It’s been another busy month in the world of cyber security. This update summarises June’s leading cyber and privacy-related news including notable cyber incidents, regulatory developments, new industry research and a few updates from us.
News from HSF
HSF Cyber Survey
A reminder that we are surveying in-house counsel to better understand your cyber-related experiences and concerns. If you haven’t yet participated, we would value your insights. Responses can be submitted anonymously, but if you choose to share your contact details then we will provide you with an anonymised summary of all responses received that you can use to benchmark your organisation against your peers. The survey takes about 7 minutes to complete.
Surging Cyber Incidents: Regulatory Activity and Class Claims in Australia
Our cyber disputes experts have published a legal briefing on the pronounced increase in regulatory activity and class claims stemming from recent cyber incidents. This briefing identifies key features of regulatory action and recently commenced claims, and outlines what organisations can do to better prepare for regulatory action and claims that may follow cyber incidents.
Media on recent cyber incidents
Extortion Group Clop’s MOVEit Attacks Hit Over 130 Victims
Data Breach Today – 28 June 2023
The number of organisations affected by a zero-day vulnerability in the file transfer tool MOVEit Transfer is understood to have grown to 131 globally. Russian-speaking ransomware group Clop has claimed responsibility for the large-scale attacks, which reportedly commenced around May 27. Victims named by Clop, or that have issued data breach notifications, include the BBC, Boots, British Airways, Shell and multiple U.S. government agencies, including the Department of Energy.
Latitude hit with $1 million lawsuit over data breach
The Canberra Times – 26 June 2023
An individual impacted by the Latitude data breach has commenced proceedings in the Federal Court of Australia, seeking AUD 1 million in damages. The individual reportedly claimed that Latitude failed to take reasonable steps to protect and secure their personal information, breaching its privacy obligations and duty of care to protect the individual from harm. A joint investigation by the Office of the Australian Information Commissioner and the New Zealand Office of the Privacy Commissioner is underway, while Australian Federal Police investigations also continue.
BlackCat claims hit on Reddit, threatens sensitive data leak
Data Breach Today – 19 June 2023
On 17 June, Russian-speaking cybercriminal group ALPHV (also known as BlackCat) claimed on its leak site to have stolen 80 gigabytes of data from Reddit. BlackCat reportedly contacted Reddit on April 13 and June 16, demanding USD 4.5 million in exchange for deleting the stolen data. BlackCat further demanded that Reddit withdraw planned pricing changes that have purportedly sparked controversy between Reddit and its volunteers, moderators and developers.
Suspected Chinese hackers use G7 ruse to target Australian government officials
AFR – 19 June 2023
Australia was reported to be one of four countries whose government officials were targeted by suspected China-based hackers following last month’s Group of Seven meeting in Japan. In an attempt to spread malware and steal information, cyber criminals emailed government officials from Australia, France, Singapore and the UK. These criminals impersonated officials from Indonesia’s Ministries of Foreign Affairs and Economic Affairs.
Fears government data has been stolen by cyber criminals grow as law firm’s clients are revealed
The Australian – 16 June 2023
The Australian Government established a crisis group to examine Commonwealth data that may have been accessed by Russian-speaking threat actors ALPHV (BlackCat) following the ransomware/data extortion attack on law firm, HWL Ebsworth. It is understood that HWL Ebsworth services at least 40 Commonwealth government departments and agencies as well as a large number of Australian corporates. Also see OAIC statement on HWL Ebsworth data breach.
Revealed: Inside HWL Ebsworth’s negotiations with the BlackCat hackers
AFR – 15 June 2023
The Australian Financial Review obtained court documents revealing the negotiations between HWL Ebsworth and ALPHV (BlackCat). The negotiations were revealed as part of a NSW Supreme Court injunction that was granted to restrain BlackCat from releasing the rest of the stolen data, as well as “any further broader access to or dissemination”, including by the media. HWL Ebsworth applied for the injunction after BlackCat published 4 terabytes of stolen data on 9 June – see AFR article (14 June) and The Age article (13 June).
FIIG Securities sees data stolen in Russian cyber attack
Cyber Security Connect – 13 June 2023
Sydney-based investment firm FIIG Securities announced that it had experienced a ransomware/data extortion attack impacting personal information of certain current and former clients, employees and shareholders. In the following days, ALPHV (BlackCat) claimed responsibility for the attack, stating it had stolen 385 gigabytes of data.
