CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.

1. Scary statistics reveal 39,000 reported cybercrime incidents in 2015
2. Malware attacks a Melbourne hospital’s outdated IT system
3. Microsoft cuts support for Internet Explorer 8, 9 and 10
4. Mandatory data breach notification legislation up for discussion
5. APRA raising the bar on Cybersecurity
6. Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy
7. Hotel Industry Payment Systems Under Attack
8. 10 Considerations for Developing a Data Breach Response Plan
9. Operation Resilient Shield
10. Victorian Racing Integrity Commissioner Seeks Access to Metadata

Scary statistics reveal 39,000 reported cybercrime incidents in 2015

By Cameron Abbott and Meg Aitken

Following its launch in November 2014, the Australian Cyber Online Reporting Network (ACORN) has revealed it fielded 39,000 reports of cybercrime from individuals and organisations in 2015. Fraud was the most commonly reported cybercrime, with 19,232 reports being made to ACORN last year.

Prominent data analytics group and credit bureau Veda revealed similarly worrying statistics in its Veda 2015 Cybercrime and Fraud Report, noting that in 2015, 1 in 4 Australians reported having been a victim of identity theft at some stage, up 7% from 2014. The report also suggests that Australians are becoming increasingly concerned about the risk of cybercrime and identity theft.

Veda has projected that 2016 will see even greater numbers of cybercrime attacks on individuals, firms and government agencies as the ‘Internet of Things’ further develops, reliance on social media grows and a profound amount of personal information and data continues to be collected.

Read the ACORN quarterly statistics reports here.

Malware attacks a Melbourne hospital’s outdated IT system

By Cameron Abbott and Meg Aitken

Don’t say we (and Microsoft) didn’t warn you: a prominent Melbourne hospital’s IT system, which runs on the outdated and unsupported Windows XP operating system, was hacked last week.

Microsoft recently activated the end-of-life phase for Internet Explorer 8, 9 and 10 and encouraged users to transition to supported versions in order to prevent security incidents. The same process was undertaken for Windows XP in 2014; however, the hospital continued to use the platform in some departments.

The pathology department was the primary victim of the attack, and staff were reportedly forced to process blood, tissue and urine samples manually while the electronic system was compromised. Fortunately, highly sensitive patient information is not believed to have been accessed by the hackers.

It has been reported that the hospital is now expediting plans to upgrade its IT systems.

Access the media release here.

Microsoft cuts support for Internet Explorer 8, 9 and 10

By Cameron Abbott and Meg Aitken

Today, Microsoft will initiate the ‘end-of-life’ phase for the company’s older Web browsers, Internet Explorer 8, 9, and 10. Customers using the outdated browsers will be sent an ‘end-of-life upgrade notification’ as technical support and security updates have now ceased.

Microsoft has encouraged the several hundred million users who still run the outdated browsers to upgrade to Internet Explorer 11 or Microsoft Edge, which it says offer better security and improved performance.

While users currently running Internet Explorer 8, 9 and 10 will still be able to use their browsers, Microsoft has warned there is a significant security risk of continuing to run the outdated versions. Without the periodic security updates and routine technical support, the outdated browsers will be vulnerable to cyber-attacks, malware and other security threats.

Australian corporations have an obligation under the Privacy Act 1988 (Cth) to keep the information they hold secure, and should therefore consider the risk that continuing to use unsupported browsers may not be sufficient to meet this requirement.

Access the Microsoft release here.

Mandatory data breach notification legislation up for discussion

By Jim Bulling, Cameron Abbott, Michelle Chasser and Meg Aitken

The Attorney-General’s Department has released for discussion an exposure draft bill on mandatory reporting of serious data breaches. The notification requirements will apply to companies and information subject to the Privacy Act.

Under the proposal, a company would have up to 30 days after it is aware of a breach, or ought reasonably to be aware of a breach, to assess whether a data breach is a ‘serious data breach’. A serious data breach occurs if:

  1. there is unauthorised access or disclosure of information; and
  2. there is a real risk of serious harm to any of the individuals to whom the information relates.

When considering whether there is a real risk of serious harm to an individual, the draft legislation lists a number of factors that should be taken into account, including:

  1. the kind of information;
  2. whether the information is in a form that is intelligible to an ordinary person;
  3. whether the information is protected by security measures;
  4. the kinds of person who could obtain the information;
  5. the nature of the harm; and
  6. any mitigation steps taken by the company.

If the company determines that a serious data breach has occurred, it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable. The draft legislation also gives the OAIC additional powers to direct companies to undertake notification.

The proposal differs in a number of ways from the previous attempts to legislate mandatory data breach reporting made in 2013 and 2014. Most notably, the trigger for notification was previously a belief that there had been a data breach, whereas the current draft requires a company to be aware, or to be in a position where it ought reasonably to be aware, of a breach. Additional types of specific harm are included in the current draft; however, this is unlikely to have a major impact in practice.

Currently, data breach notification is only mandatory for unauthorised access to eHealth information under the My Health Records Act 2012. However, the OAIC operates a voluntary data breach notification scheme, which also uses the ‘real risk of serious harm’ notification threshold.

The exposure draft and accompanying discussion paper can be found here. Submissions are due by 4 March 2016.

