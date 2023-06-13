ARTICLE

A lot can happen in a month. This update summarises cyber news from the last month – including notable cyber incidents, regulatory developments and general industry trends, plus an update from us.

News from HSF Media on recent cyber incidents Regulatory investigations and litigation Regulatory and industry news

News from HSF

Media on recent cyber incidents

We have set out some of the main cyber 'headlines', posted by various media outlets, published in the past month or so.

HWL Ebsworth issued 'final warning' by Russian cybercriminals

AFR – 4 June 2023

Australian law firm HWL Ebsworth has allegedly been issued a 'final warning' by Russian-linked cybercriminal group, ALPHV (also known as BlackCat), to pay a ransom to prevent its data being leaked. News of the data breach was first reported on 1 May.

Hackers use flaw in popular file transfer tool to steal data, researchers say

Reuters – 3 June 2023

Russian-linked cybercriminal group, dubbed Clop, has allegedly stolen data from users of the file transfer tool, MOVEit Transfer. Its US-based developer, Progress Software, announced on 31 May that it had identified security vulnerabilities on 28 May, and made appropriate fixes.

Toyota: Apology and Notice Concerning Newly Discovered Potential Data Leakage of Customer Information Due to Cloud Settings

Toyota Motor Corporation website – 31 May 2023

After announcing a suspected data breach on May 12, Toyota Motor Corporation confirmed that Asia and Oceania customer data was potentially accessible externally between 2015 and 2023. Toyota attributed the incident to cloud security misconfigurations (which Toyota said it had since implemented a system to monitor), and to insufficient dissemination and enforcement of data handling rules.

Latitude Financial attack costs company up to AU $105 million

Data Breach Today – 26 May 2023

In an ASX announcement, Latitude stated that it had forecasted a loss of up to AUD 105 million as a result of its recent ransomware and cyber extortion attack. This figure accounted for a five-week period during which Latitude's debt collection systems were disrupted.

Five Eyes members expose China-backed hacking campaign

AFR – 25 May 2023

The Australian Cyber Security Centre (ACSC) issued an advisory warning Australian businesses to be on high alert, after a Chinese state-backed hacking group was blamed for attacks on US critical infrastructure. See also the ACSC alert.

TechnologyOne halts trading after cyberattack

Lawyerly – 10 May 2023

Australian software company, TechnologyOne, announced that it had detected unauthorised third party access to its internal Microsoft 365 'back-office' system. At TechnologyOne's request, the company's shares were placed in trading halt on the ASX until the commencement of trading on 12 May 2023. See also TechnologyOne's ASX announcement.

Crown Princess Mary Cancer Centre in Westmead Hospital in cyber attack, hackers threatening to release stolen data

ABC – 4 May 2023

Crown Princess Mary Cancer Centre in Westmead Hospital experienced a ransomware and data extortion attack. According to CyberCX, the group claiming responsibility for the attack, known as Medusa, has been actively targeting organisations in Australia and New Zealand since early 2023.

Medibank to keep Deloitte hack report secret

AFR – 28 April 2023

Medibank confirmed that it would not release the findings of an external report prepared by its advisor, Deloitte, which describes the firm's investigation into the October 2022 ransomware and data extortion attack.

Regulatory investigations and litigation

OAIC to investigate group proceeding against Medibank

Lawyerly – 12 May 2023

The Office of the Australian Information Commissioner (OAIC) advised Medibank that it will proceed with an investigation of the representative complaint against the health insurer, brought by Maurice Blackburn in November 2022, following Medibank's October 2022 data breach.

Latitude hack investigated by privacy watchdogs

AFR – 10 May 2023

The OAIC and New Zealand Office of the Privacy Commissioner announced the commencement of a joint investigation into Latitude, focusing on whether Latitude took reasonable steps to protect the personal information it held. See also OAIC announcement.

Law firm launches class action on behalf of millions of customers caught up in Medibank data hack

ABC News – 5 May 2023

On 4 May, a third class action was filed against Medibank in relation to the October 2022 data breach that exposed the personal information of millions of Medibank and ahm customers – this time, by Slater & Gordon in the Federal Court of Australia. The statement of claim references alleged breaches of contract, negligence and contraventions of the Australian Consumer Law. See also AFR article.

Regulatory and industry news

New report from NAB reveals the personal cost of cyber security threats

Cyber Security Connect – 30 May 2023

NAB released a report that found three in 10 Australians are extremely concerned about the threat and impact of cyber attacks.

State-aligned actors targeting SMBs globally

Data Breach Today – 24 May 2023

Research from cyber security company, Proofpoint, found that state-aligned hackers from Russia, Iran and North Korea are increasingly targeting small and medium sized businesses around the world.

After feds backtrack, Victoria stumps up AU $35 million for cyber hubs

InnovationAus.com – 23 May 2023

The 2023 Victorian Budget allocated AUD 34.7 million for a cyber security reform package. The funding is intended to strengthen Victoria's cyber defence systems and response capabilities through a new Cyber Defence Centre.

Australian Federal Budget 2023-24: Cyber and Privacy Initiatives

Herbert Smith Freehills Legal Briefings – 12 May 2023

The 2023-24 Federal Budget allocated AUD 101.6 million to building cyber resiliency across the private and public sectors.

Critical Infrastructure Asset Class Definition Guidance

Herbert Smith Freehills Legal Briefings – 12 May 2023

The Department of Home Affairs' Cyber and Infrastructure Security Centre (CISC) published guidance to assist organisations to identify how their assets are classified under Australia's Security of Critical Infrastructure regime.

OAIC welcomes three-Commissioner model

Office of the Australian Information Commissioner – 3 May 2023

The OAIC welcomed the Commonwealth Attorney-General's announcement of a new three-Commissioner model, in which a standalone Privacy Commissioner will be appointed alongside an interim Freedom of Information Commissioner and the existing Australian Information Commissioner.

