The health services industry has continued to be the sector responsible for the highest number of reported data breaches in Australia, accounting for 85 of the 446 total breaches notified to the Office of the Australian Information Commissioner (OAIC) in the six months to 30 June 2021.

The 446 total is down 16% when compared to the previous six months' figure of 530 notifications. For the 2020-21 financial year, 976 notifications were received under the Notifiable Data Breaches (NDB) scheme. March saw the highest number of notifications with 102.

In the reporting period, 81% of breaches were identified by the entity within 30 days of occurring, but in 4% of cases it took the entity longer than 365 days.

“For data breaches caused by malicious or criminal attack or human error, more than 80% of entities identified the incident within 30 days of it occurring,” the OAIC wrote. “Where entities experienced a data breach resulting from a system fault, only 61% identified the incident within 30 days, and 30% did not become aware of the incident for over a year.”

In the reporting period, 72% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach. 27 entities took longer than 120 days from when they became aware of an incident to notify the OAIC. 71% of Australian government agencies reporting an incident found it within 30 days; 9%, however, took over a year to find it, and 3% took over a year to notify the OAIC.
Since the mandate, health has been the most affected sector. Coming in second to health this half was the finance sector, which accounted for 57 notifications, followed by legal and accounting with 35, and the Australian government and insurance sectors each with 34. The Australian government entered the top five sectors in the first half of FY21.

All agencies and organisations in Australia that are covered by the Privacy Act 1988 are required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach. The Privacy Act covers most Australian government agencies; it does not cover a number of intelligence and national security agencies, nor does it cover state and local government agencies, public hospitals, and public schools.

In its latest six-month report capturing notifications made under the NDB scheme, the OAIC said most data breaches involved the personal information of 5,000 individuals or fewer. Three notifications affected over 1 million individuals, with one affecting over 10 million individuals.

Contact information, identity information, and financial details continue to be the most common types of personal information involved in data breaches. 407 — or 91% — of breaches notified under the scheme involved contact information, such as an individual's name, home address, phone number, or email address. 247 instances saw the breach of identity information, 193 exposed financial information, 136 health information, tax file numbers were exposed in 102 breaches, and other sensitive information was compromised in 75 of the cases.

Malicious or criminal attacks were the largest source of data breaches notified to the OAIC, accounting for 289 breaches.
192 breaches were caused by “cyber incidents”, 35 of them resulted from social engineering or impersonation, on 28 occasions the actions of a rogue employee or insider threat were the cause, and theft of paperwork or storage devices was responsible for 34 notifications.

The report says human error also remained a major source of breaches, accounting for 134 notifications, while system faults accounted for the remaining 23 breaches. Human error breaches include sending personal information to the wrong recipient via email, unintended release or publication of personal information, and failure to use the blind carbon copy function when sending group emails. Unauthorised disclosure/unintended release or publication occurred in 31 notifications. This alone affected 523,998 individuals.

The Australian government did not report any incidents pertaining to system faults, but reported 25 as human error, and nine as a malicious or criminal attack. The Australian government also reported one incident as “hacking”.

The top sources of cyber incidents during the reporting period were phishing, compromised or stolen credentials, and ransomware. “More than half of cyber incidents (62%) during the reporting period involved malicious actors gaining access to accounts using compromised or stolen credentials,” OAIC said. “The most common method used by malicious actors to obtain compromised credentials was email-based phishing (58 notifications).”

Ransomware incidents increased by 24% in the second half of the year, up from 37 in the first half to 46.

Figure: Data breach notifications under the NDB scheme since inception. Image: OAIC
Scheduling platform FlexBooker apologized this week for a data breach that involved the sensitive information of 3.7 million users. In a statement, the company told ZDNet a portion of its customer database had been breached after its AWS servers were compromised on December 23. FlexBooker said its “system data storage was also accessed and downloaded” as part of the attack. The company added that it worked with Amazon to restore a backup and was able to bring operations back in about 12 hours.

“We sent a notification to all affected parties and have worked with Amazon Web Services, our hosting provider, to ensure that our accounts are re-secured,” a spokesperson said. “We deeply apologize for the inconvenience caused by this issue.”

The spokesperson said the data was “limited to names, email addresses, and phone numbers”, and a website notifying customers of the breach says the same thing. But Australian security expert Troy Hunt, who runs the Have I Been Pwned site that tracks breached information, said the trove of stolen data included password hashes and partial credit card information for some accounts. Hunt added that the data “was found being actively traded on a popular hacking forum.”

A FlexBooker spokesperson confirmed Hunt's report, telling ZDNet that the last 3 digits of card numbers were included in the breach but not the full card information, expiration date, or CVV.
Reporters from Bleeping Computer said the group behind the attack, Uawrongteam, leaked information from FlexBooker and two other companies on a hacking forum. They tied the breach to a DDoS attack that FlexBooker reported on December 23. In its log of the attack, FlexBooker said the attack caused widespread outages of its core application functionality and required help from AWS to solve.

“We have been informed that this should not have been possible, but before they were able to assist technically, they had to ensure that all our security practices were correct. They have completed this step, and this has now gone to their leadership team who have approved dedicating technical resources to this immediately,” FlexBooker said of the assistance from AWS on December 24. “We truly apologize again for the impact here. We have been on the phone with AWS support for 7 hours now, trying to push them through. A brute force attack such as this should not have been possible, so we are pushing them hard to put a network-level solution in place to ensure this is both resolved quickly and also permanently so this never happens again in the future.”

The issue was resolved about eight hours later.

Shared Assessments' Nasser Fattah said he has seen instances where DDoS attacks are launched as a distraction to disrupt vital business services while the adversary's primary goal is to gain access and exfiltrate sensitive information. “We know that there are financial losses associated with system outages, hence why security teams have all eyes on glass, so to speak, when there is a DDoS attack,” Fattah said. “And when this happens, it is important to be prepared for the possibility of a multifaceted attack and be very diligent with monitoring other anomalies happening on the network.”

New Zealand ‘Beehive’. Image: Chris Duckett/ZDNet

The New Zealand government has introduced a Bill that proposes to block violent extremist content, introduce criminal offences, allow the ordering of take-down notices, and would hand the power to a chief censor to make immediate decisions on what material should be blocked. The objective of the Films, Videos, […]

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published updated guidance about how to harden Kubernetes for managing container applications. Kubernetes is an open-source system that automates deployment, scaling, and management of applications run in containers.

The updated guidance refreshes the two agencies' first Cybersecurity Technical Report regarding Kubernetes hardening guidance from August 2021. CISA says the update contains additional details and explanations based on feedback from industry, including more detailed info on logging and threat detection in addition to other clarifications. Some of the updates are subtle but important for those who protect Kubernetes clusters.

NSA and CISA do not list what the changes are in the updated guidance, but the initial recommendations weren't met with universal approval. For example, NCC Group noted that advice about Kubernetes authentication was “largely incorrect when it states that Kubernetes does not provide an authentication method by default”, whereas most customer implementations NCC Group had reviewed “support both token and certification authentication, both of which are supported natively.” NCC Group advised against both for production loads because Kubernetes does not support certificate revocation, which can be a problem if an attacker has gained access to a certificate issued to privileged accounts. The updated guidance now says that “several user authentication mechanisms are supported but not enabled by default.”

Otherwise, key points of the original document appear to be unchanged. It looks at hardening within the context of typical Kubernetes cluster designs that include the control plane, worker nodes (for running containerized apps for the cluster), and pods for containers that are hosted upon these nodes. These clusters are often hosted in the cloud and often across multiple clouds in AWS, Azure, Google and elsewhere.
The agencies maintain that Kubernetes is commonly targeted for data theft, computational power theft, or denial of service. Historically, flaws in Kubernetes and various dependencies as well as misconfigurations have been used to deploy cryptominers on victims' infrastructure. The report also maintains that Kubernetes is exposed to significant supply chain risks because clusters often have software and hardware dependencies built by third-party developers. For example, security analysts last year warned of attacks against Kubernetes clusters via misconfigured Argo Workflows, a container workflow engine for K8s clusters.

Besides supply chain risks, other key actors in the agencies' threat model include malicious outsiders and insider threats. These help define its hardening recommendations. For example, there is a common cloud case where workloads that aren't managed by a given Kubernetes cluster share the same physical network. In that instance, a workload may have access to the kubelet and to control plane components, such as the API server. So, the agencies recommend network-level isolation. The agencies also provide advice on how to ensure strict workload isolation between pods running on the same node in a cluster, given that Kubernetes doesn't guarantee this separation by default.

Announcing the updated guidance, the NSA says: “Primary actions include the scanning of containers and pods for vulnerabilities or misconfigurations, running containers and pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing.”

The agencies also recommend periodic reviews of Kubernetes settings and vulnerability scans to ensure appropriate risks are accounted for and security patches are applied. But patching is not easy in the context of Kubernetes. CISA regularly publishes alerts about new Kubernetes-related vulnerabilities.
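The network separation and least-privilege pod settings the agencies recommend, shown as an added example in Kubernetes manifests (this is not taken from the NSA/CISA report or the article; the `payments` namespace, the `app` labels, port 8443 and the image name are assumptions):

```yaml
# Added example, not from the NSA/CISA report. Namespace, labels, port and image are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}                 # empty selector: applies to every pod in the namespace
  policyTypes: [Ingress, Egress]  # nothing in or out unless another policy allows it
---
# Allow only front-end pods to reach the API pods on 8443; all other ingress stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8443
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
  labels: {app: api}
spec:
  automountServiceAccountToken: false   # the workload never needs to call the API server
  securityContext:
    runAsNonRoot: true                  # kubelet refuses to start the container as UID 0
    seccompProfile: {type: RuntimeDefault}
  containers:
  - name: api
    image: registry.example.internal/api:1.4.2   # assumed image name
    securityContext:
      allowPrivilegeEscalation: false   # blocks setuid binaries and similar escalation paths
      readOnlyRootFilesystem: true      # tampering with the image at runtime fails
      capabilities:
        drop: ["ALL"]                   # start from zero Linux capabilities
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so verify enforcement rather than assuming it; the default-deny egress rule also blocks DNS, which each workload then has to be granted explicitly.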
In February, for example, it warned of a critical (severity score 8.8 out of 10) privilege escalation flaw, CVE-2022-23652, which affected the capsule-proxy reverse proxy for Capsule Operator. But as NCC Group points out, “patching everything is hard”, partly because of the pressure to avoid downtime but also because relevant vulnerabilities span Kubernetes, Containerd, runc, the Linux kernel and more.

“This is something that Kubernetes can help with, as the whole concept of orchestration is intended to keep services running even as nodes go on and offline. Despite this, we still regularly see customers running nodes that haven't had patches applied in several months, or even years. (As a tip, server uptime isn't a badge of honour as much as it used to be; it's more likely indicative that you're running an outdated kernel),” NCC Group noted.