Australia is in the middle of the largest data security shake-up in its history. On October 27th, Australian Clinical Labs disclosed that its Medlab Pathology business had suffered a data breach affecting around 223,000 individuals. An unauthorized third party gained access to Medlab's IT systems and compromised sensitive data including medical and health records, Medicare numbers, and credit card numbers.
This follows three other major breaches since September that, between them, have affected roughly half of Australia's population.
Recent wave of major data breaches
On September 22nd, Singtel-owned Optus, the country's second-largest telco, disclosed that personal data from up to 10 million current and former customer accounts (out of Australia's population of 26 million) had been stolen. The data included names, dates of birth, home addresses, and driver's licence and passport numbers. Some experts have described it as the worst data breach in Australia's history.
Optus was not the only significant victim. Retail giant Woolworths subsequently revealed that millions of customers' details had been exposed in a breach at one of its online shopping sites after an attacker used compromised credentials. Health insurer Medibank Private then disclosed that it had suffered a breach resulting in the theft of customers' personal information, including sensitive medical claims data; the number of people affected is still growing.
Following prime-time news coverage, Australia has been described as a 'hotbed for cyber attacks.' There is a silver lining, however: cybersecurity is now being acknowledged and taken seriously at the highest level of government, which expects to pass additional data privacy and security legislation before Christmas.
Australia's existing safeguards deemed "inadequate"
This intense wave of serious cyberattacks has put the Australian government under considerable pressure to act so that breaches of this magnitude do not happen again.
"When Australians are asked to hand over their personal data, they have a right to expect it will be protected," said Attorney-General of Australia Mark Dreyfus in a recent media release. "Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business."
Australia's Minister for Cyber Security, Clare O'Neil, slammed telecommunications provider Optus, claiming that it "effectively left the window open for data of this nature to be stolen." She told Australian Broadcasting Corp. that the attack was an "unprecedented theft of consumer information in Australian history" and that in some countries, such a breach would result in fines "amounting to hundreds of millions of dollars."
As it stands, Australian privacy law gives the regulator very limited means to penalize Optus for a breach that affected approximately 40% of the country's population: the maximum civil penalty under the Privacy Act in its current form is AU$2.22 million. These recent breaches have pushed the country toward considerably tougher laws.
Australia ramps up penalties for privacy breaches
Over the weekend, the government announced legislation that would give the General Data Protection Regulation (GDPR) a run for its money by sharply increasing the penalties for organizations that breach the Privacy Act 1988. For comparison, under GDPR the EU's data protection authorities can impose fines of up to €20 million or 4% of global annual turnover, whichever is higher.
Under Australia's proposed rules, companies responsible for serious or repeated privacy breaches will face penalties of up to $42.5 million, three times the value of any benefit obtained through the misuse of the information, or 30% of the company's adjusted turnover for the relevant period, whichever is greatest.
To put this into perspective, in May 2022 the US Federal Trade Commission (FTC) fined Twitter $150m for using phone numbers and email addresses collected for 2FA (two-factor authentication) to target advertising. That penalty equates to roughly 3% of Twitter's annual turnover. Had the 30%-of-turnover ceiling in the Australian proposal applied, the maximum penalty would have been around ten times larger, in the region of $1.5 billion.
The government has also announced changes to telecommunications regulations that permit targeted sharing of government-issued identifier numbers (such as driver's licence, passport, and Medicare numbers) between telecommunication firms and banks. The aim is to improve fraud detection and allow closer monitoring of accounts belonging to customers affected by data breaches.
Australia has also demonstrated its commitment to cybersecurity in the 2022-23 federal budget, which allocates AU$9.9 billion ($6.8 billion) to the Australian Signals Directorate (ASD) over the next ten years under a new program called Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers (REDSPICE).
How should individual organizations respond?
In addition to government measures, there are steps organizations can take to bolster their own security. Although 98% of organizations report carrying out security awareness and training (SA&T), it is increasingly clear that SA&T on its own is not enough to prevent data breaches. No matter how much training employees receive, they are human and will inevitably make mistakes.
Furthermore, while Secure Email Gateways (SEGs) and Microsoft 365's native security add a layer of protection, they will not stop the most advanced phishing attacks. Many organizations also neglect outbound security, overlooking the fact that accidental breaches (such as misdirected emails) and deliberate exfiltration by insiders can be just as damaging as phishing.
Individual organizations can reduce their risk of falling victim to a cyber attack by taking these 18 cybersecurity precautions, all of which can be started today.
Secure your riskiest channel
Egress Intelligent Email Security is designed to mitigate inbound threats and outbound risks over the number one threat vector: email. It combines machine learning with technologies that evaluate context, relationships, and message content. In addition, real-time teachable moments help employees understand why an inbound email has been flagged as a phishing attempt or an outbound email has been flagged as a potential breach.