, the cyber attack that began in the early hours of Sunday morning has been disruptive and challenging. The attack targeted Nine’s corporate network, but has affected Channel Nine in Sydney and mastheads including The Age. We have managed to improvise solutions using back-up technology at every turn but, as such attacks on companies and online platforms become more frequent, it is important to look beyond the drama they cause to grasp the deeper threats they pose.

In June last year Prime Minister Scott Morrison held an impromptu press conference in Parliament House’s Blue Room to warn that “Australian organisations across a range of sectors” were being targeted by “a sophisticated state-based cyber actor”. The vagueness of that warning is understandable given it is often difficult to definitively prove who is behind such attacks. But while his words resonated in the corporate world, the careful language diluted the strength of his intended message for the wider community.

Part of the problem is that these attacks come from a world of shadows – of encryption, false identities and espionage trade craft. At this stage neither the identity nor the motive of Nine’s attacker can be known for certain, though there has been unconfirmed speculation that a foreign regime is indicating its displeasure with Nine’s coverage of its actions. It’s welcome that the Australian Federal Police is now engaged in trying to answer these questions.

To some it might seem fanciful that an Australian media company would be singled out in this way by a major world power such as Russia or China, or a pariah dictatorship such as North Korea. It is not known whether these countries were involved, and no demands for a ransom have been made. But it is precisely on such powers’ peripheries, where their control of information is weakest, that they may resort to outlandish and visible measures. Countries such as Ukraine and Estonia have long known what it is like for every part of their online infrastructure to come under sustained attack. Estonia’s response was to set up a digital vault in Luxembourg so the country could “reboot” if its systems failed.

After sounding the alarm in June, the Morrison government updated its Cyber Security Strategy in August, having pledged $1.35 billion to security agencies to tackle cyber threats and $35 million for a platform allowing government and industry to share intelligence and block emerging threats. But despite reports that there might soon be a cabinet minister for cyber security, a December reshuffle left then home affairs minister Peter Dutton with the portfolio in his sprawling department. Presumably that arrangement will continue under the new minister, Karen Andrews.

There are lessons for the government and the private sector in Nine’s experiences this week. For the government, it is perhaps time to sharpen its narrative around cyber security and appoint a dedicated official. Treasurer Josh Frydenberg is right when he says the threat is “more pervasive than people think” and it is “not going away”.

These attacks are not new. But for companies, universities and other organisations around Australia, Nine’s experience is another warning about the power that state and non-state actors increasingly have to interfere in all our affairs. All businesses from winemakers to film festivals should assume that their systems may someday be targeted for attack and make sure they have the proper protective measures and training in place.

Rather than having garment rentng jeremiads about the state of the world and why people are being mean to the media publications like the Age should engage in more serious coverage.  Stories along those lines would go to the state of the nation’ cybersecurity and discover that organisations do little to protect themselves because the perceived risk is small and the consequences of not complying with inadequate legislation are minimal.  Perhaps a start would be to review an article such as the US article In wake of giant software hacks, application security tactics due for an overhaul.  This piece descends into some detail at least.

Part of any proper investigation would look at the ineffectiveness of the Australian Information Commissioner’s office, a governmental backwater if there ever was one.  Businesses and agencies don’t comply with the law because they know the cop on the beat is in the station house asleep at his desk. When ASIC falls down in its regulatory duties it is called to account.  The Australian Information Commission doesn’t even engage with its obligations and receives no scrutiny.  It has polished its image to a fine sheen and that has gulled the media.  No one every said the Privacy Commissioners and then Information Commissioners weren’t nice.  They were and are.  Its just that they have been not much good.

Unfortunately in terms of data protection and enforcement Australia is the land of the lotus eaters.  Nothing much has Read the rest of this entry »

Channel Nine cyber attack is a watershed moment…supposedly..or at least that is what the scribes say

March 30, 2021

It is quite the month where things “have to change” according to the modern day seers, journalists of our national dailies. I will confine my observation to the cyber attack on Nine last weekend. It has spurred a flurry of reporting fizzing with excited commentary on this Ransomware thing that causes such chaos as knocking live Sunday morning programming out of the park. We are now into day 3 of the media’s voyage of discovery that behind the headline and bland unimaginative by the numbers reporting cyber attacks are serious and can do real damage. Damage like in the analog world if a semi trailer drove through the front gate of Nine’s headquarters and onto the main studio and then blew up. So now Nine has been attacked it embarks upon a serious analysis of what happened and why with Why was Nine hacked and how do cyber attacks actually work?  And the Australian runs a piece Nine hack a ‘wake up call’ because, I guess, the threat wasn’t known before. I mean, Really!  And being the serious media types as they are the ABC gives a quick tutorial on the ups and downs of cyber attack (The sort of thing I have been doing for a decade) as if it were a first year undergrad reading from newly acquired lecture notes.  It is all rather confected outrage.  The problem has been well known for a very long time, digitally speaking, and the players Read the rest of this entry »

