Data breaches in Australia are on the rise, particularly in the financial and healthcare industries. In an effort to disrupt this harmful trend, the Australian government is revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors.
But Australian businesses can't rely solely on the government's cybersecurity initiatives. Even the Australian Signals Directorate (ASD) admits that proposed security frameworks only raise the baseline of security. It is up to each individual business to continue lifting this standard with additional data breach prevention controls.
To help Australian businesses avoid some of the common malpractices that facilitate data breaches, we've compiled a list of some of the biggest data breaches in Australia, ranked by magnitude of impact.
If you're interested in a global perspective, you can also read our blog on the biggest data breaches globally.
1. Canva
Date: May 2019
Impact: 137 million users
Australian unicorn Canva suffered a monumental data breach impacting 137 million of its users. To put that into perspective, the online design tool currently has about 55 million monthly active users.
A cybercriminal known as Ghosticplayers breached Canva's defences but was stopped when Canva detected malicious activity in its systems. Unfortunately, this interception didn't happen soon enough. The threat actor had time to access the following user data:
- Usernames
- Real names
- Email addresses
- Country data
- Encrypted passwords
- Partial payment data
After the cyberattack, Ghosticplayers contacted ZDNet to boast about the successful data breach. This is unusual behaviour for cybercriminals, who usually gloat about their cybercrimes on dark web forums.
Canva quickly notified users whose passwords had been decrypted to change them, and reset all accounts whose passwords had not been changed in 6 months.
2. Latitude
Date: March 2023
Impact: 14 million customers
Latitude, the Australian personal loan and financial service provider, was affected by a data breach that impacted over 14 million people from Australia and New Zealand. Although the initial disclosure stated that only 328,000 individual customers were affected, that number quickly grew to 14 million after further investigation.
The Latitude breach was one of Australia's largest breaches in recent history and follows a recent string of large-scale attacks (Optus and Medibank).
The attack occurred when one set of employee credentials was stolen, allowing access to Latitude's customer data, primarily consisting of:
- Full names
- Physical addresses
- Email addresses
- Phone numbers
- Dates of birth
- Driver's license numbers
- Passport numbers
Much of the information was data stored from 2005, which drew questions about why companies continue to store customer records beyond the required seven-year timeframe. The government also considered extending the reach of federal cyber agencies to intervene when private companies come under attack.
Latitude is currently being investigated for its role in the attack and whether or not it had adequate capacity to prevent the attack from occurring. The company is also being investigated for a class-action lawsuit.
3. Optus
Date: September 2022
Impact: 9.8 million customers
The Optus data breach was one of the biggest security breaches in Australian history. Because Optus is the second-largest telecommunications company in Australia, this security incident raised questions about Australian data protection policies and how companies handle them.
Cybercriminals believed to be working for a state-sponsored operation breached Optus' internal network, compromising personal information and impacting up to 9.8 million customers, almost 40% of the population. According to Optus CEO Kelly Bayer, the oldest records in the compromised database could date as far back as 2017.
Personal data in this compromised data set includes:
- Names
- Birth dates
- Addresses
- Phone numbers
- Passport information
- Driver's license numbers
- Government ID numbers
- Medical records & Medicare card ID numbers
It's speculated that the criminal group gained access through an unauthenticated API endpoint, meaning a username/password or other authentication method wasn't required to connect to the API. Bayer said it was an extremely sophisticated attack that circumvented the company's strong cyber defenses.
Hackers published the sensitive data samples on online forums just a few days later, demanding a A$1.5m ransom in cryptocurrency. However, the hacker reversed course just a few days after demanding the ransom due to pressure from law enforcement, and claimed to have deleted all the data in an apology on the same forum.
The fallout of the attack saw major policy criticisms about the effectiveness of Australian cybersecurity. In April 2023, Optus was hit with a class-action lawsuit comprising 1.2 million customers. Australian Cyber Security Minister Clare O'Neil admitted that the country was a decade behind other developed countries on cybersecurity and data privacy.
[Image: The alleged details of the Optus data breach as revealed by a cybercriminal claiming responsibility. Source: Twitter, Jeremy Kirk.]
If the cybercriminals are confirmed to be state-sponsored, the breach was likely caused by a ransomware attack, a style of attack favoured by such well-financed hacker groups for its high success rates and significant dividends.
Investigations are still underway, and Optus has yet to confirm whether it received a ransomware note from the cybercriminals.
At this point, it is not clear whether this breach constitutes a violation of Australian privacy regulations. To prevent such a costly conclusion, Optus must prove that it took active measures to ensure the security of all customer data from data breach attempts, a decision for the privacy commissioner to make.
4. Medibank
Date: December 2022
Impact: 9.7 million people
In December 2022, Medibank, the Australian health insurance giant, was the victim of a major data breach, affecting the personal details of 9.7 million customers. The attack was believed to be linked to a well-known ransomware group based in Russia, the REvil ransomware gang.
The privacy breach was first discovered when REvil posted a folder containing 6GB of raw data samples on a dark web blog, indicating that they had larger amounts of data to release, and demanded a $10 million ransom. The data included:
- Names
- Birthdates
- Passport numbers
- Medical claims data
- Medical records
Despite this being one of the largest data breaches in Australian history, Medibank stood firm and refused to pay the ransom. Although the data is believed to have been fully released on the dark web, no cases of identity or financial fraud have occurred yet. Medibank also urged customers to stay vigilant about credit checks and phishing scams to ensure that they don't become victims, and the health giant invested significant amounts in its cybersecurity.
