CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.


Tourists aren’t the only thing visiting London’s hotspots
Thailand joins the party of legislated Data Protection
IoT (internet of things) legislation makes an appearance in the U.S. Senate
Ransomware attack hits the state of Georgia
Un-“tapped” Potential: Gen Z and transactions
Ratings agency starting to factor in Cyber risk profile
Cyber attacks becoming commonplace: Different industries, similar methods
Major political parties join the Federal Parliament in the February data breach


By Cameron Abbott, Rob Pulham and Rebecca Gill

Telstra’s 2019 Security Report has found that the majority of respondents who have been victims of ransomware attacks have paid the attackers to unlock their files. Many of these respondents successfully retrieved their data after paying the ransom.

Of the 320 Australian respondents, 51 per cent said that they had paid ransomware attackers to regain access to encrypted files. Further, the Report found that 77 per cent of Australian businesses that had paid a ransom were able to retrieve their data after making the payment. Whilst this was the lowest rate of data retrieval post-payment out of the 13 countries in the survey, 79 per cent of the Australian respondents still said that they would pay the ransom again if they had no back-up files available.

The Report also found that the number of ransomware attacks on Australian businesses was higher than in other developed countries such as the United Kingdom, Germany and France. Thirty-two per cent of the Australian respondents indicated that their business had been interrupted ‘on a weekly or monthly basis’ by ransomware attacks.

This explains why ransomware is such a lucrative business for hackers, though we’d recommend having clear and tested backup and recovery processes, and strong cybersecurity measures, as your best fall-back in the event of a ransomware attack – and to save your cryptocurrency for the next market rise!

A copy of the full Report can be accessed here.


By Cameron Abbott and Rebecca Gill

In light of concerns over how personal data is being used by social media platforms and tech companies, the Commonwealth Government has proposed amendments to the Privacy Act in order to more harshly penalise companies for privacy breaches. The new regime, which aims to update Australia’s privacy laws in line with increased social media use, will see tougher penalties for all entities that are subject to the Privacy Act, not just the headline companies like Google and Facebook.

The Commonwealth Government proposes to increase the penalties for serious or repeated breaches by such entities from $2.1 million to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover – whichever is the greater value.

Further, the Office of the Australian Information Commissioner (OAIC) will be given greater powers to pursue and impose penalties on such entities under these reforms. These include the power to issue infringement notices with penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches.

The OAIC will also employ other methods to address breaches effectively, such as third-party reviews and published notices advising of specific breaches. The OAIC could also direct social media and online platforms to stop using or disclosing an individual’s personal information upon request.

The OAIC has welcomed the proposed changes with open arms. The Commonwealth Government and the OAIC hope that these reforms will result in greater accountability and transparency from social media and online platforms without hindering innovation in the online world.

The Attorney-General, Mr Christian Porter, and the Minister for Communications and the Arts, Mr Mitch Fifield, will draft legislation for consultation in the second half of 2019. These reforms will have a wide impact and organisations should consider making submissions during the consultation period given the harsh penalties that can apply. The flood of privacy breaches makes these reforms a significant risk to all corporates.

Tourists aren’t the only thing visiting London’s hotspots

By Cameron Abbott and Ella Richards

Over 100 million cyber-attacks have hit London’s top tourist attractions over the past few years, signalling that hackers are turning their attention to the treasure trove of customers’ personal data and the related opportunities for ransomware attacks.

Kew Gardens experienced an incredible 86 million attacks during 2018 and has seen a 438% increase in attacks year-on-year. Personal and financial details of over 100,000 of its members and over 800 staff are highly sought after, with 82 million spyware attempts and 1.6 million information-stealing attempts last financial year alone. Although Kew Gardens have performed admirably in mitigating the attacks, a major server breach in 2017-2018 and an incident involving a compromised email address managed to slip through.

Imperial War Museum was the next highest target, with over 10 million cyber security incidents spread over three years and eight successful ransomware attacks within that time. The Natural History Museum tallied 875,414 cyber-attacks over three years, of which 26,610 were considered ‘unmitigated’ threats.

