A spate of high-profile attacks affecting millions of people has hit Australia and New Zealand. These unprecedented data breaches have led to increased government scrutiny, as well as a new look at what cybersecurity resilience and posture should be for companies housing sensitive and personal customer data.
The increase in cybersecurity attacks we’re seeing in these countries underscores the point that small businesses are just as much a target as enterprise companies. In fact, out of over 3 million businesses across New Zealand and Australia, approximately 98% are small to medium-sized businesses.
We’ll address what you need to know as a small to mid-sized enterprise (SME) about the recent cyberattacks, the potential regulations and oversight that are on the horizon for businesses in Australia and New Zealand, as well as how you can work to protect yourself from potential threats while still being compliant with any upcoming requirements.
Recent Cyber Attacks in New Zealand and Australia
In mid-March 2023, a privacy breach exposed over one million customer driver’s licenses of Latitude Financial, operator of several financial entities including Genoapay, GO Mastercard, Gem Visa, and Infinity Rewards.
In total, about 14 million records were taken from people in New Zealand and Australia. The breach started with an unauthorized user who signed in as an administrator and then engaged in abnormal administrator activities. Before Latitude ended the connection with an upstream service provider, this user had already logged into at least two other Latitude service providers and exfiltrated customer data.
One of the key takeaways from the breach, after uncovering that some of the data stolen was over 18 years old, is that personal information needs to have set retention schedules. As stated by Liz MacPherson, New Zealand’s Deputy Privacy Commissioner, “All businesses and organizations can learn from this: don’t collect or hold onto information you don’t need.” There is no reason for an organization to hold onto data for 18 years. While record-keeping standards vary by the type of information being collected, a general rule of thumb is to retain data for five years.
The breach was first reported on March 16, with Latitude estimating that about 328,000 users were affected. Since then, forensic analysis has revealed that the scope of the damage was significantly larger than first thought, with 6.1 million of the 14 million records being at least 10 years old. By retaining data for much longer than necessary, Latitude opened customers to unnecessary additional risk.
Managed Service Provider (MSP) Mercury IT was hit with a ransomware attack that impacted several public New Zealand organizations at the end of November 2022. A relatively small operation, Mercury had about 25 employees running IT services, including cybersecurity and support, for several New Zealand organizations, among them BusinessNZ, the Wellington Chamber of Commerce, and Business Central.
Outside of business-oriented organizations, the attack also impacted six health regulatory authorities. As a result of the ransomware attack, public entities were prevented from accessing core systems and important patient data. On December 21, 2022, the Privacy Commissioner announced a compliance investigation was underway in the case of the Mercury IT breach. The case is still under active investigation.
Optus, an Australian telecommunications company, announced in September 2022 that it had experienced a cybersecurity breach, exposing the personal information of 10 million customers. Stolen information included names, phone numbers, email addresses, dates of birth, addresses, and even passports and driver’s licenses for some people.
An unprotected and publicly exposed API was responsible for the breach. Because no username or password was required to facilitate a connection, it was easy for a hacker to infiltrate. Once accessed, the data was leaked on a hacking forum. Optus reported that payment details and account passwords weren’t included in the breach, and has since worked to secure the API and offer free identity theft protection and credit monitoring to affected users.
In November 2022, Medibank experienced a similar breach that exposed the information of 9.7 million customers. The incident was caused by a ransomware attack. Health claims of almost half a million users were also accessed. In response, the law firm Baker McKenzie filed a class action lawsuit against Medibank.
More recently, IPH, an intellectual property services provider, announced a breach that stemmed from unauthorized access to the document management system (DMS). In April 2023, they determined that an unauthorized third party accessed the data via a member firm, Spruson & Ferguson. Some client documents, administrative documents, and correspondence from the head office and two member firms were included in the data breach that cost the company $2 – $2.5M in 2023.
