An American security company called Commvault commissioned a survey last week that found Australian businesses have recovered much more quickly from cyberattacks over the past year, thanks to improved preparedness and tighter government regulations on security.
Australia’s cybersecurity wake-up call arrived in 2022 with a pair of high-profile data breaches, which illuminated major weaknesses in security and caused a great deal of damage. The first victim was a telecom company called Optus, one of the largest in Australia. Hackers stole a massive trove of customer data from the company in September 2022, including driver’s license numbers and government ID numbers.
The company admitted a “significant” number of its millions of customers were affected by the breach. Optus offered credit protection to its customers in the aftermath and provided assistance with changing identification numbers that might have been compromised.
The second attack came a month later and targeted Medibank, a private health insurance firm. Medibank’s servers were infected with ransomware, and the hackers threatened to release confidential medical records for millions of clients if they were not paid.
The perpetrators, who were identified as a Russian “ransomware for hire” group called REvil, demanded one dollar for each of the company’s 9.7 million customers. Medibank did not pay the ransom. An Interpol investigation of the crime was launched, and in January 2024, the governments of Australia, the United Kingdom, and the United States announced sanctions against the prime suspect, a 33-year-old Russian national named Aleksandr Gennadievich Ermakov.
The Optus hack was accomplished, cybersecurity experts found, through an unsecured Application Programming Interface (API), a forgotten back door hanging wide open on the Internet that allowed the attackers to stroll right into the system. Once they were inside, the thieves discovered Optus’ customer database was structured in a way that allowed them to steal it quickly and easily.
Medibank did not require its employees to use multi-factor authentication, so there was no defense in place against a hacker who chanced to find the username and password of a legitimate user. A multi-factor authentication scheme requires users to have a second form of digital identification, ranging from another password to a security code requested via a smartphone app, for the very purpose of thwarting intruders who get their hands on valid passwords.
In the case of Medibank, the hackers struck gold by finding that one of the company’s IT service desk operators saved his username and password in his Internet browser at work, as ordinary users often do.
The operator’s work computer was configured to automatically synchronize his browser data across accounts, so it duly transmitted his saved login credentials to his home computer, which was compromised by malware.
Making matters worse, the compromised employee had administrator-level access to much of Medibank’s network. The company’s security system swiftly detected the intruder, but then failed to escalate the intrusion or trigger a security response, so the hacker was able to lurk in the system for almost two months and make off with over 500 gigabytes of sensitive data.
The double sucker punch of the Optus and Medibank hacks led to a flurry of new Australian government regulations on cybersecurity, which cracked down on all of the lapses in authentication and security response that occurred in the two high-profile cases. Companies were also required to report data breaches to the government and the public more quickly.
According to Commvault’s survey, companies in Australia and New Zealand are now responding to cyberattacks and recovering from the damage 38 percent faster than they were last year. The average recovery time is now 28 days, down from 45 days in 2024. Australia still lags behind the global average of 24 days.
“I do put that down to the fact that organisations and enterprises are getting more aware. I also put it down to the fact that the regulators are being more stringent and more strict on what their requirements are,” Commvault Asia-Pacific Vice President Martin Creighan told Reuters.
The news was not all good. Commvault’s survey found that less than a third of Australian firms were capable of responding effectively to a cyberattack, and 12 percent had no formal response plan at all.
Many industry observers grumbled that Commvault’s survey merely proved that Australian firms — and quite a few others around the world — will only take cybersecurity seriously when they are compelled to do so.
Creighan said corporate interest in security picked up after 2022 because executives were “worried about the regulation landscape.” Cynics argue that much of that worry stems from company brass realizing they could be held personally liable for massive cyberattack damages. They also fear Australia waited much too long to get serious about security, while companies in other countries spent decades building formidable defenses and training their employees in best practices.