Lastly, Tate Gallery (which oversees the Tate Modern and Tate Britain galleries) was subject to 494,709 attacks last year alone; however, only four attacks featuring malware and phishing software were successful.

These attacks demonstrate hackers’ increasing focus on personal and financial data, which tourist hotspots and museums collect in enormous volumes on a daily basis. Sheila Flavell (COO of FDM Group) points out that in the wake of these incidents, the UK needs to increase its level of cyber expertise by attracting more people into the tech industry. We agree there are not going to be many unemployed cybersecurity consultants with this sort of scale of activity!

Thailand joins the party of legislated Data Protection

By Cameron Abbott and Ella Richards

Following tireless attempts spanning over two decades, Thailand has finally approved the Thailand Personal Data Protection Act (“PDPA”), subject to royal endorsement and publication in the Government Gazette. Previously, the only right pertaining to personal privacy was located in the Thai Constitution, and while certain business sectors (such as telecommunications, healthcare and banking) had some protection, there was an absence of a singular consolidated data protection regime.

You may notice the broad similarity between the PDPA and the European Union’s GDPR; but don’t get too excited. Although various concepts have been drawn from the GDPR, the PDPA has been written with consideration of Thai perspectives, and therefore careful examination of the compliance requirements of both regimes will be necessary.

Once the PDPA is published in the Government Gazette, Thailand will allow a transition period for businesses to adapt their practices (as the PDPA will apply to most entities onshore and offshore).

So, what can we do to prepare for the PDPA now?

Any company collecting data from residents of Thailand should ensure they’re in compliance before the PDPA comes into effect. Penalties for non-compliance will be severe, so an evaluation of business procedures will be necessary to determine if additional measures need to be adopted.

IoT (internet of things) legislation makes an appearance in the U.S. Senate

By Cameron Abbott and Ella Richards

For those who are not familiar with the acronym, IoT or ‘Internet of things’ refers to the interconnection of network devices and everyday objects for increased control and ease of use.

The US Government has been steadily increasing the number of IoT devices used in day-to-day business. In response to mounting concerns surrounding this, a bipartisan group in the Senate revealed a piece of legislation that will govern the use of IoT devices in the government context.

As we have blogged previously, the implementation of IoT brings with it an array of potential security issues and vulnerabilities. If hackers are able to access one device, there’s the possibility for them to manipulate others connected on the same network. This could result in national security risks, citizen information breaches or high-scale ransom attacks.

Under the bill, the National Institute of Standards and Technology (NIST) will give recommendations to the federal government, including minimum security requirements and how the government should approach potential cybersecurity issues. These policies and recommendations would be revisited every five years to keep them fresh and responsive to ever-changing cyber threats.

The potential that such standards would provide more industry-wide guidance is to be encouraged, as several years into the growth of IoT there remains huge variability in security. The internet of things is generally less of a focus than most people’s computers, but the impact and ability to propagate is arguably greater.

Ransomware attack hits the state of Georgia

By Cameron Abbott and Ella Richards

Jackson County in Georgia has been held to ransom after cyber-attackers deployed ransomware that crippled the government’s IT network for two weeks. Government officials resorted to coughing up $400,000 in bitcoin to pay the ransom, desperately trying to get out of the offline ‘pen and paper’ situation the attack had left them in. The suspected ransomware, ‘Ryuk’, caught the eye of the authorities at the end of 2018 after it started affecting the printing presses of Tribune Publishing. Due to the highly problematic decryption tool that is provided once the ransom is paid, Ryuk has the frightening capacity to destroy businesses which cannot survive downtime or do not have restorable backups.

Read further about the incident here.

Un-“tapped” Potential: Gen Z and transactions

By Cameron Abbott and Sara Zokaei Fard

Gen Z, those born between 1995 and 2005, are pushing innovation in the payment and transaction space with higher expectations of mobile experiences. Gone are the days when a credit card was swiped or a bank transfer was used; transacting with an iPhone using Apple Pay, or using PayPal, is now taking the forefront.

American Express has released data showing that 68% of Gen Z’ers say they want instant person-to-person payments! This instantaneous requirement is also reflected in Gen Z’s use of membership programs. Membership cards are a thing of the past with digital rewards programs via apps now replacing cards.

