Ransomware rise a concern: Privacy Commissioner

Data breaches arising from ransomware incidents increased by 24 per cent in the first half of the year, prompting Australia’s Privacy Commissioner to warn that such attacks “are a significant cyber threat” that may be under-reported.

The Office of the Australian Information Commissioner (OAIC) received 446 data breach notifications from January to June this year, according to its latest notifiable data breaches report, with 43 per cent resulting from cyber security incidents. Of the 445 total breaches, 46 were from ransomware, up from 37 notifications in the last reporting period.

Angelene Falk
Privacy Commissioner Angelene Falk.

Since the notifiable data breaches scheme began in February 2018, health service providers and the finance industry have consistently reported the most data breaches compared to any other industry sector. In the first half of this year, that trend remained the same, with health service providers reporting 85 data breaches. The second largest source of notifications was from the finance sector with 57 followed by legal, accounting and management services with 35, and the Australian government and the insurance sector with 34 breaches each.

The rise in ransomware attacks comes as the federal government considers implementing a mandatory ransomware reporting scheme, where organisations that pay criminals to recover their files would be required to report this activity to the government. No government bill exists yet, but Labor’s Tim Watts is separately pushing his own that would require the same thing.

Privacy Commissioner Angelene Falk said the increase in ransomware incidents was cause for concern.

“We know from our work and from the Australian Cyber Security Centre that ransomware attacks are a significant cyber threat,” Commissioner Falk said.

“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.

“We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”

Australian security expert Troy Hunt, who runs the popular haveibeenpwned.com website, said ransomware had been around for decades, with the PC Cyborg Trojan in 1989 considered among the first. What had resulted in a rise in its use in recent times was a change in the business model of criminal enterprises and the way they had begun monetising stolen data.

“I think one of the main driving factors is just simply return on investment,” Mr Hunt said of ransomware. “It’s just proven to be an enormously efficient way of monetising malicious software because, unfortunately, it does make good business sense to pay [a ransom].”

Another reason it was becoming more popular was because of the types of ultimatums criminals were issuing to victims, resulting in new income streams.

“It’s no longer just a ransom in terms of attacks against availability, where your files are locked and you need to pay for a key, but it’s also ransom with the threat of disclosure [of the stolen data].”

One other “alarming” way criminals were pivoting, Mr Hunt said, was by not only demanding ransoms from companies attacked but by using personal information inside a data breach to demand ransoms from individuals whose data has been stolen. Vastaamo, a now-bankrupted Finland-based private psychotherapy practice, was the target of such an attack, where patients were contacted and asked to pay ransoms or else have their private patient files published.

Mr Hunt said he expected sectors that remained at the top of the reporting list to be there because they were “heavily regulated” industries that were used to their reporting obligations under the law. This didn’t necessarily mean that they were the industries most impacted by known breaches, he said.

In the first half of the year, the OAIC was also notified of a number of data breaches resulting from impersonation fraud, which involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location. There were 35 notifications of social engineering or impersonation fraud during the reporting period.

“The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” Commissioner Falk said.

“We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm.

“Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”

In May, Home Affairs secretary Mike Pezzullo said he believed it was “likely” a mandatory ransomware reporting scheme would be rolled out soon.

“I think…most advanced economies are at a point, whereby some means, whether it’s mandatory reporting combined with other measures, that a much more active defence posturing is going to be required simply because of the prevalence of the attacks,” Mr Pezzullo told a Senate Estimates hearing.

While human error breaches decreased after a significant increase last reporting period, Commissioner Falk said entities need to remain alert to this risk, particularly the Australian Government where 74 per cent of breaches fell into this category.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories