Australia Cybersecurity Gets Major Overhaul After Devastating 2022 Attacks

After a pair of high-profile data breaches in 2022, Australia's cybersecurity landscape has undergone a significant transformation. A recent survey commissioned by American security company Commvault found that Australian businesses have recovered much more quickly from cyberattacks over the past year, thanks to improved preparedness and tighter government regulations on security.

The 2022 attacks highlighted major weaknesses in security and caused extensive damage. The first victim was Optus, one of Australia's largest telecom companies. In September 2022, hackers stole a massive trove of customer data from the company, including driver’s license numbers and government ID numbers. A significant number of Optus' millions of customers were affected by the breach.

Optus offered credit protection to its customers in the aftermath and provided assistance with changing identification numbers that might have been compromised. However, the attack led to a major cybersecurity wake-up call for Australia.

The second attack came a month later and targeted Medibank, a private health insurance firm. Medibank's servers were infected with ransomware, and hackers threatened to release confidential medical records for millions of clients if they were not paid. The perpetrators, identified as a Russian "ransomware for hire" group called REvil, demanded one dollar for each of the company's 9.7 million customers.

Medibank did not pay the ransom, and an Interpol investigation was launched. In January 2024, the governments of Australia, the United Kingdom, and the United States announced sanctions against the prime suspect, a 33-year-old Russian national named Aleksandr Gennadievich Ermakov.

Analysts found that the Optus hack was accomplished through an unsecured Application Programming Interface (API), a forgotten back door left wide open on the Internet that allowed the attackers to stroll right into the system. Once inside, the thieves discovered that Optus' customer database was structured in a way that allowed them to extract it quickly and easily.

Medibank did not require its employees to use multi-factor authentication, which left no defense against an attacker who obtained the username and password of a legitimate user. Multi-factor authentication requires a second proof of identity beyond the password, so a stolen password alone is not enough to log in.

In Medibank's case, the hackers struck gold by finding that one of the company's IT service desk operators had saved his username and password in the web browser on his work computer. That computer was configured to synchronize browser data automatically, so it duly copied his saved login credentials to his home computer, which was later compromised by malware.

Making matters worse, the compromised employee had administrator-level access to much of Medibank's network. The company's security tooling swiftly detected the intruder, but the alert was never escalated and no security response was triggered, allowing the hacker to lurk in the system for almost two months and make off with over 500 gigabytes of sensitive data.

The double sucker punch of the Optus and Medibank hacks led to a flurry of new Australian government regulations on cybersecurity. These regulations cracked down on all the lapses in authentication and security response that occurred in the two high-profile cases. Companies were also required to report data breaches to the government and the public more quickly.

According to Commvault's survey, companies in Australia and New Zealand are now responding to cyberattacks and recovering from the damage 38 percent faster than they did last year. The average recovery time is now 28 days, down from 45 days in 2023. While this is still behind the global average of 24 days, experts attribute the improvement to increased awareness among organizations and enterprises.

"I do put that down to the fact that organisations and enterprises are getting more aware," said Commvault Asia-Pacific Vice President Martin Creighan. "I also put it down to the fact that the regulators are being more stringent and more strict on what their requirements are."

However, not all news is good. Commvault's survey found that less than a third of Australian firms were capable of responding effectively to a cyberattack, and 12 percent had no formal response plan at all.

Many industry observers grumbled that Commvault's survey merely proved that Australian firms – and quite a few others around the world – will only take cybersecurity seriously when they are compelled to do so. Creighan argued that corporate interest in security picked up after 2022 because executives were "worried about the regulation landscape."

Cynics, however, argue that much of this worry stems from company brass realizing they could be held personally liable for massive cyberattack damages. They also fear Australia waited much too long to get serious about security while companies in other countries spent decades building formidable defenses and training their employees in best practices.