Data breaches in Australia are on the rise, particularly in the financial and healthcare industries. In an effort to disrupt this pernicious trend, the Australian government is revising its cybersecurity frameworks and policies to strengthen resilience against nation-state threat actors.
But Australian businesses cannot solely rely on the government's cybersecurity initiatives. Even the Australian Signals Directorate (ASD) admits that proposed security frameworks only raise the baseline of security. It's up to each individual business to continue lifting this standard with additional data breach prevention controls.
To help Australian businesses avoid some of the common malpractices that facilitate data breaches, we've compiled a list of some of the biggest data breaches in Australia, ranked by magnitude of impact. If you're interested in a global perspective, you can also review the biggest data breaches worldwide.
1. Canva Data Breach
Date: May 2019
Impact: 137 million users
Australian unicorn Canva suffered a monumental data breach impacting 137 million of its users. To put that into perspective, the online design tool currently has about 55 million active monthly users.
A cybercriminal identified as Ghosticplayers breached Canva's defences but was stopped by Canva when they detected malicious activity in their systems.
Unfortunately, this interception did not happen soon enough. The threat actor had time to access the following user data:
- User names
- Real names
- Email addresses
- Country data
- Encrypted passwords
- Partial payment data
After the cyberattack, Ghosticplayers contacted ZDNet to brag about the successful data breach. This is unusual behavior for cybercriminals who usually gloat about their cybercrimes on dark web forums.
2. Ubiquiti Data Breach
Date: December 2020
Impact: Unconfirmed (potentially up to 85 million)
Ubiquity Networks, one of the world's largest vendors of Internet of Things (IoT) devices, suffered a data breach after an intruder compromised the company's third-party provider and accessed customer account credentials.
The breach occurred in December 2020 and was made known to customers on January 11, 2021.
The breach was first discovered by some of Ubiquiti's more perceptive customers. They noticed a sudden transition to unified authentication, followed by local-only networks being connected to Ubiquiti's cloud.
Ubiquiti issued a statement notifying its customers that one of its undisclosed third-party providers was accessed by an unauthorized user. They asked their customers to change their passwords and assured them that user data was not compromised in the event
Then the severity of the breach began to mount, following a series of allegations by an anonymous whistleblower.
The source, identifying calling himself "Adam", said that the breach was significantly worse than reported.
According to Adam, Ubiquiti's claim that no customer data was comprised was not based on security intelligence, but rather based on the company's lack of database access logs. In other words, because Ubiquity's back was turned, the company couldn't confirm that a data breach took place
Adamalso exposed the following bombshells:
- The compromised third-party was Amazon Web Services (AWS)
- The cybercriminals stole privileged credentials from a compromised LastPass account belong to a Ubiquiti IT employee
- These privileged credentials then gave the threat actors administrative access to all Ubiquity S3 data buckets, application logs, source codes, cryptographic secrets, and even single sign-on (SSO) cookies.
This level of access could have allowed the cybercriminals to potentially compromise all of Ubiquiti's devices - the company ships more than 85 million globally with many clients in Australia.
The following information may have been accessed:
- Email addresses
- Salted/hashed password credentials
- Home addresses
- Phone numbers
Ubiquity security teams located a backdoor left by the cybercriminals in January. When they removed it, they were contacted by the criminals who demanded a payment of 50 Bitcoiin (approx. $2.8 million USD) in exchange for not publicizing the breach.
The IoT supplier did not comply and later found a second backdoor in their system. After rotating user credentials over the next few days, Ubiquity finally notified its customers of the event or at least a version of it.
Adam said that one of Ubiquiti's major errors was not immediately invalidating all of its customer's credentials through a forced reset. This allowed the cybercriminals to maintain remote access to Ubiquiti cloud-based devices for a longer period.
At the time of writing this, multiple law firms are investigating whether Ubiquiti intentionally diluted the severity of the breach to preserve its stock value. If this is proven to be true, its executive may be liable for securities fraud.
3. ProctorU Data Breach
Date: July 2020
Impact: 444,000 people
Sensitive information belonging to ProctorU, an online proctoring service for remote students, was leaked online for free on a dark web hacking forum. This incident was part of a larger data leak impacting 18 different company's and exposing a total of 386 million records.
The compromised database of 444,000 records included user records with email addresses belonging to:
- The University of Sydney,
- The University of New South Wales,
- The University of Melbourne
- The University of Queensland
- The University of Tasmania
- James Cook University
- Swinburne University of Technology
- The University of Western Australia
- Curtin University and the University of Adelaide.
The total number of records impacting Australian university's from the total of 444,000 is unknown.
ProctorU said that no financial information was compromised in the breach.
4. Australian National University (ANU) Data Breach
Date: November 2018
Impact: 200,000 students
The Australian National University (ANU) fell victim to a highly sophisticated cyber attack that shocked even the most experienced Australian security experts.