The cost of the Nine cyber attack could top $1million

March 29, 2021

For the proverbial 15 minutes cyber attacks are now the focus of Australian media in light of the cyber attack that laid low Channel Nine in Sydney on Sunday.  Perhaps a slight exaggeration.  But data security issues are dealt with quite superficially in the main.

The Australian reports that the Nine cyber attack could cost $1million in remediation costs.  The cyber attack was a ransomware attack without the ransom.  That is the malicious software encrypted files but the attackers did not demand payment, the ransom, in exchange for the decryption key.

I never cease to be amazed how the reporting of insights from experts on how the data breach may have occurred, the problems with data security and the need to improve has such a breathless quality.  It is as if it has been discovered for the first time.  I have been posting on this and other cyber security and privacy issues for more than a decade.

But now cyber security is a hot topic the Australian reports on another cyber attack, this time on Taylor wines.  As usual Read the rest of this entry »

The danger of cyber attack and need for proper cyber security highlighted by the attack on Nine which crippled its Sydney operation

March 28, 2021

The Australian magazine had a big piece on cyber security titled Why the world is under cyber-attack.  It touches all the bases, malicious attacks are on the rise, they are growing in sophistication, they are attacking infrastructure, ransomware is on the rise and governments are becoming ever bigger players.  Not too much new though it is quite an involved piece with a dystopian bent.

The unfortunate thing about pieces like this is that it does not seem to move governments to properly regulate through adequate legislation and then ensure the agency or whatever other body is charged with regulation actively regulates.  That is happening on a more adequate level in Europe and even in the United Kingdom.  In the United States the regulation is patchy.  In Australia it is lamentable.  The Privacy Act is replete with carve outs and over broad exemptions.  The Information Commissioner is congenitally timid and ineffective.  Which bodes badly for the state of cyber protection for Australian busineses.  And on that note it is relevant to see the Australian reports that Nine Network’s Sydney office has been hit by a cyber attack which Read the rest of this entry »

Assistant Defence Minister sounds alarm on cyber attacks

March 25, 2021

In today’s Australian Andrew Hastie, Assistant Defence Minister, has taken up the call in an Australian article, Cyber war puts business at risk of costly attack, that Australian businesses are at risk of being the subject of a cyber attack.  The context of this call is the continuing exploitation of  Microsoft Exchange zero day vulnerabilities that is causing real problems for businesses worldwide and leading to some spectacular ransomware attacks. The article is Read the rest of this entry »

Ransomware gangs targeting businesses which hold cyber insurance policies

March 23, 2021

I recently gave a presentation on data breaches where I highlighted as a trend the matuation of ransomeware strategies and attacks.  This is point raised in the Cyber Security Industry Advisory Committee report, I posted on recently, titled Locked Out: Tackling Australia’s ransomware threat. Hackers are known to target businesses with cyber insurance and make demands in line with the coverage of the policy. That presupposes knowledge of policy details, acquired from the target businesses or the insurer or its brokers.  

In a wide ranging, techy speak and a little shambolic interview on The Record  an anonymous member of  REvil, a hacking group,  confirms that businesses with cyber insurance are Read the rest of this entry »

Minister for Home Affairs releases ransomware paper by Cyber Security Industry Advisory Committee

March 22, 2021

When in doubt set up a committee.  Beyond meeting a committee should prepare a paper.  The Cyber Security Industry Advisory Committee is no different.  The Minister for Home Affairs announced the establishment of the Committee on 20 October 2020. Its specific role is to help guide the introduction of Australia’s Cyber Security Strategy 2020 which was announced on 6 August 2020.

The Committee has prepared a paper on Ransomware, Locked Out: Tackling Australia’s ransomware threat which was released by the the Minister for Home Affairs, Peter Dutton MP on 10 March 2021.

Even though Ransomware has been a favoured weapon by cyber criminals for some time the problem is now chronic.  As an example only, yesterday the BBC reported in Russian pleads guilty to Tesla ransomware plot where a Russian offered a Tesla employee a million dollars to infect the company with ransomware.

The report is Read the rest of this entry »