Spike In Australian Cyber Attacks
Over the course of the last year, there were two major cyberattacks in Australia that made international news: one at Optus, one of Australia’s second-largest telecommunications companies, and one at Medibank, one of the country’s largest private medical insurance companies.
At Optus, it is believed that attackers stole, copied, or at least had access to the personal information of up to 9.8 million customers, which includes customers’ names, birth dates, home addresses, phone numbers, and in some cases, passport or driver's license numbers. Some of these records date back to 2017. Meanwhile, at Medibank, criminals were able to access the private health insurance and personal data of all of their 4 million customers. Although there must be some overlap, these two incidents – within just weeks of each other – compromised the data of close to half of Australia’s population.
These incidents were clearly the largest and worst but were by no means the only ones in recent memory. A report of the annual cyber threats for the 2021-2022 financial year – released in November 2022 but covering a period before both of these incidents – showed that the Australian Cyber Security Centre (ACSC) ‘received over 76,000 cybercrime reports, an increase of nearly 13 percent from the previous financial year. This equates to one report every 7 minutes, compared to every 8 minutes last financial year.’
More worryingly, however, while many attacks were on individuals, a large number targeted corporations and government agencies. Of those, some of the biggest threat actors are likely to come from state-sponsored organizations in Russia, China, and Iran.
Another report, released on 1 March 2023 and focusing on notifiable data breaches in Australia from July to December 2022, found that 70% of all data breaches stemmed from malicious or criminal attacks, with the rest from system or human error. This is a 41% increase from the previous reporting period, showing the continued brazenness of the attackers. Of the malicious attacks, the majority came from ransomware or phishing, with about a quarter coming from compromised or stolen credentials.
Backing up this data, the PwC Digital Trust Survey of senior executives from around the world found that in Australia, ‘cyber criminals [are] at the top of the list of threat actors most likely to significantly affect their organization in 2023 (67%), in line with global trends (65%).’ These cyber criminals tend to use all kinds of increasingly sophisticated ransomware, a form of malicious software (malware), to threaten to extract files or to deny access to computer systems until a ransom is paid.
Speaking in November 2022 after the release of the ACSC report and after the two major corporate breaches, Prime Minister Anthony Albanese said ‘it's a huge wakeup call and companies need to get their act together...we need to do much better.’ He then added that ‘the government has stepped up, [now] the private sector needs to step up in the interest of their customers but also their own interest.’
The good news is that for all the breaches and reported attacks, many more have been thwarted and many companies, individuals, and governments have begun to take the threats much more seriously than before, with appropriate protections in place. Whilst it is almost inevitable that there will be more cyberattacks, including large-scale ones like we saw last year, there is more that everyone can and should do to ensure that the threats of cyber incidents are taken as seriously as possible.