APRA raising the bar on Cybersecurity

By Jim Bulling

At the Association of Superannuation Funds of Australia (ASFA) conference held in Brisbane in the last week of November, Stephen Glenfield, APRA’s General Manager of the South West region, indicated that an area of significant interest for APRA during 2016 would be the extent to which superannuation funds were prepared for cybersecurity risks.

Mr Glenfield indicated that APRA would be conducting a thematic review of superannuation funds during 2016 which was designed to provide APRA with much more detailed information about the processes that superannuation fund trustees were putting in place to protect their funds and their members from cybersecurity breaches.

As thematic reviews carried out by APRA are usually precursors to further regulatory or prudential reform, this announcement should alert superannuation funds to expect more comprehensive regulatory requirements in relation to cybersecurity risks in the near future.

It is expected that APRA will be particularly interested in understanding how superannuation fund risk management frameworks address cybersecurity risks and how trustee boards are involved in the oversight of cybersecurity risk management. A likely focus of the reviews will be investigating the measures which superannuation funds have established to:

  • identify critical assets and data
  • protect such assets and data
  • promptly detect when breaches have occurred
  • respond to breaches including communications and reporting
  • recover from breaches including reinstatement of systems and learnings from incidents.

This initiative comes on the back of ASIC’s release in March of this year of its Report 429 on Cyber Resilience, and underlines how Australia’s financial system regulators are becoming much more concerned about cybersecurity risks.

Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy

By Cameron Abbott and Meg Aitken

As the festive season approaches and retailers prepare for their busiest time of the year, a sophisticated form of point-of-sale malware, known as ‘ModPOS’, has reared its ugly head and is targeting payment terminals in the U.S.

It is estimated that the first ModPOS data hacks occurred in 2013 and that millions of credit and debit cards used at a broad variety of U.S. retailers have since been compromised. The unique complexity of the code, which experts say has never been seen before in malware, made it tricky to decipher.

Cyber security experts have warned that ModPOS not only has the ability to “scrape” credit and debit card numbers from the memory of point-of-sale terminals, but that the multifaceted code also records the keystrokes of computer operators and transmits the stolen data. If that isn’t enough, the malware is particularly difficult to detect and is reportedly capable of infiltrating systems despite security software and data controls.

More details about ModPOS malware can be found here.

Hotel Industry Payment Systems Under Attack

By Cameron Abbott and Meg Aitken

Stayed at one of Hilton Worldwide Holdings’ (Hilton) hotels between 18 November and 5 December 2014, or between 21 April and 27 July 2015? Check your bank statement.

Within the same week, both Hilton and Starwood Hotels & Resorts Worldwide Inc. (Starwood) have discovered that the point-of-sale terminals at a number of their hotels across the globe have been infected with malware.

The malware has enabled hackers to pinch the credit and debit card information of Starwood and Hilton customers; however, there is apparently no evidence that personal contact information provided as part of the hotels’ guest-reservation systems or loyalty rewards programs was stolen.

While the attack on Starwood was confined to 54 of its hotels in North America, the Hilton attack affected the chain’s hotels globally, including Australian establishments. The number of cards compromised has not been revealed by either hotel.

Starwood and Hilton are not the only luxury hotel chains to be affected by data hacks in 2015. The Mandarin Oriental and Trump International have also reported data security breaches involving intrusive malware this year. In the case of Starwood, the hack went undetected for eight months, showing how sophisticated some of these attacks are.

Starwood’s media release can be found here. Hilton’s media release can be accessed here.

10 Considerations for Developing a Data Breach Response Plan

By Jim Bulling and Michelle Chasser

A quick response to a data breach is key to mitigating its impact. The Office of the Australian Information Commissioner (OAIC) recommends that all entities have a data breach response plan in place and has recently released draft guidance on how to develop such a plan.

The guidance recommends that the plan set out the actions to be taken in the event of a breach and the team members responsible for those actions. Here are some questions for your organisation to consider, based on the OAIC’s draft guidance on developing a data breach response plan.

1. What constitutes a data breach?

2. What actions should your staff take?

3. Who is a member of the response team?

4. When does a breach need to be escalated to senior management?

5. Who is responsible for contacting and managing any affected individuals?

6. Who decides whether to contact law enforcement or regulators?

7. How are records of data breaches kept?

8. How will you identify and address any weaknesses in data handling that contributed to a data breach?

9. Are there any steps your cybersecurity insurance policy requires you to follow?

10. How will you test your response plan?

The OAIC’s consultation draft of its Guide to developing a data breach response plan can be found here.

Operation Resilient Shield

By Jim Bulling and Michelle Chasser

The US and UK are set to launch Operation Resilient Shield later this month. Operation Resilient Shield is a cybersecurity exercise to test each country’s readiness to withstand a serious attack designed to steal financial information and disrupt financial systems. Banks and government agencies in both countries will be involved.

As with the UK’s previous large scale cybersecurity exercise in 2013, Operation Waking Shark II, not a lot of detail about the operation has been released. The UK Computer Emergency Response Team (CERT) will be overseeing the operation and is thought to be focusing on communication between the two governments and the participating banks as well as amongst the participating banks themselves.

The joint UK-US operation was originally announced in January 2015 by UK Prime Minister David Cameron and US President Barack Obama, as part of an agreement between the two countries to develop cybersecurity cooperation principles.

Copyright © 2018, K&L Gates LLP. All Rights Reserved.