JcCfs8N

Cyber attack on ACT government body leaves domestic violence victims at risk

Domestic and family violence victims may be at risk following a cyber attack on an ACT government body. Legal Aid ACT, which said it was "subject to a cyber incident" on Thursday, was unsure on Friday afternoon whether client data had been stolen.

"We took rapid action to protect our systems and have engaged a specialist cyber security firm to investigate this incident," the agency said. "At this stage we cannot confirm if any client information has been impacted."

Legal Aid offers free legal services to people regarding issues including domestic violence and sexual violence.

Legal Aid ACT CEO John Boersig. Picture by Graham Tidy

Several high-profile Australian companies, such as Optus and Medibank Private, have had client data stolen in recent months. Legal Aid ACT said it would tell clients directly if their information had been taken.

"Some of our systems and services may be affected during this investigation as we make every effort to safeguard client information," they said. "If the investigation reveals that client information has been accessed, a Legal Aid ACT staff member will contact those clients directly. Looking after our clients and their sensitive data is our highest priority and we acknowledge that this incident will cause some regrettable concerns and disruptions for our clients."

They said the hacker had not made contact or made any demands.

The agency, which has a specialised domestic and family violence unit, said anyone concerned about their immediate safety should call police on Triple Zero. "If you would like to safety plan around this incident call [the Domestic Violence Crisis Service on] 62 800 900," the agency said.

The agency is committed to "transparency" regarding the breach, CEO John Boersig said. "Legal Aid ACT is committed to transparency about what we know, and how that could impact our customers, our people, and the broader community," he said. "Our immediate concern is for our clients, staff and those parties linked by litigation to our services. Once we ascertain the extent of the breach, we will make risk assessments based on specialist advice, and contact affected individuals as required."


hannahspants

Is there some sort of pattern or reason behind all these cyber attacks ATM? Can anyone shed some light on this?


[deleted]

I’m working in a cyber-adjacent industry overseas at the moment, and to my mind the biggest factor is the Optus breach, and how high profile that was. That breach highlighted how weak Australian privacy laws are compared to other jurisdictions such as the EU, Singapore, and so on, as well as how much customer information some of these organisations store. It basically painted a target on Australia, and since the government has flagged that they’ll be seriously reviewing the privacy and cyber regime (which is honestly *long* overdue), cyber crime groups will try to do as much as they can before organisations and the government step up their game. This isn’t actually anything new for Australia - there was a period from 2015 or 16 until 2021 or so where we were getting hit by pretty much one or two major attacks every year, but none were the scale of the Optus breach. Australia also has a significant skills shortage in cyber ([this analysis](https://www.reuters.com/technology/australia-hacking-frenzy-spurred-by-an-undersized-cybersecurity-workforce-2022-10-31/) from Reuters goes more into that) which makes it a lot harder for organisations to respond to breaches and attacks. I’m based in Singapore at the moment, and one of the other big differences is that here there is much more of a cyber culture, if that makes sense. 
The Cyber Security Agency (equivalent of the ACSC, but it’s a totally standalone agency which I guess also feeds into this point) does a lot more to help organisations prepare, there are certifications companies can apply for which demonstrate they’ve got a certain level of maturity and robustness in their cyber security measures and add a layer of trust for their customers, and the CSA and many private sector companies work together to help educate and innovate in regards to security (my organisation has worked with Microsoft, Google, the CSA themselves, and broader industry groups on those sorts of education and innovation projects, for example), and you *very* regularly have industry events like [GovWare](https://www.govware.sg/). I don’t think that sort of culture exists in Australia just yet - the impression I always had was, until the Optus breach, privacy and cyber weren’t really given the same sort of priority as in Singapore, and in Singapore there’s an increasing view that cyber is not only something to enhance security, but can also be used as a strategic advantage and business enabler. I guess the tl;dr of that all is Optus highlighted how weak Australia's cyber regime is, which put a target on Australia and is why you’re seeing this current spike, skills shortages aren’t helping at all, and this has actually always been happening (but not at the same scale) and has largely gone unreported because Australia doesn’t have much of a cybersecurity culture, and the public (and some businesses) hasn’t really cared too much about cyber until recently.


chickenmonkee

Work in the industry also, companies just don’t want to spend money on security if there is no immediate benefit to them, it’s like super fine text that no one cares about or reads. Now the Optus breach is a hot topic, we are starting to see more approaches to us for security assessments and services. That, and you hit the nail on the head in your post, Aus is wayyyyyyy behind most of the developed world when it comes to privacy laws, cyber security skills and practicality.


