Privacy Act review says Australians should be able to sue for breaches
A three-year review of Australia’s Privacy Act has been completed. The 116 proposals across its 320 pages include the recommendation that individuals should have a direct right of action for serious invasions of privacy.
The review of the Privacy Act, which governs how organisations store and use private data, began in 2020. The review aims to make the legislation fit for the modern age, particularly in the wake of recent data breaches.
Proposals include giving members of the public a direct right of action and statutory tort for serious invasions of privacy. Businesses with a turnover of under $3 million, which were previously exempt, would be included in the scheme. People’s right to opt out of targeted ads would also be strengthened, and attorney general Mark Dreyfus says future legislation could encompass a European-style right to be forgotten. One lawyer called the review “an overwhelmingly positive step”. The proposals will go through a round of consultation later this year.
Thousands of Atlassian staff hit by breach
The data of 13,200 employees of the Australian tech firm Atlassian appears to have been stolen, with hackers claiming, “This company worth $44 billion has been pwned by the furry hackers uwu.”
The group, known as SiegedSec, claims to have taken data including the names, email addresses, work departments and phone numbers of the Atlassian employees, along with floor plans of offices located in Sydney and San Francisco.
An Atlassian spokesperson at first suggested that Envoy, a third-party app that Atlassian uses to coordinate in-office resources, had been compromised. However, after an Envoy spokesperson suggested an attacker had simply used “an Atlassian employee’s valid credentials” to access the app, Atlassian confirmed poor credential management had been the source of the breach. The attack is a reminder of the importance of good credential and password management, but also underlines the role of communications in crisis management – mixed messaging does no one any favours. The right incident response plan can be a big help in navigating this sort of crisis.
Australian companies scammed by education impersonator
Cybercriminals have hacked at least 12 Australian companies by compromising an online education provider. The attackers targeted construction and legal services in a sophisticated campaign that used the e-learning platform to host phishing infrastructure that sent links with fake Microsoft and Adobe login pages to the victims.
The phishing scam is believed to have been active since March 2021, with the scammers stealing credentials to access several organisations’ IT systems. Phishing scams have been growing more sophisticated in recent years and e-learning – a service that many companies outsource to third-party portals – is just one way hackers can trick unwary employees to give away data that can be leveraged in subsequent attacks. Awareness training is an obvious way to manage the threat, but it can’t prevent every incident, and should be combined with effective technical controls.
Iran has launched ransomware attacks on Australia – and more could be on the way
A report tabled in parliament has revealed that groups affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) have launched cyberattacks against Australia. The report, from the multinational Cybersecurity Advisory (CSA), of which Australia is a member, notes that two Iran-based organisations have attempted to steal or encrypt data for the purposes of extortion.
While the report notes that critical infrastructure in Australia and other nations is at risk from the groups, attacks appear to be fairly indiscriminate, with the threat actors “exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors”.
A spokesperson for Foreign Minister Penny Wong said, “Australia will continue to work domestically to keep Australians safe from foreign interference and with our like-minded partners to apply pressure on the Iranian regime over its egregious human rights abuses.” However, the federal government has so far stopped short of branding the IRGC a terrorist organisation. State-linked groups can be as opportunistic as other criminals: good cyber security is a must if you want to avoid becoming collateral damage in war’s newest frontier.
Guardian hack includes the salary details of over 100 Australian staff
A ransomware attack earlier this year on the Guardian compromised the personal details of 140 current and former employees of the media firm in Australia, despite the company’s initial belief that no Australian staff had been affected.
The attack, which was detected on 20 December, was initially believed to have only exposed the personal data of some UK employees. We now know that 140 Guardian Australia staff have been affected, although there is no evidence that their data was exposed online.
The ransomware attack is believed to have been profit-driven, rather than to have targeted the Guardian in response to its news coverage. Its website and newspaper have continued to operate as usual, although many staff are still working from home. Malware’s evolution into ransomware-as-a-service and cross-platform attacks has so far helped it stay ahead of police and regulators, although the right strategy – such as new approaches to threat monitoring – can mitigate the risk of attack.