Category: Awareness

Australian Cyber News Last Week – November 27th, 2023: Well, that was a busy week. The Australian government’s release of the 2023-2030 Australian Cyber Security Strategy. I wrote up the TissuePath breach and followed down a rabbit hole of Core Desktop and AlphV (Black Cat). Optus CEO resigns, Changes to the SOCI act, Federal whole-of-government zero trust target, scale back of Metadata retention, and two-year delay on banning ransomware payments.

Australian Cyber News Last Week – November 20th, 2023: It was a week of fallout Optus Outage is putting pressure on the company, especially their CEO. DP World Australia is causing rethinks and proposals around Critical Infrastructure and Ransomware reporting. To back this up a new report “ASD Cyber Threat Report 2022-2023”, reveals cybercrimes are soaring with the targets ranging from everyday people to big businesses and even our nation’s most crucial assets.

Australian Info and Cyber Security Last Week 26th June 2023: Efos machine provider Smartpay impacted OZ and NZ customers. Libraries Tasmania had an old-school data handling incident, placing PII on this public website. The HWL Ebsworth Lawyers breach is continuing to expose clients with the Big 4 banks and the Department of Defence joining the growing list. And to finish off we welcome our new National Cybersecurity Co-Ordinator, Air Marshal Darren Goldie.

Australian Info and Cyber Security Last Week 12th June 2023: The ACT Government has been caught up in the Barracuda email gateway vulnerability. Investigations are continuing, I suspect there will be more organisations caught in this one. An update to the HWL Ebsworth with the Tasmanian Government caught up as one of their clients. The firm a many high-profile and government clients. More to play out here as well.

Australian Info and Cyber Security Last Week 5th June 2023: The Department of Defence made headlines by initially claiming they had only a few Chinese surveillance devices on their network, but an internal audit revealed over 400. Toyota finally revealed that Australian users were caught up in the overseas breach. Access key allowing access to databases was publicly available on GitHub for almost five years.

Last Week 22 – 28 May: Only one published data handling breach in the media last week. An interesting trend with data handling and internal data disclosure (via poor access control) being reported.

Last Week Ending 15 May: No publicly disclosed incidents this week, but a lost of coverage of the budget and discussions around the upcoming changes to the Privacy Act from the OAIC. A great resource that I have subscribed to (its free) is Lexology https://www.lexology.com/ , I have it provided a filtered feed of Australian legal and legislative news..

Last Week 15 – 21 May: Three new breaches, Ambulance Victoria internally exposing private medical results, TechnologyOne had its Microsoft 365 environment compromised, then the Medusa ransomware group demanded $100k with 7 days to pay from the Crown Princess Mary Cancer Centre. Fire Rescue Victoria dispatch system five months later trying to get the system fixed…. The federal budget cyber new and a boost for privacy. review of the Privacy Act released, and joint AU/ZN privacy investigation into Latitude breach.

Last Week 01 – 07 May: Two incidents were reported in the press this week. Amnesty International Australia’s report on a breach from December has some interesting notes surrounding the “serious harm” clause of the Australian Breach Notifications rules. HWL Ebsworth Lawyers is a good reminder for Privacy Week about excessive storage and encryption of PII data.

Last Week 24 – 30 April: With the extra free time I’ve rummaged through state government audit agencies sites looking for recent audits. I’ve added two from Western Australia and once from the best state Queensland. They are worth reading to remind us that independent audits are a valuable tool (ISO 27002 5.35 Independent review of information security). Have a great Privacy Awareness Week.

Reports from 17th April – 24th April: Last week TAFE SA incident where police in an unrelated investigation “found” a USB stick full of student registration and identity documents. A report from ASIC “ASIC’s report flagged inconsistencies in dealing with scams between Australia’s big four banks as a major issue” and the banking industries response makes good reading. Hopefully, it will drive a few changes.

Reports from 10th April – 17th April: Last week the deeps of the Latitude (Coles and GEMoney) and Tasmanian Government (GoAnywhere) breaches kept the news feeds busy. Another insider unauthorised access incident led to criminal charges relating to kidnapping. The general themes of stories we third-party risk management and unnecessary retention of data.

Reports from 3rd April – 9th April: More publicly reported breaches increasing the trend we are seeing this year now that the general media sees some new value in these stories. Canberra Health Services and Australian National Maritime Museum were both Insider Threat jobs (one fraud, the other unauthorised access and disclosure). Both are good reminders to tighten up your related internal controls. Tik Tok ban, Operation Cookie Monster and GoAnywhere are among the stories of the week.