Data breaches – the gift that keeps on giving…

Two of Australia’s most extensive data breaches occurred within the space of a few weeks in 2022. In September, Optus was the victim of a data breach and, the following month, Medibank Private suffered a similar attack. Collectively, the data of almost 20 million Australians was stolen and held to ransom.  

Between 17 and 20 September 2022, the personally identifiable information of more than 9.5 million former and current Optus customers was accessed by a hacker demanding a ransom. When it wasn’t paid, the personal details of about 10,200 people were subsequently published on the dark web. The data breach left the telco exposed to multiple investigations and court cases, including class actions. 

In October 2022, a ransomware attack by a member of the Russia-based REvil ransomware gang captured the data of 9.7 million current and former Medibank members. When the private health insurer refused to pay the $10 million ransom, the private data was published on the dark web. Home Affairs Minister Clare O’Neil described the Medibank hack as “the single most devastating cyberattack we have experienced as a nation”. According to a federal cybercrime inquiry by Victoria Police in early 2024, over 11,000 cases of cybercrime have been connected to the Medibank data breach. The hacker has since been sanctioned – the first action of its kind in the country – with financial penalties and a travel ban. Like Optus, Medibank has been investigated and faces legal proceedings, including a class action led by the Baker McKenzie legal team.

Almost two years on, the fallout from these data breaches continues.  

Optus’ reputation took a major hit and it lost some 65,000 subscribers in just a few months. Following the breach, the company highlighted that the clean-up could cost $140 million. In May 2024, the Australian Communications and Media Authority (ACMA) filed proceedings in the Federal Court against Optus for failing to protect the confidentiality of its customers’ personal information from unauthorised interference or unauthorised access as required under the Telecommunications (Interception and Access) Act 1979. ACMA is seeking penalties, alleging Optus breached the Act at least 3.6 million times (the estimated number of active Optus subscribers at the time). If proven, each breach carries a penalty of up to $250,000, resulting in a theoretical maximum penalty of $900 million. The telco is also facing a class action brought by Slater and Gordon and recently lost its appeal to keep a report it commissioned from Deloitte regarding the 2022 cyberattack out of the hands of the lawyers.  

In June 2024, the Office of the Australian Information Commissioner (OAIC) filed civil penalty proceedings against Medibank over the 2022 data breach, alleging the health insurer failed to take reasonable steps to protect the personal information of 9.7 million Australians from misuse and unauthorised access or disclosure, in breach of section 13G of the Privacy Act 1988. If the OAIC succeeds, the Federal Court can impose a civil penalty as high as $2,220,000 for each breach of section 13G (the fine could total more than $21 trillion).

Laws changed 

In the wake of the two major data breaches, new laws were enacted in November 2022. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 introduced significantly increased penalties for serious and repeated privacy breaches and greater powers for the OAIC to resolve breaches.

The maximum penalty for a business involved in a serious privacy breach was increased to the greater of $50 million or three times the value of benefits obtained from the misuse of information. 

Data breaches are prevalent 

The spate of data breaches has continued despite the increased penalties and greater awareness of data security among many businesses. While many have flown under the radar, others have made headlines. High profile data breaches have touched many industries and sectors including mining, transport, retail, finance, education, government, IT, manufacturing, distribution, resources, entertainment, banking, insurance, telecommunications, childcare and health.  

And the repercussions can be serious. For example, a data breach at e-prescription provider MediSecure in May 2024 led to the company declaring insolvency and entering voluntary administration three weeks later. The breach saw 6.5 terabytes of patient and physician information posted for sale on a hacking forum. The data was for sale for US$500,000.

Australia is one of the countries with the highest number of data breaches.  

According to research from VPN operator Surfshark, the account details of 1.8 million Australians were leaked in the first three months of 2024 – a 388% increase over the previous quarter. The research highlighted that among the breached accounts, 37 million included unique email identifiers. This equates to an average of 13 accounts being compromised every minute since 2004. The breaches have led to the exposure of a total of 416 million personal records in Australia, including 97 million passwords.

Proofpoint’s Data Loss Landscape report revealed that Australian organisations suffer an average of 19 data loss events in a single year.

Businesses will be held accountable 

With the government’s goal of making Australia the most cyber secure nation by 2030, lawyers warn that regulators will be even more motivated to hold businesses accountable for poor cyber security practices. 

Increasingly stringent cyber security regulations are being adopted in Europe and the US, and Australian authorities are likely to follow suit in taking a stronger stance on the need to report cyber breaches and in implementing regulatory standards. 

The Australian Prudential Regulation Authority (APRA) has issued a directive to all entities under its regulation stressing the importance of data backups and ensuring cyber resilience. APRA mandated that entities evaluate their backup systems and promptly rectify any deficiencies. The Interim Policy and Supervision Priorities update also noted APRA will maintain its heightened supervisory focus on cyber resilience.  

In the legal proceedings against Medibank, the OAIC asserts that the data breach was due to the health insurer’s lack of cybersecurity preparedness. It cited issues such as stolen credentials, no multi-factor authentication and a slow response to the intrusion identified by the security software. 

Tips to help prevent data breaches 

  • Understand your obligations – Know your data security obligations, particularly if governed by the Privacy Act and subject to the notifiable data breach (NDB) regime. 
  • Develop a cyber security policy – Be sure to develop and implement a robust cyber security policy which outlines acceptable use of company resources and sets guidelines for protecting sensitive data. Enforce strict policies and procedures around the collection, updating, sharing and disposal of confidential and private information. 
  • Assess the data that your business needs to collect and hold – Collect and store only the data essential for your business operations and legal requirements. Collect as little sensitive information as required to operate your business. Continually assess the need, the operational requirements and the compliance requirements for a set of data. If the data is necessary, ensure that measures are in place to reasonably protect that data. 
  • Employ segmentation – Ensure there are strict access controls in place by restricting administrative privileges. Restrict access to the data to only those people who need it. If someone leaves your business or is absent for a long period of time, suspend their access to your systems.
  • Use encryption – Be sure to encrypt all data, including any backups.
  • Use strong passwords – Ensure strong passwords or passphrases are used on PCs, smartphones, laptops, tablets, email accounts and any other devices or accounts where personal information is stored. Discourage employees from using the same password across devices or accounts. Implement a lock-out for multiple failed login attempts and ensure passwords are periodically re-set.
  • Implement multi-factor authentication – Set company accounts so that they require multi-factor authentication. Ensure MFA is in place for all remote access to business systems and for all users when they perform a privileged action or access an important data repository.
  • Install a firewall – While most operating systems have in-built firewalls, consider investing in a third-party firewall to protect your devices and networks against viruses and malware, and to defend against backdoor attacks, DoS and DDoS attacks, unauthorised access and data theft.
  • Install anti-virus and malware protection – And then keep it up to date. Be sure it is installed on all devices used at home and by anyone working remotely too.
  • Enforce protocols for BYOD and using work devices in public places – Ensure any devices used by employees, whether business-owned or their own, are secure. If employees use devices outside of the office, be sure there are protocols for use in place (e.g. around using unsecured connections or public Wi-Fi).
  • Use endpoint detection and response (EDR) security software – Use intrusion detection and prevention systems to monitor network activity for suspicious behaviour.
  • Secure your Wi-Fi connection – Use the strongest Wi-Fi protocols (WPA3 or WPA2 at the least) and ensure you modify the default names and passwords on your business’ routers. Also ensure there are strong network passwords.
  • Use a virtual private network – Use a VPN to secure data transmissions and protect sensitive information when accessing the internet, especially while working outside of the office.
  • Prevent unauthorised software installations – Set company computers to disallow installations not approved by IT/management. 
  • Regularly update software – Require the use of latest versions of all software, applications, and operating systems. Patch applications and operating systems. Ensure all updates are installed as soon as prompted.
  • Constantly monitor company networks – Check for unusual activity and take any necessary steps to investigate and address all potential security threats. Consider remote monitoring by a managed IT services provider.
  • Conduct security audits – Perform regular security audits to identify and mitigate vulnerabilities in your business.
  • Back up your files – Regularly back up your data. This could be to a server, the cloud or a physical device. Adopt the 3-2-1 rule:
        • 3x copies of your data, with 
        • 2x of those copies being backups stored on different types of media, and 
        • 1x of those backups stored offsite. 
  • Train employees – Educate and train staff on data handling practices and best-practice data protection. Provide ongoing cybersecurity training to help employees recognise social engineering (phishing) and other cyberattacks.  
  • Destroy data no longer needed – Don’t keep data for longer than you need it. Use best practice to de-identify or destroy data no longer required (subject to data retention laws).
  • Dispose of old IT equipment securely – Ensure no personal data is left on computers, laptops, smartphones or any other devices before you dispose of them. Consider using data-wiping software or hiring a specialist to wipe data.
  • Develop a data breach response plan – Have a plan in place for responding to security breaches and other incidents, and regularly review, test, and update your plan as needed. The Office of the Australian Information Commissioner (OAIC) provides guidance on how to create a strong data breach response plan. 
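As an added illustration of three access-control items in the list above (suspending departed or long-absent staff, locking out repeated failed logins, and requiring MFA for remote or privileged access), here is example code that is not part of this article: a small Python audit run over constructed account records and authentication log lines. The thresholds, record format and sample data are assumptions, not a product or regulator's tool.

```python
"""Access-hygiene audit for three tips above: lock-out after repeated failed
logins, MFA for remote or privileged access, and suspending departed or
long-absent staff. Example code; formats, thresholds and data are assumptions."""
from dataclasses import dataclass
from datetime import date
MAX_FAILED = 5             # assumed lock-out threshold (consecutive failures)
MAX_ABSENCE_DAYS = 90      # assumed absence after which access is suspended
TODAY = date(2024, 6, 10)  # fixed "now" so the constructed sample is reproducible

@dataclass
class Account:
    user: str
    privileged: bool
    remote_access: bool
    mfa_enabled: bool
    last_login: date
    left_company: bool = False

def audit_accounts(accounts, today):
    """Return (user, finding) pairs for accounts that break the access rules."""
    findings = []
    for a in accounts:
        if a.left_company:
            findings.append((a.user, "departed: suspend access"))
        elif (today - a.last_login).days > MAX_ABSENCE_DAYS:
            findings.append((a.user, "long absence: suspend access"))
        if (a.remote_access or a.privileged) and not a.mfa_enabled:
            findings.append((a.user, "MFA required for remote/privileged access"))
    return findings

def accounts_to_lock(log_lines):
    """Scan '<time> <user> <OK|FAIL>' lines; return users hitting MAX_FAILED consecutive
    failures. A success resets the streak, so only a sustained guessing run locks out."""
    streak, locked = {}, set()
    for line in log_lines:
        _, user, result = line.split()
        streak[user] = streak.get(user, 0) + 1 if result == "FAIL" else 0
        if streak[user] >= MAX_FAILED:
            locked.add(user)
    return locked

# Constructed sample data: four accounts and a short authentication log.
ACCOUNTS = [
    Account("alice", True, False, True, date(2024, 6, 1)),          # compliant
    Account("bob", False, True, False, date(2024, 5, 20)),          # remote, no MFA
    Account("carol", True, True, True, date(2024, 1, 15)),          # absent 147 days
    Account("dave", False, False, False, date(2024, 6, 1), left_company=True),
]
AUTH_LOG = ["t1 alice FAIL", "t2 alice OK", "t3 alice FAIL", "t4 alice FAIL",
            "t5 bob FAIL", "t6 bob FAIL", "t7 bob FAIL", "t8 bob FAIL", "t9 bob FAIL"]
```

Running `audit_accounts(ACCOUNTS, TODAY)` flags bob, carol and dave, while `accounts_to_lock(AUTH_LOG)` locks only bob: alice's scattered failures are reset by her successful login.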

Last, but by no means least, ensure your business is protected with a cyber insurance policy. While insurance is not a substitute for good cyber security and responsible management of risks, it can provide essential financial protection and operational support in the event that your safeguards fail. Talk to your EBM Account Manager about cyber cover.