CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.

 

1
ICO issues record £20 million fine to British Airways
2
First reported death connected to misfired ransomware attack on German hospital
3
Assessing the security of your cloud solutions
4
No news is good news…not always!
5
From voluntary action and collaboration to legislation and classified capabilities: Australia’s Cyber Security Strategy 2020 released
6
Cyber Criminals “King of the (Data Breach) Jungle”: 61% of all Data Breaches caused by Malicious or Criminal Attacks, according to OAIC Report
7
Can It Get Any Worse? Travel Giant CWT pays $4.5 Million USD ransom to Hackers who Stole Corporate Files and Knocked 30,000 Computers Offline
8
Trust but verify: Independent report on Australia’s “anti-encryption” legislation released
9
Update: Australia’s 2020 Cyber Security Strategy
10
OAIC and UK ICO announce joint investigation into Clearview AI

ICO issues record £20 million fine to British Airways

By Cameron Abbott and Rebecca Gill

The UK Information Commissioner’s Office (ICO) has fined British Airways £20 million, the ICO’s largest fine to date, for failing to protect the personal and financial details of more than 400,000 of its customers.

In a statement published online on 16 October 2020, the ICO stated that its investigation had found that British Airways was “processing a significant amount of personal data without adequate security measures in place”. This failure is said to have breached data protection laws and, subsequently, the airline was the subject of a cyberattack in 2018, which was not detected for more than two months.

Read More

First reported death connected to misfired ransomware attack on German hospital

By Cameron Abbott and Keely O’Dowd

News reports have surfaced that a woman in Germany has died due to a delay in receiving medical care. What is most concerning about this death is the circumstances in which the woman tragically passed away.

According to reports, the woman needed urgent medical treatment and the hospital she presented to, Duesseldorf University Hospital, was unable to admit her as it was dealing with a ransomware attack.

The hackers exploited a vulnerability in a widely used commercial add-on software. This attack caused a failure in the hospital’s IT systems resulting in it being unable to access data and diverting emergency patients elsewhere. The woman was redirected to a hospital approximately 30km away from Duesseldorf University Hospital, which led to a delay in the woman receiving treatment. Unfortunately the delay proved fatal and the women passed away before she could be treated.

Read More

Assessing the security of your cloud solutions

By Cameron Abbott and Keely O’Dowd

The adoption of cloud based solutions offer many advantages to businesses, such as cost savings, efficiencies and flexibility. Cloud based solutions can also improve data security as cloud providers will be tasked with monitoring the security of their solutions, updating software and improving security features as required.    

However, adopting a cloud based solution will not automatically reduce an organisation’s exposure to cyber risks. Care must be taken before procuring a cloud based solution and any solution must be properly assessed from a security perspective.  

Read More

No news is good news…not always!

By Cameron Abbott, Michelle Aggromito and Max Evans

The Commonwealth Government is proposing to introduce a controversial new mandatory code that intends to regulate digital platforms and their distribution of news content.

Read More

From voluntary action and collaboration to legislation and classified capabilities: Australia’s Cyber Security Strategy 2020 released

By Cameron Abbott, Keely O’Dowd and Rebecca Gill

In July this year, we blogged about the Australian Government’s plan to release Australia’s Cyber Security Strategy (Strategy). On 6 August 2020, the Strategy was released after consultation with the public and industry actors.

The Strategy will invest $1.67 billion over the next 10 years – the largest ever financial commitment to cyber security – to create a more secure online world for Australians, our businesses and the essential services which we depend upon. This will be achieved through the following:

Read More

Cyber Criminals “King of the (Data Breach) Jungle”: 61% of all Data Breaches caused by Malicious or Criminal Attacks, according to OAIC Report

By Cameron Abbott, Keely O’Dowd and Max Evans

The Office of the Australian Information Commissioner (OAIC) has released its report on notifications received under the Notifiable Data Breaches scheme for period January to June 2020.

The OAIC reported 518 breaches were notified to it in the relevant period. The OAIC noted a 3% decrease from the 532 breaches notified in the period July 2019 to December 2019. However, there was a 16% increase on the 447 notifications received during January to June 2019.

Read More

Can It Get Any Worse? Travel Giant CWT pays $4.5 Million USD ransom to Hackers who Stole Corporate Files and Knocked 30,000 Computers Offline

By Cameron Abbott and Max Evans

In these unprecedented times, where travel around the globe is primarily halted as nations get to grips with controlling the outbreak of COVID-19, many would think it couldn’t get any worse for travel companies. However, they would be wrong, as according to an article from ITNews, American travel management giant CWT has reportedly paid a whopping 414 bitcoin, equivalent to a value of 4.5 Million USD (approximately 6.3 Million AUD), to hackers who successfully exfiltrated over 2 terabytes of sensitive corporate files.

According to the Article, the successful hackers used a strain of ransomware referred to as “Ragnar Locker” which places computer files into a virtual prison through encryption and renders them unusable until the victim pays for the keys. Then in CWT had to negotiate in a public chat forum to pay for the release.  It gives us a rare insight into the dialogue that followed. CWT negotiated the hackers down from their initial demand of 10 Million USD. According to the Report, whilst the hackers claimed to have stolen over 2 terabytes of files including financial reports, security documents and employees’ personal data, it was not clear whether any customer data was compromised.

Read More

Trust but verify: Independent report on Australia’s “anti-encryption” legislation released

By Cameron Abbott and Rebecca Gill

The ability of a government to force a technology provider to create a “back door” into their technology to allow security agencies to “listen in” to communications is a very controversial step, but it has not been the subject of much discussion as any recipient of such intervention is gagged. 

It was interesting to see that the Independent National Security Legislation Monitor has released a report on its review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLA Act). The review considered, and provided recommendations on, the operation, effectiveness and implications of the TOLA Act and whether it is necessary, is proportionate to the threats it seeks to meet and treats human rights properly.

Read More

Update: Australia’s 2020 Cyber Security Strategy

By Cameron Abbott and Keely O’Dowd

The Australian Government is currently developing its next Cyber Security Strategy, which is scheduled for release in the coming months.

The Australian Government 2020 Cyber Security Strategy Industry Advisory Panel has released a report consisting of 60 recommendations to inform the 2020 Cyber Security Strategy. The Panel’s 60 recommendations are structured around five key pillars:

Read More

OAIC and UK ICO announce joint investigation into Clearview AI

By Cameron Abbott, Warwick Andersen, Rob Pulham and Keely O’Dowd

On 9 July 2020, the Office of the Australian Information Commissioner (OAIC) and the UK Information Commissioner’s Office (ICO) announced they have opened a joint investigation into the personal information handling practices of Clearview AI Inc.

The OAIC has stated the investigation will focus on ClearView AI’s use of “scraped” data and biometrics of individuals.

Read More

Copyright © 2019, K&L Gates LLP. All Rights Reserved.