Data breaches at scale: The implications for law firms
The Optus and Medibank cyber breaches should serve as a warning to law firms that they must identify their cybersecurity threats and develop a response plan in the event of such an attack, writes Simone Herbert-Lowe.
If there was still anyone out there who thought of cyber risk as a niche IT risk rather than a whole-of-business risk, that can surely no longer be the case after the 2022 breaches of information security involving Optus and Medibank.
When the Optus hack was announced, it appeared to be the most serious data breach in Australian history, with almost half of Australia’s adult population being affected by the release of personal data.
For up to 2 million Australians, that data included identity information such as passports, drivers’ licences and Medicare numbers totalling more than 100 points of identification, which translates to sufficient information to apply for bank accounts, credit cards and loans. The incident has potentially exposed the victims – Optus’s customers and former customers – to serious identity fraud.
At the time of writing, however, this breach has been eclipsed by the even more devastating news that the Russian hacking group behind the Medibank breach has dumped 6.5 gigabytes of stolen data in a file, which it has described as the entire cache.
At least 9.7 million Australians have been caught up in the Medibank breach, with the hackers releasing sensitive information about the health insurer’s customers, including medical histories detailing drug addiction, sensitive medical procedures and mental health diagnoses.
Law firms should not be complacent. The type of information exposed in these two breaches is routinely collected by law firms, particularly when carrying out identity verification. So, they should have a reporting plan in the event of a breach.
There is no doubt that in both the Optus and Medibank cyber events, the companies were required to report their breaches to the impacted people and to the Office of the Australian Information Commissioner on the basis that these amounted to Notifiable Data Breaches within the meaning of the Privacy Act 1988.
For entities with annual turnover of more than $3 million, the Act requires mandatory notification of data breaches involving personal information where there is a likelihood of serious personal harm to an individual to whom the information relates.
How did these breaches occur?
Both companies have declined to publicly reveal full details as to how the incidents occurred, understandably wanting to limit any exposure to further similar cyber incidents and no doubt being mindful of their legal implications.
The following descriptions are based on a range of media articles and public statements, full details of which have not been confirmed by either Optus or Medibank.
It appears that the Optus breach occurred following a project which saw the developers having access to all customer data. Once the project ended, a hacker was able to access the information via the internet because of a failure to close off an API, or application programming interface, which allows two software systems to talk to each other.
While this was initially described as a “sophisticated” cyberattack by Optus’ CEO, this description was refuted by Australia's cyber security minister, Clare O'Neil. Based on what we know at the date of writing, the breach might have been avoided had a subsequent, independent audit team reviewed the closure of the project.
The Medibank breach, on the other hand, reportedly occurred when the hackers were able to access all of Medibank’s records via compromised login credentials held by a person with high-level network access privileges.
One media report suggested that the hackers were able to access the system via a password stored in a single individual’s browser on a computer which was accessed remotely. This suggests that two-factor authentication – such as a code, token or authenticator app which would have prevented further access – had not been used or activated.
Importantly, it appears that neither of these incidents occurred through the “typical” method of a phishing email, which is often the sole focus of many businesses’ cyber-education programs. As noted above, however, details of the initial point of vulnerability have not been revealed by the companies involved.
Law firms in the danger zone
Both incidents involve cyber extortion, or the threat to publish confidential information if a ransom is not paid. With these cases, the organisations declined to pay the ransom, but with many other cyber events, ransoms are paid by organisations either to protect their own business from reputational damage, or to prevent harm to their customers and others.
Some Australian law firms and their service providers have been impacted by ransomware and have needed to make a call on whether to pay a ransom. The upshot is that such a scenario is no longer a theoretical risk.
The Australian Government, like most governments around the world, has always taken a firm position that ransoms should not be paid in order to avoid ‘feeding’ the cyber-extortion business model, and in some cases payment of a ransom can be illegal. However, vexed ethical and moral issues can come into play.
Is it more important to honour a blanket public policy objective designed to discourage cyber extortion (a business model which in any case is now highly successful and rampant)? Or is it more important for a business to honour the trust placed in it by its customers who have provided access to their personal data in good faith, especially in cases involving highly sensitive personal information? With the latter scenario, a breach could potentially lead to ongoing psychological, emotional and/or financial consequences for any affected individuals.
The Optus and Medibank incidents also clearly show yet again that you do not need to be a target to be a victim of cybercrime. Alarmingly, there may be many Australians suffering from psychological and emotional distress as a result of these events, which, based on media reports, may not have involved sophisticated attacks at all. Rather, the breaches may potentially have involved fairly basic failings in cybersecurity processes given the sensitivity of information held by both organisations.
Optus and Medibank were clearly the victims of serious crimes and should not be regarded as the key wrongdoers in this scenario. However, Australian businesses that collect sensitive information from people must do better in protecting that information.
Given lawyers’ duty of confidentiality, not only to clients but others involved in legal matters, this will apply even more to law firms. The Optus and Medibank breaches, therefore, should be a wakeup call for law firms.
They should now consider the risk of cybercrime as a standard and predictable business risk for which they must be prepared.
Simone Herbert-Lowe is a director of Law & Cyber. She acts for businesses and individuals impacted by cyber events, has provided written expert opinion in legal proceedings and is the author of the online, CPD-eligible courses Cyber Risk for Law Firms and Cyber Risk in the Property Industry.
For better cyber-risk mitigation, the Australian Government advises these 10 points:
1. Back up your data
Backing up your business’s data and website will help you recover any information you lose if you experience a cyber incident or have computer issues. It’s essential that you back up your most important data and information regularly.
2. Secure devices and data
Ensure you configure your operating system and security software to update automatically. Updates may contain important security fixes for recently discovered viruses and attacks. Most systems allow you to schedule these updates after business hours, or at another more convenient time.
3. Encrypt important information
Make sure you turn on your network encryption and encrypt data when stored or sent online. Encryption converts your data into a secret code before you send it over the internet. This reduces the risk of theft, destruction or tampering. You can turn on network encryption through your router settings or by installing a virtual private network (VPN) solution on your device when using a public network.
4. Ensure you use multi-factor authentication (MFA)
MFA is a verification security process that requires you to provide two or more proofs of your identity before you can access your account. For example, a system will require a password and a code sent to your mobile device before access is granted. MFA adds an additional layer of security to make it harder for attackers to gain access to your device or online accounts.
5. Manage passphrases
Use passphrases instead of passwords to protect access to your devices and networks that hold important business information. Passphrases are passwords that consist of a phrase, or a collection of different words.
6. Monitor use of computer equipment and systems
Keep a record of all the computer equipment and software that your business uses. Make sure they are secured to prevent unauthorised access.
7. Put policies in place to guide your staff
A cybersecurity policy helps your staff to understand their responsibilities and what is acceptable when they use or share data, computers and devices, emails and internet sites.
8. Train your staff to be safe online
Your staff can be the first and last line of defence against cyber threats. It’s important to make sure your staff know about the threats they can face and the role they play in keeping your business safe. Educate them about maintaining good passwords and passphrases; how to identify and avoid cyber threats; what to do when they encounter a cyber threat; and how to report a cyber threat.
9. Protect your customers
It’s vital that you keep your customers’ information safe. If you lose or compromise their information it will damage your business reputation, and you could face legal consequences.
10. Consider cyber security insurance
Consider cyber insurance to protect your business. The cost of dealing with a cyber-attack can be much more than just repairing databases, strengthening security or replacing laptops. Cyber liability insurance cover can help your business with the costs of recovering from an attack. Like all insurance policies, it is very important your business understands what it is covered for.