Medibank is currently under investigation by the Office of the Australian Information Commissioner (OAIC) for its information handling practices and could be subject to a $50 million fine if it is determined that it did not have adequate security practices in place. Additionally, a class-action lawsuit could be underway for Medibank as well.
5. ProctorU
Date: July 2020
Impact: 444,000 people
Sensitive information belonging to ProctorU, an online proctoring service for remote students, was leaked online for free on a dark web hacking forum. This incident was part of a larger data leak impacting 18 companies and exposing 386 million records.
- The University of Sydney
- The University of New South Wales
- The University of Melbourne
- The University of Queensland
- The University of Tasmania
- James Cook University
- Swinburne University of Technology
- The University of Western Australia
- Curtin University and the University of Adelaide
6. Australian National University (ANU)
Date: November 2018
Impact: 200,000 students
The Australian National University (ANU) fell victim to a highly sophisticated cyber attack that shocked even the most experienced Australian security experts. Furthermore, the attack wasn't discovered until nearly six months later.
Cyber attackers accessed sensitive information dating as far back as 19 years. The following information was stolen:
- Names
- Addresses
- Phone numbers
- Dates of birth
- Emergency contact details
- Tax file numbers
- Payroll information
- Bank account details
- Student academic results
This is where the University's most sensitive records were stored. The attackers worked meticulously to cover their tracks, immediately deleted access logs, and used the anonymity software Tor to obfuscate their location details.
7. Eastern Health
Date: March 2021
Impact: 4 hospitals
Eastern Health, an operator of four Melbourne hospitals, fell victim to a cyberattack, causing certain elective surgeries to be postponed.
The nature of the cyber attack is unknown, but it's suspected to have been a ransomware attack. This is likely to be true since, according to the Australian Cyber Security Centre (ACSC), ransomware attacks targeting the Australian health sector are increasing.
Eastern Health assured the public that no patient data was compromised in the attack.
8. Service NSW
Date: April 2020
Impact: 104,000 people
A major contributing factor to the seamless breach was the lack of multi-factor authentication.
9. Melbourne Heart Group
Date: February 2019
Impact: 15,000 patients
Melbourne Heart Group, a specialist cardiology unit in Cabrini Hospital, fell victim to a ransomware attack impacting 15,000 patient records.
Ransomware attacks are still classified as data breaches because cybercriminals access sensitive data and hold it hostage until a ransom is paid. This data breach compromised personal patient details and medical data, exposing victims to potential phishing attacks and identity theft.
Melbourne Heart Group was locked out of its compromised data for almost 3 weeks.
A spokesperson for the cardiology unit said that no sensitive data was leaked while it was in the possession of the cybercriminals.
But such a claim assumes ransomware criminals are true to their promise that damages will be completely reversed if demands are met.
Melbourne Heart Group reportedly paid the bitcoin ransom.
Many of the encrypted files were restored, but not all of them.
10. Australian Parliament House
Date: February 2019
Impact: Multiple political party networks (Liberal, Labor, and the Nationals).
Australian Parliament House networks were breached by a nation-state criminal group. It's speculated that China was responsible for the attack, as a response to Scott Morrison banning Huawei and ZTE equipment from Australia's 5G network.
The attack resulted in the loss of some data, but according to the head of the Australian Signals Directorate (ASD), Mike Burgess, none of it was classified as sensitive.
“There was a small amount of data taken; none of that was deemed sensitive, but the assessment of that is a matter for the parliament themselves,” Mike said at the Foreign Affairs, Defence and Trade Legislation Committee on April 5, 2019.
The cybercriminals used phishing techniques to steal employee credentials and gain entry into the government's network. This precursor attack took place on an infected external website that a small number of parliament staff visited.
11. Tasmanian Ambulance
Date: January 2021
Impact: Every resident who requested an ambulance between Nov 2020 and Jan 2021.
At the time of the breach, the Tasmanian ambulance was using outdated radio technology to run its communications network. Cyberattackers intercepted the radio data, converted the conversation to text, and posted the stolen data online.
The breached data included the following patient information:
- HIV status
- Gender
- Age
- Address of each emergency incident
The website exposing the compromised data has since been taken offline.
12. Northern Territory Government
Date: February 2021
When the app was launched, NT residents were assured that only Health Department officials and technical support personnel would have access to the collected data.
According to Sue Hawes, the head of the COVID-19 hazard management unit, the data breach was caused by an unintentional error.
13. Western Australian Parliament
Date: March 2021
Impact: Unknown
Western Australia parliament's mail server was accessed after a Microsoft Exchange Server vulnerability was exploited. This incident was part of a global cyberattack frenzy targeting the zero-day vulnerability before Microsoft responded with a patch release.
But it is uncertain whether this assurance is true. The lack of transparency into the event is concerning.
The Australian Cyber Security Centre (ACSC) declined to comment about the WA parliament attack but said that many Australian organisations were exposed to potential compromise while their servers remained unpatched.
If the nation-state criminals were as sophisticated as the Prime Minister described them, they may have had enough time to clandestinely exfiltrate some sensitive data, even during such a brief visit.