CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.

 

1
Hacked accounts anyone?
2
SWIFT’s assessment of Distributed Ledger Technologies
3
Australian Government releases Cyber Security Strategy
4
Privacy Commissioner releases a Guide to deal with data breaches
5
Event: Learn With Us – Update on Cybersecurity
6
Bangladesh Bank considers legal action against the NY Fed in Hollywood-esque hack
7
The biggest cyber security threats experienced by Australian organisations
8
Been Hacked? To Report Or Not To Report… To The SEC, It Isn’t Even A Question.
9
A New Cyber Regulator on the Beat: The CFPB Issues its First Cybersecurity Order and Fine
10
The EU-US Privacy Shield has been released

Hacked accounts anyone?

By Cameron Abbott and Giles Whittaker

Have you been hacked? If you are the user of a Google, Yahoo or Microsoft e-mail account then it is a possibility. Alex Holden, the founder and Chief Information Officer of Hold Security who discovered the hack has identified 272.3 million account credentials have been stolen. The majority of these accounts are users of Mail.ru which is Russia’s most popular e-mail service.

57 million Mail.ru account credentials had been hacked and Mail.ru “are now checking any combinations of usernames/passwords match users’ e-mails and are still active”, from initial checks there were no live combinations.

Google and Yahoo are yet to provide any response.

This recent hack, which was performed by a young Russian hacker who is more determined to become famous than rich from his recent efforts after only asking for 50 roubles (less than $1) for the entire dataset, is one of the biggest collection of stolen credentials since the attacks on major US banks and retailers two years ago. The information which was stolen, as suggest by Holden in an interview with Reuters is “potent [and] it is floating around in the underground…which can be abused multiple times.”

Some of the stolen credentials include those for employees of large US banking, manufacturing and retail companies. When considering that 22 percent of big data breaches come from stolen online credentials (according to a recent survey of 325 computer professional) and hacks of this nature typically allow for further break-ins or phishing attacks by accessing the contacts of each hacked account, the domino effect of a hack such as this is substantial. Furthermore, individuals that like to re-use their preferred passwords across multiple accounts have exposed themselves to additional hacks.

So what is the take away message? According to Will Harwood, founder and Chief Technology Officer of Silicon SAFE, the solution as he told Infosecurity is to put the “password data in a dedicated hardware supported database that only allows data to be stored and compared, never revealed.”

For more of Will Harwood’s security suggestions and the Infosecurity article click here.

To read more about Alex Holden’s discovery of the Russian hacker click here.

SWIFT’s assessment of Distributed Ledger Technologies

By Cameron Abbott and Giles Whittaker

SWIFT and Accenture released their new paper into how Distributed Ledger Technologies (DLTs) could be used in financial services. The outcome of their assessment highlighted 8 key gaps between industry requirements and the current DLT solutions. The 8 critical factors to be addressed before widespread adoption of DLT’s include:

  1. strong governance;
  2. data controls;
  3. compliance with regulatory requirements;
  4. standardisation;
  5. identity framework;
  6. security and cyber defence;
  7. reliability; and
  8. scalability.

The potential use of these technologies is still unclear according to Fabian Vandenreydt the Head of Securities, Innotribe and the SWIFT Institute. However SWIFT has committed to working with the industry to identify areas in which the technology can provide the greatest benefit.

For more information about SWIFT’s position on DLTs or to download a copy of the paper visit here.

Australian Government releases Cyber Security Strategy

By Cameron Abbott and Giles Whittaker

Cybersecurity appears to be a new popular expenditure, particularly in Australia, as Malcom Turnbull announces his government’s new Cyber Security Strategy initiative budgeted to cost $230 million over 4 years in addition to the $400 million allocated in the 2016 Defence White Paper over 10 years.

So what do we get for all that money? The government has announced their 5 themes of action over the next 4 years which includes:

  1. a national cyber partnership;
  2. strong cyber defences;
  3. global responsibility and influence;
  4. growth and innovation; and
  5. a cyber smart nation.

This will include the funding to establish a Cyber Security Growth Centre through a National Innovation and Science Agenda. The Growth Centre is intended to serve as an innovation hub which will identify and prioritise cybersecurity challenges and identify opportunities for Australia to build globally competitive commercial solutions.

Cybersecurity is grabbing global attention and the Turnbull government has appointment their first Cyber Ambassador. The role of the Cyber Ambassador will be to identify opportunities for practical international cooperation and ensure Australia is situated to take advantage of new commercial opportunities.

Small businesses are often left exposed to hackers due to a lack of resources allocated to cybersecurity and, are targeted for their potential provide a back door to other companies, are often targeted. Turnbull’s no business left behind strategy sees small businesses being allocated $15 million in grants to have their systems tested and improved by The Council of Registered Ethical Security Testers (CREST).

For further information access the government’s plan here.

Privacy Commissioner releases a Guide to deal with data breaches

By Cameron Abbott, Rob Pulham and Simon Ly

On 11 April 2016, the Privacy Commissioner released a guide to deal with issues associated with data breaches. This is aimed at entities regulated by the Privacy Act 1988 (Cth) in order to assist them with complying with the Australian Privacy Principles.

When (and it is likely to be a matter of when and not if) your entity is subject to a data breach, whether it be through your system being hacked or if devices are lost or stolen, it is important that you are equipped to deal with it. It is important to get in front of such problems and have pre-prepared action plans given that it is likely that the first 24 hours will be the most crucial in determining your level of success in dealing with a data breach. Data breaches can be expensive, both in a monetary and reputational sense.

In the guide, the Privacy Commissioner highlighted that a written data breach response plan is an important tool to help deal with such issues. Such a plan should include:

  • actions to be taken if a breach is suspected, discovered or reported by a staff member, including escalation measures;
  • the members of the data breach response team; and
  • the actions the team are expected to take.