Fallout From Hacks and Reaction from Government Bodies
Unfortunately, these high-profile attacks don’t represent one-time issues. New Zealand reported 404 cyber incidents in the 2020/2021 year and 350 cyber incidents in the 2021/2022 period. Between July and December 2022, attacks rose by 67% compared to the first half of the year. An Australian firm, Webber Insurance, keeps an annual running list of hacks and has already shared news stories from 16 incidents so far in 2023.
Both Optus and Medibank were attacked in close proximity to each other in late 2022, with Optus being one of the largest data breaches Australia has experienced. Criminals have said that Optus was easy to hack (which has been denied by the company), but the attack has led to the government looking to levy additional fines and stricter requirements on cybersecurity and notices of breaches in the country.
The Minister for Home Affairs and Cybersecurity is launching new exercises to respond to attacks that impact critical infrastructure. They are planning to increase their focus on “hacking as a service,” cyber attackers, and extortionists that are financially motivated to breach and hack companies.
In an effort to combat the uptick of data breaches, the Attorney-General’s office of Australia has proposed a shortened time frame for organizations or agencies to report on hacks – from an undetermined amount of time to 72 hours. 116 recommendations were made by the department in January, including a suggestion that small businesses shouldn’t be exempt from the Privacy Act. The government is also setting up a cyber office that would work to develop a Cyber Security Act. These changes could have wide-sweeping implications for countless small businesses that may have little to no cybersecurity investment.
For businesses and people living and working in New Zealand and Australia, it’s clear that there are causes for concern. Companies feel like they could be targeted at any time, customers are on edge, and governments are working to update regulations so that both cybercriminals and the companies vulnerable to attack are held more accountable.
So what can SMBs do?
What SMBs in Australia and New Zealand Can Do
Cybersecurity breaches can affect businesses large and small, and governmental bodies are working to ensure that your business is up to snuff. As an SMB, it’s your responsibility to protect your clients and customers, but you don’t have to take it on all at once.
Focus on the basics of prevention
Every business needs some foundational cybersecurity elements to stop cyberattacks where they start. This includes assessments and training around ransomware, patching your most critical vulnerabilities across systems and applications, identifying aberrant user behavior, and protecting your email, endpoints, and DNS, to name a few.
Extend beyond antivirus and traditional cybersecurity
The threat of cybersecurity breaches is not only real, it’s growing; and the risks can’t be ignored. Traditional measures used by SMBs, like antivirus, no longer protect organizations from the most prominent threats.
Small businesses simply can’t rely on crossing their fingers and hoping that cyberattacks won’t happen to them. Organizations of all sizes are vulnerable to ransomware, data breaches, and other forms of cybercrime. Knowing how to identify vulnerabilities, addressing them when they appear, and constantly updating your practices as new threats arise, must become essential parts of building up your security posture.
By taking proactive steps to protect your business – educating employees, employing detection and response methods, planning for remediation and recovery, and investing in cybersecurity technologies – you can reduce the likelihood of a breach and minimize the damage in case one occurs. This requires investing in efforts to monitor and detect, as well as the capabilities to respond appropriately to potential compromises.
Find a partner to take on the heavy lifting
All of these additional responsibilities may seem overwhelming to smaller businesses, but there is a solution. If you lack the expertise and resources to employ foundational pieces in-house, a security-focused partner can provide a fully managed security program, inclusive of all the tools and support you need to help you stay compliant and protected.
Partnering with managed security solution providers like SolCyber is an excellent option for small to mid-sized businesses. We can act as outsourced members of your team, augmenting or filling the role of IT staff in your organization. At SolCyber, we work as an extension of your team, providing a dedicated crew that responds actively to threats, ensuring detection and response are in play. Additionally, our monthly briefings enable you to better understand who is targeting you and how your protection is improving over time.
With SolCyber, you can get started quickly, receive technology and support from the same vendor, have access to simple subscription-based pricing, and be fully protected in less than 30 days. Let’s talk!