Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Australian Privacy Breaches Continue with Meriton Latest Victim

Today comes news of yet another Australian company which has suffered a data breach; this time it is property firm Meriton, which has contacted almost 2,000 staff and customers, warning them to take steps to protect themselves.

Approximately 35.6 GB of data was compromised in the January 14 breach, including contact information of guests in Meriton serviced apartments, as well as other data - potentially including health information should they, for example, have suffered an injury which required an ambulance to be requested. However, staff are more severely affected, with potential access by cybercriminals to employment information such as their salary, bank account details, tax file numbers and performance appraisals.

The company has contacted the Australian Cyber Security Centre (ACSC) as well as the Office of the Australian Information Commissioner (OAIC), and is working with data forensics and incident response professionals. It has also promised to implement enhanced cybersecurity measures in future.

Tran, Danny, Hotel and property giant Meriton hit by data hack, personal documents may be at risk, ABC News, 29 March 2023. Available online at https://www.abc.net.au/news/2023-03-29/australian-hotel-chain-meriton-hit-by-data-breach-hack/102141880.

ABC Charts Scale of Privacy Breaches

Coincidentally, the Australian Broadcasting Corporation has published an interactive news report detailing the incredible scope of Australian and international data breaches which put Australians at risk of "serious harm". Their graphic shows a total of 2,784 breaches recorded since the start of 2020, based on reports to the OAIC and obtained via administrative access requests to de-aggregated versions of the summary data released in the OAIC's bi-annual reports (available for download as a spreadsheet).

Their analysis makes sobering reading, with some stand-out conclusions. For example, "There were 164 fewer data breaches disclosed last year than back in 2020." - yet this does not gel with the growth of ransomware attacks reported internationally.

In addition, breaches involving multinationals Amazon and Spotify did not fall into the scop of 'notifiable events' in Australia and therefore do not appear in the dataset at all.

A problem that rarely attracts attention is that each successive breach allows a threat actor who collects the information to aggregate information about the affected individuals; while an individual breach may not - to the breached organization - appear to reach the threshold of putting individuals "at likely risk of serious harm" and requiring mandatory disclosure to the OAIC, when combined with other breaches it certainly may pose risk of serious harm.

We may therefore see the law further refined to require breached organizations to take steps to determine what other information may exist from previous breaches before determining the level of risk posed in a holistic manner.

Fell, Julian, Georgina Piper and Matt Liddy, This is the most detailed portrait yet of data breaches in Australia, ABC Story Lab, 28 March 2023. Available online at https://www.abc.net.au/news/2023-03-28/detailed-portrait-data-breaches-oaic-disclosures/102131586.

Pen Tests Suggest Security Postures Are Weakening, Says Cymulate

In their new "2022 State of Cybersecurity Effectiveness", Cymulate researchers analysed the results of over 1 million penetration tests conducted within production environments. Their results indicate that, using their risk rating methodology, the average enterprise's information exfiltration risk rating has increased from 30 out of 100 in 2021, to 44 out of 100 in 2022 (compare this with reporting to the OAIC described above).

In addition, there is bad news about patch management: four of the top 10 vulnerabilities in customer environments were more than two years old.

It's not as though companies aren't working hard, either. Malware detection rates are improving, and most enterprises are doing better at securing their attack surfaces; it's just that threat actors are adapting even faster.

Porter, Katrina, Cymulate Releases Findings from Over One Million Security Assessments, news release, 28 March 2023. Available online at https://cymulate.com/news/one-million-security-assessments/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.