Such a plan needs to be regularly reviewed and updated, with all relevant staff kept up to date so that they know what actions they are expected to take.

The Privacy Commissioner suggests the following four steps to be taken when a data breach is discovered:

  1. contain the breach and do a preliminary assessment;
  2. evaluate the risks associated with the breach;
  3. develop a plan for notifying affected individuals and consider what information should be in any notification; and
  4. determine steps to be taken to prevent future breaches.

For more information, please feel free to contact us. You can find out more information on practical steps you can take here.

Event: Learn With Us – Update on Cybersecurity

2016 is shaping up to be another big year for developments in cybersecurity and privacy.

We finally expect to see mandatory data breach reporting laws introduced into Australia; there are continuing developments in relation to the US/EU “Safe Harbor” framework and its proposed replacement the “Privacy Shield”; ever-growing connectivity between “Internet of Things” devices; hackable cars; self-driving cars; and of course our favourite topic, drones.

Not to mention the increasing usefulness of data analytics and the steady migration of data into the “cloud”, along with data breaches that have become too prolific to list.

Join Cameron Abbott, Partner, and Rob Pulham, Senior Associate, in our Melbourne office Thursday 14 April 2016 12.45pm to 2.00pm for our annual update on all things cybersecurity and privacy, where we will:

  • highlight some of the key developments over the past 12 months
  • consider how your business should be placed to handle issues that are regularly arising in practice
  • look forward to the (near) future and what it may bring.

Lunch will be provided. We hope you can join us – please register here.

CPD/CLE points:
You can claim one substantive law CLE point for your attendance at this session.

Bangladesh Bank considers legal action against the NY Fed in Hollywood-esque hack

By Cameron Abbott and Simon Ly

In a story that would make an excellent plot to a sequel to Ocean’s 13, the Federal Reserve Bank of New York has been the target of a successful major cyber hack. Part of the targeted attack was an attempt to steal nearly $1 billion from Bangladesh Bank’s account.

If anyone would be well protected it would be the NY Fed, right? Well, while they were able to block some 30 transactions, 5 were successful, resulting in $81 million being stolen from Bangladesh Bank’s account.

The NY Fed has released a statement outlining that its systems were not breached, but instead pointing to SWIFT, a member-owned cooperative relied upon by banks to authenticate international monetary transactions. In response, a SWIFT representative stated that it “reiterates that the SWIFT network itself was not breached”. For its part, the NY Fed agreed that it “viewed this as a major lapse on the part of FRB NY”.

It will be fascinating to see how this he-said she-said blame game plays out. The current state of events is that the Bangladesh Bank is engaging legal counsel to establish grounds for recompense.

It goes without saying that these mind boggling figures and the nature of the attack emphasise that no one is immune from attacks. Next time someone tells you that it can’t happen to your organisation – remember this example.

For more information, please see Bloomberg’s report here.

The biggest cyber security threats experienced by Australian organisations

By Jim Bulling and Michelle Chasser

The Australian Government Australian Cyber Security Centre (ACSC) has released its 2015 Cyber Security Survey: Major Australian Businesses. 149 organisations across a number of sectors, including banking and finance, defence and energy, responded to the survey which provides some interesting insights into cyber security activity and concerns for the future.

According to the survey the top 10 cyber security incidents experienced by respondents on their networks in the previous 12 months were:

  1. ransomware (72%)
  2. malware (66%)
  3. targeted malicious emails (59%)
  4. virus or worm infection (30%)
  5. theft of mobile devices and laptops (30%)
  6. trojan (27%)
  7. remote access trojans (20%)
  8. unauthorised access (25%)
  9. theft or breach of confidential information (23%)
  10. unauthorised access to information from an outsider (17%)

Read More

Been Hacked? To Report Or Not To Report… To The SEC, It Isn’t Even A Question.

By Tyler Kirk

In the US, the Securities and Exchange Commission has encouraged its regulated entities to self-report. If entities do not self-report, there is the very real possibility that a whistleblower may disclose a cybersecurity incident to the Commission. Significantly, the SEC has indicated that it would take a more adversarial position against an entity that does not self-report.
When self-reporting cybersecurity incidents to the SEC, it is important to approach the Commission with a well thought out plan for responding to the incident. Moreover, a remediation strategy should be a part of every entity’s cybersecurity policies and procedures.

After a cybersecurity incident, SEC regulated entities, such as investment companies and their boards, should move quickly to establish the scope of the incident, decide whether to self-report to the SEC, and begin the remediation process. According to the Commission, under some circumstances, the SEC has tools available to assist with remediation.

Importantly, self-reporting cybersecurity incidents to the SEC could benefit an investment company and its board by leading to a reduced penalty in the event an enforcement action is brought on the basis of the incident.

A New Cyber Regulator on the Beat: The CFPB Issues its First Cybersecurity Order and Fine

By Ted Kornobis

On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) instituted its first data security enforcement action, in the form of a consent order against online payment platform Dwolla, Inc.

The CFPB joins several other regulators that have recently issued statements or instituted enforcement actions in this space, including the Securities and Exchange Commission (“SEC”), Commodities Futures Trading Commission (“CFTC”), the Financial Industry Regulatory Authority (“FINRA”), the National Futures Association (“NFA”), the Department of Justice (“DOJ”), state attorneys general, and the Federal Trade Commission (“FTC”), which has been active in this area for several years.

To read more click here.

The EU-US Privacy Shield has been released

By Cameron Abbott and Meg Aitken

The European Commission has now officially released the EU-U.S. Privacy Shield, which sets out the key requirements and principles for trans-Atlantic data flow between Europe to the US.

Read our colleague’s article on the announcement here.

Alternatively, access the European Commission’s Press Release here.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.