A lot can happen in a month. This update summarises cyber news from the last month – including notable cyber incidents, regulatory developments and general industry trends, plus an update from us.

  1. News from HSF
  2. Media on recent cyber incidents
  3. Regulatory investigations and litigation
  4. Regulatory and industry news

News from HSF

Cyber Insurance Health Checks

As the nature of cyber incidents evolves, it is increasingly important that you understand whether your insurance policies provide cover for all relevant exposures. As end of year renewals approach, our Insurance team is conducting cyber insurance health checks – to assess client insurance coverage against key cyber risk areas, identify gaps and recommend fixes based on what else is available in the market. On completion, clients receive an accessible, easy-to-understand overview, designed for legal teams, boards and key executives, along with general coverage advice and recommendations.


HSF Cyber Survey

In September, the AFR will host its inaugural Cyber Summit, bringing together a vast array of key cyber players. HSF is sponsoring this event and, in preparation for it, we are surveying in-house counsel, to better understand their cyber-related experiences and concerns. We would love for you to participate. The survey takes about 7 minutes to complete.


Media on recent cyber incidents

We have set out some of the main cyber 'headlines', posted by various media outlets, published in the past month or so.

HWL Ebsworth issued 'final warning' by Russian cybercriminals

AFR – 4 June 2023

Australian law firm HWL Ebsworth has allegedly been issued a 'final warning' by Russian-linked cybercriminal group, ALPHV (also known as BlackCat), to pay a ransom to prevent its data being leaked. News of the data breach was first reported on 1 May.

Hackers use flaw in popular file transfer tool to steal data, researchers say

Reuters – 3 June 2023

A Russian-linked cybercriminal group, dubbed Clop, has allegedly stolen data from users of the file transfer tool, MOVEit Transfer. Its US-based developer, Progress Software, announced on 31 May that it had identified security vulnerabilities on 28 May, and made appropriate fixes.

Toyota: Apology and Notice Concerning Newly Discovered Potential Data Leakage of Customer Information Due to Cloud Settings

Toyota Motor Corporation website – 31 May 2023

After announcing a suspected data breach on 12 May, Toyota Motor Corporation confirmed that Asia and Oceania customer data was potentially accessible externally between 2015 and 2023. Toyota attributed the incident to cloud security misconfigurations (Toyota said it had since implemented a system to monitor these), and to insufficient dissemination and enforcement of data handling rules.

Latitude Financial attack costs company up to AU $105 million

Data Breach Today – 26 May 2023

In an ASX announcement, Latitude stated that it had forecasted a loss of up to AUD 105 million as a result of its recent ransomware and cyber extortion attack. This figure accounted for a five-week period during which Latitude's debt collection systems were disrupted.

Five Eyes members expose China-backed hacking campaign

AFR – 25 May 2023

The Australian Cyber Security Centre (ACSC) issued an advisory warning Australian businesses to be on high alert, after a Chinese state-backed hacking group was blamed for attacks on US critical infrastructure. See also the ACSC alert.

TechnologyOne halts trading after cyberattack

Lawyerly – 10 May 2023

Australian software company, TechnologyOne, announced that it had detected unauthorised third party access to its internal Microsoft 365 'back-office' system. At TechnologyOne's request, the company's shares were placed in trading halt on the ASX until the commencement of trading on 12 May 2023. See also TechnologyOne's ASX announcement.

Crown Princess Mary Cancer Centre in Westmead Hospital in cyber attack, hackers threatening to release stolen data

ABC – 4 May 2023

Crown Princess Mary Cancer Centre in Westmead Hospital experienced a ransomware and data extortion attack. According to CyberCX, the group claiming responsibility for the attack, known as Medusa, has been actively targeting organisations in Australia and New Zealand since early 2023.

Medibank to keep Deloitte hack report secret

AFR – 28 April 2023

Medibank confirmed that it would not release the findings of an external report prepared by its advisor, Deloitte, which describes the firm's investigation into the October 2022 ransomware and data extortion attack.

Regulatory investigations and litigation

OAIC to investigate group proceeding against Medibank

Lawyerly – 12 May 2023

The Office of the Australian Information Commissioner (OAIC) advised Medibank that it will proceed with an investigation of the representative complaint against the health insurer, brought by Maurice Blackburn in November 2022, following Medibank's October 2022 data breach.

Latitude hack investigated by privacy watchdogs

AFR – 10 May 2023

The OAIC and New Zealand Office of the Privacy Commissioner announced the commencement of a joint investigation into Latitude, focusing on whether Latitude took reasonable steps to protect the personal information it held. See also OAIC announcement.

Law firm launches class action on behalf of millions of customers caught up in Medibank data hack

ABC News – 5 May 2023

On 4 May, a third class action was filed against Medibank in relation to the October 2022 data breach that exposed the personal information of millions of Medibank and ahm customers – this time, by Slater & Gordon in the Federal Court of Australia. The statement of claim references alleged breaches of contract, negligence and contraventions of the Australian Consumer Law. See also AFR article.

Regulatory and industry news

New report from NAB reveals the personal cost of cyber security threats

Cyber Security Connect – 30 May 2023

NAB released a report that found three in 10 Australians are extremely concerned about the threat and impact of cyber attacks.

State-aligned actors targeting SMBs globally

Data Breach Today – 24 May 2023

Research from cyber security company, Proofpoint, found that state-aligned hackers from Russia, Iran and North Korea are increasingly targeting small and medium-sized businesses around the world.

After feds backtrack, Victoria stumps up AU $35 million for cyber hubs

InnovationAus.com – 23 May 2023

The 2023 Victorian Budget allocated AUD 34.7 million for a cyber security reform package. The funding is intended to strengthen Victoria's cyber defence systems and response capabilities through a new Cyber Defence Centre.

Australian Federal Budget 2023-24: Cyber and Privacy Initiatives

Herbert Smith Freehills Legal Briefings – 12 May 2023

The 2023-24 Federal Budget allocated AUD 101.6 million to building cyber resiliency across the private and public sectors.

Critical Infrastructure Asset Class Definition Guidance

Herbert Smith Freehills Legal Briefings – 12 May 2023

The Department of Home Affairs' Cyber and Infrastructure Security Centre (CISC) published guidance to assist organisations to identify how their assets are classified under Australia's Security of Critical Infrastructure regime.

OAIC welcomes three-Commissioner model

Office of the Australian Information Commissioner – 3 May 2023

The OAIC welcomed the Commonwealth Attorney-General's announcement of a new three-Commissioner model, in which a standalone Privacy Commissioner will be appointed alongside an interim Freedom of Information Commissioner and the existing Australian Information Commissioner.
