Qantas attack shows one phone call is all it takes to crack cybersecurity's weakest link: people


All it can take is a phone call. That's what Qantas learned this week when the personal information of up to 6 million customers was stolen by cybercriminals after attackers targeted an offshore IT call centre, enabling them to access a third-party system.

It's the latest in a series of cyber-attacks on large companies in Australia involving the personal information of millions of Australians, after the attacks on Optus, Medibank and, most recently, Australia's $4tn superannuation sector.

The Qantas attack came just days after US authorities warned the airline sector had been targeted by a group known as Scattered Spider, using social engineering techniques, including impersonating employees or contractors to deceive IT help desks into granting access, and bypassing multi-factor authentication.

New technology brings old methods

While companies may spend millions keeping their systems secure and software up to date to plug known vulnerabilities, hackers can turn to this type of attack to target what is often the weakest link: people.

Social engineering is not new. It predates the internet, and involves tricking someone into providing compromising information.

The most common way people would see social engineering in practice is through phishing attacks: emails that are designed to look legitimate in order to lure unsuspecting people into providing their logins and passwords.

The phone-call version of social engineering, known as vishing, can be more complicated for the attacker, requiring research into a company and its employees, and tactics to sound convincing over the phone to get the unwitting worker to let them in.

The arrival of easy-to-use artificial intelligence products, including voice cloning, will only make this easier for attackers.

The Office of the Australian Information Commissioner's most recent data breaches report, covering the second half of 2024, noted a significant rise in reports of breaches caused by social engineering attacks, with government agencies reporting the most, followed by finance and health.

The Qantas breach, which compromised information including names, email addresses, phone numbers, dates of birth and frequent flyer numbers, may not in isolation lead to financial loss, but the growing number of data breaches in Australia means hackers are able to collate data collected across the breaches and potentially launch attacks on unsuspecting new targets.

Data breaches causing more data breaches

In April, the country's superannuation funds became aware of the dangers of hackers collecting compromised login details from other breaches to gain access to super accounts, in what is termed credential stuffing.
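Credential stuffing, as described above, leaves a recognisable trace in authentication logs: one source address cycles through many different usernames with replayed passwords and fails on most of them, which is the opposite of a legitimate user mistyping the password for a single account. The detector below is an added example written for this article, not code from Qantas, Apra or any of the firms quoted; the log line format, the thresholds (five distinct usernames and an 80% failure ratio within ten minutes) and the sample log lines (using RFC 5737 documentation addresses) are all constructed assumptions. Its output is the list of accounts the flagged address did manage to log into, which are the ones a defender would lock and reset first.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed log line format (not the format of any real product):
    <ISO-8601 timestamp> ip=<address> user=<username> result=<OK|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays six accounts in under a minute and
# gets into one of them; 198.51.100.4 is a real user retrying a typo.
SAMPLE_LOG = """
2025-04-01T02:13:00Z ip=198.51.100.4 user=alice result=FAIL
2025-04-01T02:13:30Z ip=198.51.100.4 user=alice result=OK
2025-04-01T02:14:05Z ip=203.0.113.7 user=alice result=FAIL
2025-04-01T02:14:12Z ip=203.0.113.7 user=bob result=FAIL
2025-04-01T02:14:20Z ip=203.0.113.7 user=carol result=FAIL
2025-04-01T02:14:31Z ip=203.0.113.7 user=dave result=FAIL
2025-04-01T02:14:40Z ip=203.0.113.7 user=erin result=OK
2025-04-01T02:14:50Z ip=203.0.113.7 user=frank result=FAIL
2025-04-01T02:15:10Z ip=192.0.2.9 user=grace result=OK
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Attempt]:
    """Parse log lines; malformed lines are skipped rather than crashing."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attempts.append(Attempt(
            ts=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            ip=m["ip"],
            user=m["user"],
            ok=m["result"] == "OK",
        ))
    return attempts


def detect_stuffing(attempts: List[Attempt],
                    window: timedelta = timedelta(minutes=10),
                    min_users: int = 5,
                    min_fail_ratio: float = 0.8) -> Dict[str, List[str]]:
    """Flag source addresses that, within `window`, tried at least
    `min_users` distinct usernames with a failure ratio >= `min_fail_ratio`.

    Returns {ip: sorted accounts that had a successful login from that ip}.
    """
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)

    findings: Dict[str, List[str]] = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it fits within `window`
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            distinct_users = {r.user for r in win}
            failures = sum(1 for r in win if not r.ok)
            if len(distinct_users) >= min_users and failures / len(win) >= min_fail_ratio:
                # every account this address got into is a likely takeover
                findings[ip] = sorted({r.user for r in rows if r.ok})
                break
    return findings


def run_sample() -> Dict[str, List[str]]:
    """Run the detector over the constructed sample log."""
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    print(run_sample())  # {'203.0.113.7': ['erin']}
```

The thresholds are deliberately conservative; in practice they are tuned per service, and the same sliding-window logic can be keyed on a device fingerprint or ASN instead of the bare address, since stuffing tools commonly rotate through proxies. Note that the retrying user on 198.51.100.4 is not flagged because the distinct-username count never exceeds one.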

The industry was fortunate that only a handful of customers suffered losses, collectively roughly $500,000, likely a combination of the funds locking down systems and the high proportion of fund holders who have yet to reach the age at which they can access their super.

The Albanese government, however, has been warned that the attack was a canary in the coalmine for the financial sector. In advice to the incoming government in May, released this week under freedom of information laws, the Australian Prudential Regulation Authority (Apra) warned super assets were at risk.

“Cyber-attacks at large superannuation funds, that look likely to increase in scope and frequency, highlight that capability in the management of cyber and operational risks must improve,” Apra said.

“While the number of member accounts that had funds fraudulently withdrawn was small, the incident highlighted the need for this sector to uplift its cybersecurity and operational resilience maturity.

“This need will only grow as the sector increases in size, more members enter retirement and the sector takes on greater systemic significance with inter-linkages to the banking sector.”


Apra had warned the sector in 2023 of the importance of multi-factor authentication, something some of the funds had failed to implement before the April attack.

The regulator said there were also sustained cyber-attacks on banking and insurance companies, and third-party providers that were “continuing to test resilience and defences as attackers develop new technologies and approaches”.

Who is most at risk?

Healthcare, finance, technology and critical infrastructure, such as telecommunications, were most at risk from cyber threats, according to Craig Searle, global leader of cyber advisory at global cybersecurity firm Trustwave.

“The technology sector is uniquely exposed due to its central role in digital infrastructure and interconnected supply chains,” he said. “An attack on a single tech provider can cascade to hundreds or thousands of downstream customers, as seen in recent high-profile supply chain breaches.

“Overall, the sectors most at risk are those with high-value data, complex supply chains, and critical service delivery.”

Searle said attackers like Scattered Spider deliberately targeted third-party systems and outsourced IT support, as seen in the Qantas breach, representing a risk for large companies.

“The interconnected nature of digital supply chains means a vulnerability or misconfiguration in a partner or contractor can trigger a domino effect, exposing sensitive data and operations far beyond the initial breach,” he said.

Christiaan Beek, senior director for threat analytics at cybersecurity firm Rapid7, said third-party systems had become an integral part of many organisations' business operations and, consequently, were increasingly targeted by threat actors.

“It is essential for organisations to apply the right levels of due diligence in assessing the security posture of such third-party systems to reduce the risk of their information being compromised.”

Searle said organisations needed to shift from reactive to proactive cybersecurity, apply software patches promptly and implement strong access control such as multi-factor authentication.

Beek agreed organisations needed to be proactive, with executives held accountable for cybersecurity in their organisations, as well as board oversight.

“The novel tactics observed by modern-day cybercrime groups escape the traditional confines of security management programmes,” he said. “The no-limits approach of these criminals pushes us to rethink the traditional boundary of defence, particularly surrounding social engineering and the ways in which we can be taken advantage of.”


