
Australian industry calls for the government to ban cyber ransom payments

The mass Latitude data breach has sparked renewed calls for the government to outlaw the payment of cyber ransoms, with criminals chasing increasingly lucrative paydays.

Industry is calling on Home Affairs and Cyber Security Minister Clare O'Neil to outlaw cyber ransom payments. (Photo by Martin Ollman/Getty Images)

The Latitude mass data breach has sparked fresh calls for the government to outlaw the payment of cyber ransoms, with industry figures warning that extra deterrents are needed to curb the spike in cyber attacks, while praising Latitude for refusing to pay a cyber ransom.

Latitude on Tuesday rejected a ransom demand from criminals behind the nation’s biggest cyber attack, a move welcomed by the Albanese government.

Ransomware cyber attacks are on the rise, with the Australian Cyber Security Centre (ACSC) reporting a jump of between 10 and 15 per cent year-on-year, with average ransomware payments also increasing.

“We will not reward criminal behaviour, nor do we believe that paying a ransom will result in the return or destruction of the information that was stolen,” Latitude said in a statement to the ASX. “Latitude strongly believes that paying a ransom will be detrimental to our customers and cause harm to the broader community by encouraging further criminal attacks.”

It follows a similar move by breach victim Medibank, which last year refused to pay a ransom sought by Russian hackers.

With the threat posed by ransomware increasing, Cyber Security Minister Clare O’Neil is considering making ransom payments illegal, or tightening reporting requirements. In Australia there is currently no specific law that prohibits the payment of a ransomware demand but government has charged an expert board, led by former Telstra chief Andy Penn, to examine the issue.

Companies that pay ransoms — to recover sensitive data when there is no alternative, or prevent physical or bodily harm — typically do so under legal advice, and tend not to disclose such payments, which can be covered by insurance.

Biztech Lawyers director Andrew Truswell said that a more restrictive law warrants consideration.

“Paying a ransom is legal … Simple as that,” Mr Truswell told The Australian.

Biztech Lawyers director Andrew Truswell

“Resources companies and their affiliates pay ransoms to kidnappers all the time when operating in countries that are politically unstable. It’s factored into the cost of doing business.

“Company executives should plan for the day they face a ransom demand from a cyber hacker. But it’s governments that are primarily driving the thinking around refusing to pay the ransom after a data hack. And for good reason. The thinking is nation-states don’t want to make themselves targets for cybersecurity attacks.”

Given the interconnectedness of the global economy, the fewer victims pay ransoms, the better off the system is, the executive said.

“The government has warned that paying ransoms does not guarantee access to locked systems or sensitive data, and may open the victim up to repeated attacks. Any ransom payment large or small fuels the illegal ransomware business.

“The focus on cyber law reform is high on the government’s agenda, and private tech industry polling indicates 85 per cent of Australians want action on cybersecurity.

“You have to wonder how long it will be before an Australian company that’s worried about disappointing exhausted consumers goes against the government’s wishes.”

Wayne Tufek, Director at CyberRisk, said that organisations are better off investing money upfront in their security posture rather than paying to replace passports and fines to regulators.

Wayne Tufek, Director at CyberRisk. Source: Supplied.

“The Latitude breach is an interesting one in that it is the biggest since the laws changed regarding fines and it will be exciting to see how this is handled by the OAIC and the courts,” he said.

“I’m also amazed at how long Latitude has retained the data they held given that it’s likely the individual repaid their loan some time ago.

“I think that making ransom payments illegal would act as a deterrent for criminals to continue attacks if they know that they won’t be paid large sums of money,” he said. “Would it stop the crime, maybe, however the information they steal still has value in the criminal world to perpetrate identity theft, for example.”

According to Mr Tufek, consumers affected by the breach should ensure they are wary of unsolicited communications and phone calls as part of social engineering attacks.

“There’s not much that can be done once an individual’s information is out, some things cannot be changed or are very difficult to do so,” he said. “Subscribing to a credit check and watch service makes good sense, so that you can see who has made an inquiry on your credit record. This may be an indication that someone is attempting to take out a loan in your name.”


Original URL: https://www.theaustralian.com.au/business/technology/australian-industry-calls-for-the-government-to-ban-cyber-ransom-payments/news-story/bdad2856044ab8dec355fa0228ba0f1d