The data also explores what factors would stop Gen Z from using a product or service, in contrast to Gen Y. Interestingly, poor responsiveness on social media would stop 9% of Gen Y but more than double that figure, 21%, of Gen Z. Even more stunningly, four out of five Gen Z’ers are comfortable openly conceding that they allow social media to influence their purchasing decisions!

The mobile phone is the ubiquitous device of this generation; try to drive their behaviour with yesterday’s technology and paradigms at your peril!

Ratings agency starting to factor in Cyber risk profile

By Cameron Abbott and Wendy Mansell

A recent report released by Moody’s Investors Service has shed some light on which business sectors are most at risk of cyberattacks.

After assessing 35 broad sectors, it was concluded that banks, hospitals, security firms and market infrastructure providers face the highest risk. This was based on levels of vulnerability and the potential impact an attack would have.

The key determinative factor for these sectors is that they all rely strongly on technology and on confidential information playing a vital role in their operations.

The financial repercussions following a cyberattack in each of these sectors are extremely significant when considering the costs of insurance, penalties, consumer impact, potential litigation costs, R&D and technological impact, to name a few.

The financial market is so high risk because of the financial and commercial data it holds and because its services are increasingly offered digitally, across multiple platforms, e.g. mobile banking and smart watch apps.

On a similar note, because medical records are primarily collected and held in electronic form, hospitals are very attractive to hackers given the sensitive nature of the data.

While the industries should not be a shock to the reader, it is important for participants in those industries, and for suppliers to those participants, to realise the risk profile that attaches to them and to have procedures in place reflective of those risk levels. How one manages these risks is now likely to have indirect cost implications when you see ratings agencies like Moody’s assessing these sorts of areas.

Cyber attacks becoming commonplace: Different industries, similar methods

By Cameron Abbott and Ella Richards

Popular car manufacturer Toyota has been hit by a malicious attack rendering their employees completely unable to access their emails. It is unclear whether any customer or employee data has been accessed, and Toyota is going to extensive efforts to discover the origin of the attack.

Staff who are powering on despite their access restrictions have been told to use face-to-face, phone and text communication until the emailing system is back online. Can you imagine!

Although the central server system is inaccessible, dealerships are continuing to operate normally, apart from being unable to provide customers with the date they’ll receive their exciting new car.

Additionally, Melbourne Heart Group was subject to a cyber attack which completely locked them out of their filing system. 15,000 files were scrambled and held for ransom after a cyber crime syndicate hacked into their server, blocked all access to files and demanded a cryptocurrency payment be made.

Melbourne Heart Group is based at Cabrini Hospital in Malvern, but the separation of their systems ensured that no Cabrini operations were affected. Even though a payment was made to decrypt their servers, information including patient details and sensitive medical records is yet to be recovered.

Payment in these situations is always troubling: dealing with faceless individuals and having to trade in cryptocurrencies in order to chart a course to the fastest resolution.

Major political parties join the Federal Parliament in the February data breach

By Cameron Abbott and Ella Richards

Following an unprecedented surge in cyber attacks against Australian businesses, an attack on Australia’s political infrastructure was imminent. New information reveals that the cyber attack against the Federal Parliament earlier this year was accompanied by yet another directed towards the Liberal, Labor and National parties.

While the malicious culprit started poking around last November, the full-throttle attack didn’t come along until three months later. Australia’s political institutions are high value targets for foreign entities, as they’re relatively small organisations with a huge store of voter and community data.

It’s the distinctive sophistication of this ‘state actor’ attack that has furthered overt suspicions of foreign state agent involvement. Technical experts reported that the infiltration was the first of its kind, ringing alarm bells across the Government to strengthen security against foreign espionage and increase cyber capabilities.

Authorities are trying to calm the masses by reporting that no electoral information was taken, but they also have no idea what data was taken, or what the motives were behind it.

Various media publications have wasted no time trying to connect the dots between these incidents. A whopping 78% increase in attacks on Australian businesses, upcoming elections in May and precarious ties with suspected countries fuel their prophecies. This may be the wake-up call needed to ensure the integrity of our electoral system and avoid our very own version of the alleged foreign interference in the 2016 US presidential election.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.