The First Major Breach Of 2019 and What This Australian Story Teaches Us
By: Orhan Yildirim
The first data breach of the year happened on January 1, when the private data of 30,000 Australian civil servants was stolen in an email phishing attack.
The incident occurred when a directory was downloaded by an unauthorized third party after a government employee received a phishing email, and while no financial information was compromised, the stolen data included names, work emails, phone numbers and job titles.
There has been some speculation in the media that a former employee may have been associated with the attack. Had that person’s credentials been revoked, and had Multi-Factor Authentication (MFA) been in place as part of a robust Privileged Access Management program, forcing the employee to authenticate with a hard token and a mobile device application, the entire breach could have been avoided.
And while the scope of this breach is small compared to attacks on Facebook, Marriott Hotels, the Intercontinental Hotel Group, Under Armour and many others, it is important to understand that even in government systems, often the most highly secured, valuable private information can be acquired and exploited across large groups of employees when privileged access management is not practiced continually.
This month, Australia’s Notifiable Data Breach (NDB) scheme will have been in place for one full year. Its rules are less stringent than those under GDPR, which applies to firms handling the data of European consumers, and given the New Year’s Day breach, lawmakers are revisiting the regulations.
In Australia, unlike Europe, small firms are exempt unless they handle government contracts, credit reference, or health-related data.
Australian regulations are set at A$3 million annual revenue as the threshold for reporting.
Additionally, there is a one-month reporting timeframe for confirmed breaches, instead of the three days that apply under GDPR. And breaches are only notifiable if they are likely to cause “serious harm,” which is more subjective and open to debate than the more stringent GDPR rules.
The Office of the Australian Information Commissioner (OAIC) recently released statistics which cover the last three months of 2018, revealing that 262 data breaches involving personal information were reported in the last quarter of the year.
The report said the leading cause of notifiable data breaches in Q4 2018 was a malicious or criminal attack (168 notifications), followed by human error (85 notifications), and system error (nine notifications).
Phishing and brute-force attacks made up most of the criminal attacks.
The top three sectors to report breaches in Q4 2018 were private health service providers (54), finance (40), and professional services firms (23).
Attacking the Australian government seems to be a trend: a second breach was reported a little over a month after the first, when the Australian Parliament Network was hacked, though with no evidence that any data was compromised.
All users were ordered to reset their passwords as a precaution.
“Following a security incident on the parliamentary computing network, a number of measures have been implemented to protect the network and its users,” Tony Smith, speaker of the lower House of Representatives, and Scott Ryan, president of the upper house, the Senate, said in a joint statement.
The Australian Signals Directorate, as well as the Department of Parliamentary Services, are probing the intrusion, according to Australian media reports, and while no attribution has been forthcoming, security experts quoted in media reports have suggested that only a nation-state could guess parliamentarians’ passwords.
Beyond personal password policies, the Australian government and all governments can benefit from state-of-the-art access management policies and programs, including the Privileged Access Management solutions ironsphere provides to large enterprises and service providers.
Our secure access management solution has a built-in MFA server, which is pre-integrated with other modules, including session manager, password manager, database access manager and others, and which can also be integrated with 3rd party external systems such as remote VPN servers, file transfer servers, applications, and more.
Working harmoniously within our PAM architecture, our MFA software:
- Makes system passwords invisible to staff and applications, keeping them secure
- Logs and video-records privileged sessions to critical systems for audit and forensic purposes
- Enforces policy transparently in real time to segregate duties and eliminate excessive privileges
You can learn more here or contact us to discuss how your organization can benefit from our feature-rich and easily integrated enterprise security offerings.