Following a spate of cyberattacks and data breaches affecting millions of Australians, the government‘s cybersecurity minister this week announced the formation of a task force that will hunt down hackers and said she is contemplating a ban on ransomware payments.
Australia Cyber Security Minister Clare O’Neil announced the formation of the Joint Standing Operation task force, which brings together experts from the Australian Federal Police and the Australian Signals Directorate.
The task force merges domestic police and foreign intelligence resources to provide assistance to victims and also to take down international cybercriminals. The Joint Standing Operation will “investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups,” according to a joint news release.
On Saturday, O’Neil reiterated that this task force is a way of “Australia standing up and punching back.”
“What they will do is scour the world and hunt down the criminal syndicates and gangs who are targeting Australia in cyberattacks and disrupt their efforts,” whether they’re in Russia or other countries, O’Neil announced on Twitter.
Some states in the United States have already banned ransom payments, and Arizona, New Jersey, New York and Texas are considering bans in the coming days to discourage attackers.
But banning ransom payments could have “terrible consequences,” experts warn. State agencies could end up paying more taxpayer money to recover and update systems after an attack, says Alan Brill, senior managing director in the cyber risk practice at Kroll consulting group (see: As States Ban Ransom Payments, What Could Possibly Go Wrong?).
Early next year, Australia is set to host a virtual international counter-ransomware task force as part of a global Counter-Ransomware Initiative. The initiative, hosted by the Department of Home Affairs Cyber and Critical Technology Coordination Center, will drive international cooperation and joint efforts to tackle the ransomware menace.
The government also aims to pass tougher privacy laws that will include harsher penalties for serious data breaches. “This will provide a strong incentive for companies and large organizations to do better to protect the data of their customers and prevent future breaches,” the government says.
In a proposed amendment, noncorporate entities will face a maximum penalty of up to AU$2.5 million for breaches. For corporations, the penalty will be three times the value of any benefit obtained through the misuse of the information, 30% of a company’s adjusted turnover in the relevant period, or AU$50 million – whichever is greater.
The current maximum civil penalty for noncorporate entities is AU$444,000, and the maximum for corporate entities is AU$2.22 million.
Latest on Medibank
The announcements follow several high-profile breaches in the last two months. One breach against the country’s largest private health insurer, Medibank, affected 9.7 million current and past customers.
On Tuesday, a Medibank spokesperson told Information Security Media Group that additional employee data was affected in the breach. An Excel spreadsheet containing the names of nearly 900 current and former employees was posted on the dark web, the spokesperson confirmed.
The leak site exposed employee names, email addresses, mobile phone numbers and device information, including the asset number and mobile equipment identity number.
In the health insurer’s annual general meeting, Medibank’s top executives defended their decision to not pay the ransom. They estimate, however, that up to AU$35 million of pretax, nonrecurring costs will affect earnings in the first half of 2023.
Class Action Lawsuit on the Horizon?
Two law firms are investigating potential class action lawsuits on behalf of customers affected by the breach. Bannister Law Class Actions and Centennial Lawyers launched one such initiative last week, and attorney Maurice Blackburn launched another after that.