A Cyber Security Review of 2022

2022 was an eventful year for the cyber security industry worldwide, with everything from government shutdowns to multimillion-dollar data breaches. It’s been the same story in Australia, with a dramatic increase in major breaches dominating the headlines and impacting millions of Australians. These attacks have highlighted weaknesses in cyber resilience across many industries and have made cyber security a priority for Australian organisations. Meanwhile, the Australian Government has become increasingly vigilant to sophisticated attacks and how best to mitigate the risk of a data breach. As we move into 2023, we take a look back at some of the high-profile security incidents that occurred in 2022 and explore what you can do to enhance your cyber resilience into the year ahead.
‍

MEDIBANK BREACH - OCTOBER 2022

On 13th October 2022, the Medibank Group, one of the largest Australian private health insurance providers, detected unusual activity on its network. While there was no evidence at the time that data had been breached, the company engaged specialised cyber security firms to try to contain the event, isolate customer-facing systems and reduce the likelihood of damage. Over the next few days, a forensic investigation ensued and the unusual activity was found to be consistent with a possible ransomware threat. However, as no systems had been encrypted and additional security measures had been put in place across the network, the company was hopeful it was a false alarm. It wasn’t until 19th October that Medibank received a message from a group wishing to negotiate regarding the alleged removal of customer data. As Medibank tried to validate the claim, the criminal provided a sample of records for policies, including names, addresses, dates of birth, medicare numbers, phone numbers and claims data. Over the following days, more data was found to be stolen and the volume of affected customers rose rapidly.

On 7th November, Medibank announced that, based on extensive advice from cybercrime experts and in line with the Australian Government, no ransom payment would be made due to the limited chance of the data being returned or the payment preventing publication of the data. At this point, an astounding 9.7 million Medibank customers had been impacted. In the days that followed, the stolen data was released on the dark web. To support its customers during an extremely challenging time, Medibank put several measures in place, including:

• A hardship package providing financial support for vulnerable customers
• Access to a dedicated mental health and wellbeing support line
• Access to specialist identity protection advice and resources from IDCARE
• Free identity monitoring services for customers with compromised primary ID
• Reimbursement of fees for re-issue of identity documents
• Specialist identity protection advice and resources from IDCARE
• Medibank's mental health and wellbeing support line
• A cybercrime health and wellbeing line
• Mental health outreach service
• Better Minds App
• Personal duress alarms

While it hasn’t been confirmed exactly how the Medibank data breach happened, it was likely due to the theft of internal credentials belonging to an individual with privileged system access. Medibank detected the activity at the point that data was extracted and may well have stopped data encryption due to its quick action of shutting down the backdoors. It has since worked to strengthen and enhance its security protections further.
‍

OPTUS BREACH - SEPTEMBER 2022

In September 2022, Optus experienced a cyber-attack compromising 9.8 million current and former customers’ information. Upon discovering this, Optus immediately shut down the attack and worked with the ACSC (Australian Cyber Security Centre) to mitigate any risks to current and former customers. The hacker posted a text file of customer data records, enabling other malicious actors to use it in their own phishing attempts. Customers were advised to have heightened awareness and be on the lookout for unusual or fraudulent activity and Optus offered proactive personal notifications and third-party monitoring for those at heightened risk. Some of the additional remediation efforts to support customers include:

• Operation Guardian - an initiative set up by the AFP (Australian Federal Police) and state and territory police to augment the protection of more than 10,000 customers whose identification credentials were released online. Customers were to receive multi-jurisdictional and multi-layered protection from identity crime and financial fraud.
• Forensic Review - Deloitte were to lead a forensic review of the attack, including the security systems, controls and processes. The forensic assessment forms a crucial role in Optus’ response to the incident, helping them to understand how it occurred, improve prevention measures and rebuild customer trust.
• Joint Working Group - the Federal Government and Optus formed a joint working group with proposed changes to data-sharing regulations. This aim is to enable businesses to share information with approved financial institutions and government agencies and apply enhanced monitoring and safeguards to accounts of customers affected by current and future cyber incidents.
• Equifax Protect – Optus offered affected customers a 12-month subscription to credit monitoring and identification service provider Equifax Protect at no cost. The credit monitoring and identity protection service helps reduce the risk of identity theft or financial loss.

