Australian Clinical Labs hack alleged to have resulted in more than 200,000 health records and credit card details being published on dark web
Medical testing company Australian Clinical Labs had “serious and systemic failures” that resulted in a cyber-attack that led to more than 200,000 customer health records and credit card details being published on the dark web, the Australian information commissioner has alleged.
In October last year, in the midst of the Medibank and Optus cyber-attacks, Medlab’s parent company, ACL, confirmed it had been the victim of a cyber-attack eight months earlier in February.
The hacker group responsible – known as Quantum – was able to exfiltrate 86GB worth of data, including customer passport information, health information, and credit card details including number, expiry date and CCV.
The data had been published on the dark web on 16 June last year, four months before ACL publicly confirmed the attack.
This month, the Office of the Australian information commissioner (OAIC) took ACL to court over its failure to protect customer data during the breach. The OAIC’s concise statement, released last week, alleges significant failures by the company to protect customer data and inform the commissioner about the breach when required.
According to the documents, within four hours from the time the first employee noticed the ransomware message on a desktop computer in Medlab, it had spread to other computers in Brisbane and Sydney, which were then encrypted by the attackers.
ACL, which generated revenue of almost $1bn during the 2022 financial year, did not have a dedicated cybersecurity team, the documents state. Its response was led by an IT team leader, overseen by ACL’s CIO and head of technical services, but the OAIC alleges none of these staff had formal cybersecurity qualifications or experience in responding to a cyber-attack.
The head of technical services provided the IT team leader with the company’s playbook for ransomware and malware, but the IT team leader had not been trained to use these books, and OAIC alleges critical steps in the playbook were not followed, including analysing the ransomware.
The company then brought in a third-party company, StickmanCyber, to assist in the response. The OAIC found that monitoring agents were only deployed on three of the at least 121 computers infected with ransomware.
StickmanCyber’s short engagement with ACL, including reviewing one hour of firewall logs and dark web scans, concluded at the time no data had been taken.
By 21 March 2022 the IT team leader, after a conversation with the company’s general counsel, sent an email stating “as per information available to the IT department there was no unauthorised access, disclosure, or loss of any personal information … as a result of the incident”. The company did not inform the OAIC about the attack.
On 25 March, the Australian Cyber Security Centre (ACSC) informed ACL it had intelligence that Medlab may be a victim of a ransomware attack, and reminded ACL of its notification requirements. ACL did not investigate further, OAIC alleges.
ACSC alerted ACL again on 16 June that data had been published to the dark web. It would take the company nearly one month (10 July) to inform the OAIC, which OAIC alleges is in breach of the act. ACL would take until October to announce the breach publicly.
The OAIC alleges ACL was “aware of serious deficiencies in its cybersecurity framework” at least nine months before the cyber-attack, and did not take appropriate steps to protect personal information.
The OAIC said the failures were “serious and systemic”, noting that ACL’s IT budget was $1.3m in 2022, with a cybersecurity budget of $350,000 – “significantly lower than that of industry standards”, the OAIC alleges.
The OAIC is seeking civil penalties and costs.
A spokesperson for ACL said the company is “vigorously defending the action”.
The case continues.
The OAIC is still investigating Optus and Medibank over cyber-attacks last year, which could lead to similar court action against the two companies.
Source: The Guardian
Australians will see more of these so-called failures with regards to their 'private and confidential' data, where only huge fines may wake up corporations to better protect their 'consumers'' data.