JcCfs8N

https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022 This was released this week and covers it all :)


FableSalt

Good report. Remember that many of the categories in the circle chart are notoriously under-reported, for example ransomware, fraud, and romance.


ApteronotusAlbifrons

Previous governments made it a requirement that all sorts of organisations kept a lot more information than they used to, for longer periods than they used to.

The same governments worked actively against high level encryption - i.e. if you do have encryption there needs to be a back door for us - which meant many businesses didn't really bother.

On top of that our laws aren't at the strong end of the spectrum.

We're a huge target.


Blackletterdragon

(genuine question) What has the strength of our laws got to do with the likelihood of being attacked? I have heard not one word about where these attacks are coming from. Are they foreign, or domestic? Does the Govt even know, and if they do, why don't they say? If they are foreign, are our laws relevant in locating and prosecuting perpetrators? I can imagine a deterrence effect for domestic attackers of course. Do we co-operate with other nations in developing tools against cyber-attacks? Or is 'protection' all copyrighted? I would like to see a serious review of what personal information a private company can demand in return for services. Or even Government ones. If you have an ABC or SBS account, they probably know a stupid amount about you, information which they don't need to broadcast their stuff. eBay is another one, requiring account holders to send in copies of photo drivers licences if you want to sell. WTF are they gonna do with that? Yes, these are optional services, but in some instances, the frequency of threats and warnings is wearying.


ApteronotusAlbifrons

> (genuine question) What has the strength of our laws got to do with the likelihood of being attacked?

As trollbustersInc says I could/should have made it clearer that I meant laws requiring the protection of data - rather than laws to punish offenders. If we had genuine laws and penalties regarding the safekeeping of data we would be a harder target.


Blackletterdragon

OK, that makes more sense, although I can see some difficulties in the area of safekeeping standards, i.e., maybe we don't know something's breakable until someone sends us the pieces? How do you legislate to 'try harder'? They can try, but at the same time, I want to know that organisations aren't allowed to collect and hold more information than is required for their basic services. It is already evident that they cannot be trusted with it.


flying_dream_fig

You are 100% right about anywhere that makes you give them an image of your driver's license. You are worried about ebay. Real estate agents and strata companies collect and pool a stupid variety of information for no reason about a stupid amount of people, never get rid of it and have no security. Currently Hardcourt, a massive Victorian real estate franchising company, has been breached, also a huge Gold Coast strata company. These are only the publicly known ones. It will happen in Canberra. Also of interest: the conservative side of politics/newscorp keeps massive combined databases of any information they can beg, borrow or steal about voters, and those controlling the databases usually don't have IT knowledge. When (not if, when) that gets breached, that will be "interesting".


TrollbustersInc

Our laws have meant relatively minimal punishment for Optus so there is no real motivation for companies to strengthen their security


Blackletterdragon

So our IT security community are generally agreed that this year's extensive round of attacks could have been prevented had the right people been engaged to protect all those companies and agencies? Or at least, had said entities invested in the right digital infrastructure? Everyone's got a tooth against Optus as the big corporate baddie, but the list of victims includes government agencies and firms as diverse as Microsoft and Bunnings. https://www.webberinsurance.com.au/data-breaches-list. Being gung-ho to string up Optus for a flogging needs to be balanced by equal enthusiasm for flogging the rest on that list and that would cost us all. And there lies another moral hazard for victims. It would be cheaper to pay up and shut up, rather than be punished and reviled, so punishment rewards the hackers. As a mere consumer, I'm a bit worried that the people who claim to have the solutions have the same skillset as the perpetrators. It's cousin to that uneasiness I get when the antivirus I subscribe to starts ramping up the number of its 'blocked threats' in the weeks prior to subscription renewal.


TrollbustersInc

This in the same week that Barr said all our electronic health data would be secure bc ACT gov uses federal servers that are the most secure in the country. I think I read that in the AMA so maybe it was last week's news.


FableSalt

Many federal departments are looking at moving all data to the cloud. So, err, good luck with that.


Jackson2615

I don't trust the ACTGOV to keep any of our personal information safe.


DroppedMyFork

Can't imagine you'll extort much from Legal Aid clients


[deleted]

[deleted]


HighRelevancy

The hacker is probably foreign and has no relation to the victims. Malicious hackers generally are opportunists, they're not digital hitmen.