Again, Optus hasn’t confirmed exactly how the breach happened but did disclose that it involved someone gaining unauthorised access to its servers. Regardless, the breach led to a significant rise in phishing attacks.
‍

MEDLAB PATHOLOGY BREACH - FEBRUARY 2022

In February 2022, Medlab Pathology, one of Australia's largest pathology laboratories owned by Australian Clinical Labs (ACL), was the victim of a cyber-attack that affected almost 223,000 patients. The company realised that there had been unauthorised third-party access to its IT systems, leading to a forensic investigation by independent external cyber experts. However, they didn’t initially find any evidence that information had been compromised. It wasn’t until June that the ACSC informed ACL that Medlab information had been posted on the dark web. Following advice from cyber specialists, ACL implemented a program to uncover what information was hacked and which individuals could be at risk of serious harm. However, it took until October to ascertain the extent of the breach due to the highly complex nature of the data set. The personal information included medical and health records, credit card numbers and names and Medicare numbers. ACL then directly contacted impacted patients and staff with advice on how to protect their information, including a dedicated inbound response team and a free-of-charge credit monitoring or ID document replacement service for people at risk of credit or identity fraud.

The Medlab breach was one of the most concerning due to the highly sensitive information that was leaked. The ACL made efforts to permanently remove the data, but the process took external data-analysis experts several months to complete.
‍

LESSONS LEARNED - WHAT THE AUSTRALIAN GOVERNMENT IS DOING

Cyber resilience is a collaborative responsibility. Not only do individuals and businesses have a role to play, but government response to the drastic increase and scale of breaches is imperative. The Australian Government continues to be incredibly committed to strengthening cyber security on a national front and has implemented the following measures:

• Operation Orcus - the AFP has established a multi-agency task force to investigate a ransomware group called Deadbolt that has infiltrated the computers of over 15,000 people and companies in 13 countries. The disruption caused by the task force forced the criminals behind the attack to shut down their operations and individuals who filed reports were able to retrieve their data.
• Ransomware Action Plan - the plan, announced in October 2021, outlines the capabilities and powers that Australia will use to combat ransomware and details advice for victims. The 11 initiatives within the plan all work towards the key objective of preventing ransom payments from fuelling the ransomware business model.
• National Plan to Combat Cybercrime - since the plan was released in 2013, threats have evolved significantly. The updated 2022 version of the plan builds on existing initiatives while taking into account the evolving cyber threat environment and the increasing dependence and reliance on digital technologies. The plan focuses on three key pillars:

1. Preventing and protecting
2. Investigating, disrupting, and prosecuting
3. Recovering.

• Tougher penalties for serious data breaches - the Albanese Government has introduced legislation to significantly increase penalties for serious privacy breaches. The aim is to better regulate how companies manage the substantial amount of data they collect and to incentivise better behaviours.

LESSONS LEARNED - WHAT YOUR ORGANISATION CAN DO

With companies paying hefty penalties or even going out of business as a result of a simple system breach, prevention is vital. To avoid the purposeful exploitation of your systems or network and to mitigate the risk of attack, it’s vital to put some key measures in place, including:

• Detailed Incident Response Plan – Having an IR plan in place puts you in a better position to respond quickly to a security incident and minimise its impact and consequence. To manage a security incident, you need a framework to confirm whether or not an incident has occurred, provide rapid detection and response, reduce any and all disruption to the organisation and stakeholders, restore normal operations, and constantly  
• Security Assurance Program - security assurance is a measure of confidence that the security solutions, practices, and procedures you have in place are working effectively. Having a security assurance program is vital to protect information and ensure its integrity and quality and includes measures such as penetration tests, adversary simulations, and adversary protection services.
• Integrated Security Solutions - it’s vital to ensure your security technology is configured to best practices and can integrate with other technologies. Integrated solutions bring security into a single hub and deliver improved telemetry. With an integrated security solution, you will have a much clearer view of your environment and any potential vulnerabilities and can enhance threat detection with shared intelligence.

HOW TO IMPROVE YOUR SECURITY POSTURE

When it comes to cyberattacks, prevention is always better than cure, and the best defence is to:

• Continuously assess your security posture
• Introduce a culture of security
• Test your defences through security assurance engagements
• Build a comprehensive incident response plan
• Build a security improvement roadmap

At Infotrust, we are perfectly placed to assist you with all your cyber security responsibilities to mature your security posture over time and mitigate the risks associated with cybercrime. If you would like to improve your cyber resilience, contact the experts at Infotrust for a security planning session.

We are also holding an online event on Thursday 9th February, where we will discuss how to “Manage, Respond, and Recover from Cyber Incidents in 2023”. Our panel of experts will explore best practices for breach prevention, several ways to optimise your cyber defences, and how to respond effectively to a cyber incident. To register for this event, click here.