Regulatory and industry news
Australia’s Medibank faces fourth class-action lawsuit over cyberattack
Reuters – 29 June 2023
Phi Finney McDonald has filed a class action in the Supreme Court of Victoria, on behalf of individuals who held an interest in Medibank shares between September 2020 and October 2022. According to Medibank’s ASX release (29 June), the statement of claim includes allegations of misleading or deceptive conduct, and that Medibank breached its continuous disclosure obligations under the Corporations Act 2001 (Cth) and the ASX Listing Rules, by not disclosing to the market information relating to alleged deficiencies in its cyber security systems. Medibank has said it intends to defend the proceedings.
APRA takes action against Medibank in relation to cyber incident
Australian Prudential Regulation Authority (APRA) – 27 June 2023
APRA announced that it is raising Medibank’s capital adequacy requirement to AUD 250 million (effective 1 July 2023), following APRA’s review of Medibank’s major cyber incident. APRA stated that this action seeks to ensure Medibank expedites its remediation program and “demonstrates how seriously APRA takes entities’ obligations in relation to cyber risk.” In response, Medibank stated that it is able to meet the capital adjustment, and that APRA had also indicated it would conduct a technology review of Medibank – see Medibank’s ASX release (27 June).
Air Force’s readiness chief sent into Home Affairs to fortify response to ‘cyber scumbags’
The Mandarin – 23 June 2023
Air Vice-Marshal Darren Goldie AM (former head of the Royal Australian Air Force’s VIP operations and current Air Commander Australia) was appointed as the head of the National Office of Cyber Security and as Australia’s first cyber security coordinator within the Department of Home Affairs. Air Vice-Marshal Goldie will be responsible for coordinating cyber incident prevention and response efforts across federal government departments.
Cyber security incidents double between 2019-20 and 2021-22
Australian Bureau of Statistics – 22 June 2023
The Australian Bureau of Statistics (ABS) found that 22% of Australian businesses had experienced a cyber security incident or incidents in FY22, compared to 8% during FY20. In the ABS’ Characteristics of Australian Business survey, 34% of businesses reported loss of time in managing cyber security attacks, 18% reported downtime of service and 17% reported a loss of staff productivity.
Cyber attacks ruled as biggest issue facing Australia
Cyber Security Connect – 21 June 2023
The Lowy Institute found that foreign cyber attacks now top the list of national threats worrying Australians. In an annual poll of how Australians view the world, 68% of participants said they saw foreign cyber attacks as a critical threat to Australia’s vital interests in the next 10 years. See the 2023 Lowy Institute Poll – Understanding Australian Attitudes to the World.
Only 30% of businesses have board members responsible for cybersecurity
IBT Times – 21 June 2023
The UK government published a national cyber security breach study. Results showed that only 30% of all businesses have board members or trustees explicitly responsible for cyber security as part of their role. See the Cyber security breaches survey 2023. From an Australian perspective, ASIC’s position is that whilst boards may not require general technology expertise, “it may be advisable to have one or more directors who have a strategic understanding of technology or who have a background in cyber security.” See further here.
SEC delays final rules on breach disclosure, board expertise
Bank Info Security – 20 June 2023
The U.S. Securities and Exchange Commission announced that it will delay (until October) its publication of new rules requiring listed entities to disclose cyber security incidents and to disclose whether boards have cyber security expertise. The delay is attributed to pushback against a proposed requirement for entities to report cyber security incidents within four business days of discovery.
In-conversation with Home Affairs’ Hamish Hansford. Cyber security & critical infrastructure
The Australian Strategic Policy Institute (ASPI) – 15 June 2023
Dr Alex Caples (ASPI’s Director of Cyber, Technology and Security) hosted a podcast with Hamish Hansford (Deputy Secretary of Cyber and Infrastructure Security at the Department of Home Affairs). Their discussion explored links between cyber security, supply chain security and critical infrastructure, as well as what the amendments to the Security of Critical Infrastructure Act mean for industry.
Understanding Ransomware Threat Actors: LockBit
Australian Cyber Security Centre – 15 June 2023
The Australian Cyber Security Centre, along with similar Five Eyes agencies, co-authored a new intelligence advisory on the LockBit Ransomware-as-a-Service cybercrime group. The advisory states that between 1 April 2022 and 31 March 2023, LockBit were responsible for 18% of the total number of reported ransomware incidents in Australia.
2023 Data Breach Investigations Report: frequency and cost of social engineering attacks skyrocket
Verizon – 6 June 2023
Verizon released its annual Data Breach Investigations Report, which analysed 16,312 security incidents and 5,199 breaches. The research showed that the cost of a ransomware incident has doubled over the past two years, with 95% of incidents costing between USD 1 – 2.25 million. See also Verizon’s webinars on 2023 Data Breach Investigations Report (DBIR) Key Findings and Applying the DBIR to your Organization.
For further information, please contact:
Cameron Whittfield, Partner, Herbert Smith Freehills
cameron.whittfield@hsf.com