October is Cyber Security Awareness Month, and the timing of this annual focus on staying secure online couldn’t be more pertinent given the very recent cyberattacks on Optus, Uber, Medibank Private and Woolworths MyDeal, to name just some of the biggest hacks that have hit the headlines.
Telecoms giant Optus reported one of the most serious privacy breaches in Australian history in late September, with the theft of nearly 10m current and former customers’ personal data. This data included Medicare details, driver’s licences and passports, all of which increase the risk of an individual becoming the victim of identity theft.
The data appears to have been accessed via an unsecured API, so, unfortunately, Gartner’s prediction that by 2022 API attacks would become the most frequent attack vector, causing data breaches for enterprise web applications, appears to be coming to pass.
Optus have been focused on remediating a situation that we all dread. They have been proactive in their communications and in taking steps to support and protect affected customers, including paying for a 1-year subscription to Equifax Protect, the credit monitoring service, and covering the cost of replacement driver’s licences. However, the reputational and financial damage associated with an attack of this size will impact the organisation for a long time to come, which will no doubt be music to Telstra’s ears.
Just a week earlier, Uber found itself in the midst of a cyberattack, with an 18-year-old hacker going undetected until he announced himself on Uber’s Slack. In this instance, the hacker relied on MFA (multi-factor authentication) fatigue, a growing problem for the cyber security industry, where the attacker floods a user’s authentication app with push notifications in the hope that they will eventually accept one, thus giving the attacker access to the account or device. From there, the hacker easily accessed highly privileged security accounts and key external resources, such as AWS, Google Workspace and Slack, because the programs Uber used to access these contained their passwords, compromising the entire organisation.
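The push-fatigue pattern described above leaves a clear trace in MFA provider logs: a burst of push prompts to one user in a short window, often ending in an approval after a run of denials. The following Python is an added example (not code from the original post or from any of the companies mentioned) that flags such bursts; the key=value log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log lines in a hypothetical key=value format (not a real vendor's).
SAMPLE_LOG = """\
2022-09-15T02:10:05Z user=alice action=push result=denied ip=203.0.113.7
2022-09-15T02:10:41Z user=alice action=push result=denied ip=203.0.113.7
2022-09-15T02:11:20Z user=alice action=push result=denied ip=203.0.113.7
2022-09-15T02:12:03Z user=alice action=push result=denied ip=203.0.113.7
2022-09-15T02:13:30Z user=alice action=push result=approved ip=203.0.113.7
2022-09-15T02:15:00Z user=bob action=push result=approved ip=198.51.100.9
2022-09-15T09:00:00Z user=bob action=push result=denied ip=198.51.100.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=push result=(?P<result>\S+) ip=(?P<ip>\S+)$")

def parse(log_text):
    # Returns (timestamp, user, result, ip) tuples; lines that do not match are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["result"], m["ip"]))
    return events

def _approved_after_denial(burst):
    # True if an approval follows at least one denial in the burst: the sign the user gave in.
    results = [r for _, r, _ in burst]
    return "denied" in results and "approved" in results[results.index("denied"):]

def detect_push_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Flag users who got at least `threshold` push prompts inside any `window`-long span."""
    by_user = defaultdict(list)
    for ts, user, result, ip in sorted(events):
        by_user[user].append((ts, result, ip))
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):  # sliding window over the user's time-ordered prompts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(user, {}).get("prompts", 0):
                burst = evs[start:end + 1]
                alerts[user] = {"prompts": count, "approved_after_denial": _approved_after_denial(burst),
                                "source_ips": sorted({ip for _, _, ip in burst})}
    return alerts
```

Tune `threshold` and `window` to your own baseline; an `approved_after_denial` alert is the one that warrants an immediate session revocation and a call to the user.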
In the last week alone, Medibank Private and Woolworths MyDeal have fallen foul of cyberattacks. In both instances the companies have been on the front foot, reporting the event to the Australian Information Commissioner and notifying and working with customers to remediate any fallout.
Our takeaways
- Cyber resilience should be a focus for all Australian organisations at every level, from the Board to the front line
- Cyberattacks can take many forms. Not only do company systems need to be secure and monitored, but staff need to be equally well trained and on their guard
- All organisations should have a cyber security incident response plan so they can identify, eliminate and recover from attacks in an efficient and coordinated manner
- Customers trust companies to be custodians of their data, and those companies have a duty to protect it