Cyber attackers accessed sensitive information dating as far back as 19 years. The following information was stolen:
- Phone numbers
- Dates of birth
- Emergency contact details
- Tax file numbers
- Payroll information
- Bank account details
- Student academic results
The attackers deployed four spear-phishing campaigns to harvest network access credentials from staff. Each successful phishing attack granted them deeper levels of access until the University's Enterprise Systems Domain (ESD) was breached.
This is where the University's most sensitive records were stored.
The security incident worked meticulously to cover their tracks. They instantly deleted access logs and used the anonymity software Tor to obfuscate their location details.
ANU finally discovered the attack in April 2019.
5. Eastern Health Data Breach
Date: March 2021
Impact: 4 hospitals
Eastern Health, an operator of 4 Melbourne hospitals, fell victim to a cyberattack causing certain elective surgeries to be postponed.
The nature of the cyber attack is unknown, but it's suspected to have been a ransomware attack. This is likely to be true since, according to the Australian Cyber Security Centre (ACSC), ransomware attacks targeting the Australian health sector are growing.
Eastern Health assured the public that no patient data was compromised in the attack.
6. Service NSW Data Breach
Date: April 2020
Impact: 104,000 people
47 Service NSW staff email accounts were hacked through a series of phishing attacks. This led to 5 million documents being accessed, 10 percent of which contains sensitive data impacting 104,000 people.
A major contributing factor to the seamless breach was the lack of multi-factor authentication
7. Melbourne Heart Group Data Breach
Date: February 2019
Impact: 15,000 patients
Ransomware attacks are still classified as data breaches because cybercriminals access sensitive data and hold it hostage unless a ransom price is paid. This data breach compromised personal patient details and medical data, exposing victims to potential phishing attacks and identity theft.
Melbourne Heart Group was locked of it its compromised data for almost 3 weeks.
A spokesperson for the cardiology unit said that no sensitive data was leaked while it was in possession of the cybercriminals.
But such a claim assumes ransomware criminals are true to their promise that damages will be completely reversed if demands are obeyed
Melbourne Heart Group, reportedly, paid the bitcoin ransom.
Most of the encrypted files were restored, but not all of them.
8. Australian Parliament House Data Breach
Date: February 2019
Impact: Multiple political party networks - Liberal, Labor, and the Nationals.
Australian Parliament House networks were breached by a nation-state criminal group. It's speculated that China was responsible for the attack, as a response to Scott Morrison banning Huawei and ZTE equipment from Australia's 5G network.
The attack resulted in the loss of some data, but according to the head of the Australian Signals Directorate (ASD) Mike Burgess, none of it was classified as sensitive.
"There was a small amount of data taken; none of that was deemed sensitive, but the assessment of that is a matter for the parliament themselves." Mike said at the Foreign Affairs, Defence and Trade Legislation Committee on April 5, 2019.
The cybercriminals used phishing methods to steal employee credentials and gain entry into the government's network. This precursor attack took place on an infected external website that a small number of parliament staff visited.
9. Tasmanian Ambulance Data Breach
Date: January 2021
Impact: Every resident that requested an ambulance between Nov 2020 and Jan 2021.
At the time of the breach, the Tasmanian ambulance was using outdated radio technology to run its communications network. Cyberattackers intercepted the radio data, converted the conversation to text, and posted the stolen data online.
The breached data included the following patient information:
- HIV status
- Address of each emergency incident.
The website exposing the compromised data has since been taken offline.
10. Northern Territory Government Data Breach
Date: February 2021
Impact: 4400 emails
Personal and business emails across thousands of territories have been leaked following a breach of the Northern Territory's COVID-19 check-in app.
When the app was introduced, NT residents were assured that only Health Department officials and technical support personnel would have access to the collected data.
According to Sue Hawes, the head of the COVID-19 hazard management unit, the data breach was caused by an unintentional error.
11. Western Australian Parliament Data Breach
Date: March 2021
Western Australia parliament's mail server was accessed after a Microsoft Exchange Server Vulnerability was compromised. This incident was part of a global cyberattack frenzy targeting the zero-day exploit before Microsoft responded with a patch release.
WA's Executive Manager of Parliamentary Services Rob Hunter said that a forensic audit found no evidence of a data breach. A soon as security teams became aware of the malicious intrusion, they immediately disconnected the targeted email server.
But it's uncertain whether this consolation is true. The lack of transparency into the event is concerning.
The Australian Cyber Security Centre (ACSC) declined to comment about the WA parliament attack but said that many Australian organisations were exposed to potential compromise while their servers remained unpatched.
If the nation-state criminals were as sophisticated as the Prime Minister described them, may have had enough time to clandestinely exfiltrated some sensitive, even during such a brief visit.
UpGuard Helps Australian Businesses Prevent Data Breaches
UpGuard helps Australian businesses prevent data breaches by discovering vulnerabilities and data leaks exposing sensitive resources. This detection and remediation capability extends to the entire third-party vendor network.
Get a preliminary assessment of your data breach risk, click here for your free security score now!