Security and Risk Management
There is a noticeable increase in the occurrence of data intrusions within the financial and healthcare
sectors in Australia. The Australian government is currently revising its cybersecurity frameworks and
policies to strengthen resilience against nation-state threat actors and thereby disrupt this adverse
trend.
In the past 4 years, numerous data breaches have occurred in Australia, and several of them affected many
users. Table 1 compiles noteworthy data breaches that have occurred in recent years.
Table 1: Major Data Breach Incidents in Australia
Company Name                     Date of Impact
Latitude                         March 2023
Medibank                         December 2022
Optus                            September 2022
Eastern Health                   March 2021
Northern Territory Government    February 2021
Canva                            May 2019
Australian Parliament House      February 2019
Approach Analysis
You are required to choose one of the data breaches from the list above in Table 1 and create a report
on it. Your report must include the following information.
1. Detail of the Attack:
This section of your report should include the elements below.
• What was the attack? What vulnerability was exploited?
• Was the vulnerability already known? When did it happen?
• Were any controls implemented against the vulnerability, and was it
exploited despite them?
2. Analysis and Action:
This section of your report should include the elements below.
• When and how did the target find out about the attack?
• For how long was the risk not actioned?
• Did the organisation have a risk assessment policy and procedure?
Sample Solution
Data Breach Report: Optus (September 2022)
1. Detail of the Attack
- What was the attack? What vulnerability was exploited? The nature of the Optus data breach remains under investigation, but it is believed to be a cyberattack that exploited a vulnerability in Optus' systems. The exact vulnerability is not publicly known.
- Was the vulnerability already known? When did it happen? There is no official confirmation on whether the vulnerability was previously known. The attack itself occurred in September 2022.
- Were any controls implemented against the vulnerability, and was it exploited despite them? It's impossible to say definitively without more information. However, the fact that a successful attack occurred suggests that existing controls may not have been sufficient or properly implemented.
2. Analysis and Action
- When and how did the target find out about the attack? The exact timeline is unclear, but Optus publicly acknowledged the data breach on September 21st, 2022. It's likely they became aware of the intrusion internally before the public announcement.
- For how long was the risk not actioned? Again, the exact timeframe is unknown. However, the successful attack indicates that the vulnerability existed for some time before being exploited.
- Did the organisation have a risk assessment policy and procedure? Optus certainly should have had a risk assessment policy and procedure in place. Having such a policy would involve identifying potential vulnerabilities, assessing the likelihood and impact of potential attacks, and implementing controls to mitigate those risks. Whether these procedures were followed and adequate or not remains under investigation.
Additional Notes
- The Optus data breach was a significant event in Australia, affecting millions of customers.
- The Australian government is currently reviewing its cybersecurity frameworks in light of this and other breaches.
- The details surrounding the attack, vulnerability, and Optus's response are still emerging.
This report provides a starting point for understanding the Optus data breach. Further investigation and official reports may reveal more details about the attack and the organization's response.