Published on the 14/02/2019 | Written by Pat Pilcher
Foreign governments implicated in attempted breach…
Australia’s security agencies say a cyber breach of the Federal Parliament is likely the result of a hack by a foreign government. While speculation quickly focused on whether China was involved, no evidence of data theft or the origins of the cyber-attack has surfaced.
Sources indicate that the data breach was quickly detected, and the Australian Signals Directorate is working to secure the network.
Australian Prime Minister Scott Morrison confirmed that no Federal Government departments or agencies were targeted in the attack, but he was unable to provide any additional details. ABC Australia subsequently confirmed that the computer systems of ministers and staff were not affected, while backbenchers, the Opposition and crossbenchers have been impacted.
“The OAIC report shows 262 data breaches in the Oct-Dec quarter, with most being the result of malicious or criminal attacks.”
While this cyber-attack may be big news because the Federal Parliament was the target, the most recent quarterly report from the Office of the Australian Information Commissioner (OAIC) shows that data breaches are becoming an increasingly common feature on the Australian digital landscape.
The latest report lists 262 data breaches in the October to December quarter, up significantly on the 114 data breach notifications the office received for the entire 2016-17 year (bearing in mind the notifiable data breach scheme has only been in force since last February). Most notifiable data breaches in the December quarter were the result of malicious or criminal attacks (168 notifications), with data breaches from human error accounting for 85 notifications, followed by systems errors which accounted for just nine notifications.
According to the OAIC, examples of a data breach can include when a device containing personal information is lost or stolen, or when a database containing personal information gets hacked, or if personal data gets provided to the wrong person in error.
The notified data breaches listed by the OAIC are just the tip of a sizeable iceberg as the Notifiable Data Breaches scheme only requires that breaches be notifiable when they could result in harm caused by the stolen data, or if the affected organisation has a turnover of AU$3 million or greater. Small businesses can still be required to comply, but only if they handle sensitive health documents or government contracts. Because of this, it is possible that many other breaches have either gone unreported or undiscovered.
Much of the malicious or criminal activity involved was a result of compromised usernames and passwords, which were obtained either via phishing or brute-force attacks. Australian Information Commissioner and Privacy Commissioner Angelene Falk says organisations and individuals should secure personal information by safeguarding their credentials.
“Employees need to be made aware of the common tricks used by cyber-criminals to steal usernames and passwords,” Falk says.
The OAIC has published guidelines for protecting data as well as information on how to deal with a data breach.
A key recommendation of the OAIC is moving quickly. If a data breach occurs, early notification can help those affected take action to prevent further harm. The OAIC also says that those affected should change passwords and keep an eye on financial statements, as well as watch for scams using their personal information.