“Four minutes is quick, but not quick enough, they had managed to encrypt one directory on that server, and our team stopped the access, neutralised the threat and were able to restore from back-up instantly during the night,” he said.
“[The hackers accessed] historical information, but didn’t get to our main document management system or to our main tax file and financial statements data, but there is a possibility that some client data has been compromised.”
The hackers posted a claim on the dark web that they had accessed PKF’s systems and threatened to publish the data on Tuesday night, which Mr Cannan said would be worrying for clients, but that the firm would work with them immediately to remediate the situation once the full picture became clear.
“Whether that means they need to change their passwords, or they need help to change bank accounts, or whatever they need to do, we will help them do it,” he said.
The QRU hackers, meanwhile, claimed to have taken finance, accounting, bank details, email details and client data, and also have threatened to make it public if a ransom was not paid.
A QRU spokesman, however, said the Union’s investigations found the exfiltrated data appeared to be of the non-harmful variety, such as game-day video footage and digital marketing material.
“QRU’s management and specialist IT Team took immediate steps to contain the breach, counter the unauthorised access and isolate affected network areas,” the spokesman said.
“QRU’s external cyber security expert partner is currently forensically investigating the matter, and we are yet to identify any data exfiltration that would constitute a notifiable data breach.”
Previously, the SOCI Act covered specific assets in the electricity, gas, water and ports sectors only, but has now expanded to encompass 11 so-called critical sectors.
These are communications, financial services and markets, data storage or processing, defence, higher education and research, energy, food and grocery, healthcare, space technology, transport, and water and sewerage.
“It’s most of the whole marketplace now, there’s not a lot that’s not there,” said Lesley Sutton, technology and digital partner at Gilbert & Tobin.
The bill splits assets into two categories: critical infrastructure assets and critical infrastructure sector assets, essentially suppliers.
The owners and operators of critical infrastructure assets must report cyber breaches to the Australian Signals Directorate (ASD) within 12 hours, and must comply with government directives on how to respond. They also need to register who holds ownership interests in the assets themselves.
“Ultimately, the government wants to know who has influence over the ability to control the assets, who could it give directions to if there was a cyber incident and who would be able to act on those directions,” Ms Sutton said.
The second category recognises owners and operators of critical infrastructure sector assets, like a cloud operator that supplies services for Telstra.
These parties don’t have the same immediate reporting obligations but do need to respond if the government directs them to do something.
Ms Sutton does not expect a great deal of change for business at this point, aside from updates to cyber security policies.
Chris Gatford, co-founder and CEO of cyber security services company Hacktive, said there was typically at least one successful attack ongoing in an Australian organisation every week, and that greater government assistance would be welcomed by most organisations.
“In Australia, there has been massive underinvestment in IT security for many years, so it’s no surprise attacks are so prevalent as now we are really paying the price,” he said.
“Under the new bill I think the government would be effectively sitting over the shoulders of organisations because it won’t be practical to hand over the usernames, password credentials and multi-factor authentication to the government guy.
“It will hopefully be an improvement on what we have had before though, as in my experience, government has been providing way too little support to even just standard organisations, the outreach that we see from the Australian federal government to victims is largely pretty useless.
“The Australian government has access to some great intelligence, they’re aware ahead of time of the threat actors because they are watching all the traffic from the service providers, but organisations need them to share that intelligence in a more timely and actionable format.”
Shannon Sedgwick, senior managing director at cyber services company Ankura, said he viewed the SOCI amendments as a step in the right direction, saying the expansion of the definition of what organisations are deemed to be critical infrastructure was a necessary one.
He said the mandatory notification timeline of 12 hours was likely to prove too brief, as the investigation and triage of incidents often take longer, and he was concerned the definition of a “significant impact” in the legislation was overly broad and had no minimum threshold for reporting.
His main concern, however, was the potential for the government to become involved to an unwelcome level in the operations of organisations deemed critical infrastructure, when responding to cyber problems.
“The thorny problem lies in the government assistance measures termed ‘last resort’ measures for the government to exercise in limited circumstances. Currently, these limited circumstances are rather broad, have little due process for decision-making, and have no appeal or revision mechanism for decisions made by the government under this bill,” Mr Sedgwick said.
“The bill requires additional consideration between industry and government to ensure such complex legislation is not rushed and does not cause unintended regulatory and cost burdens or a potential reduction in cyber security.”
CISO Lens managing director James Turner, meanwhile, said the powers for the Australian Signals Directorate to effectively step in and take control of a company’s response to a cyber attack were getting a mixed reaction from security executives.
He said most could see there was a rise in national security concerns related to cyber attacks, but there were concerns about who was liable for the results of any actions taken by agents on behalf of companies.
“The ASD’s first interest will be to do spook stuff aligned with the overall national security umbrella, which may or may not be in the best interests of an individual company,” Mr Turner said.
“If ASD personnel first want to monitor the activities of the adversary to see how far they can get and how capable they are, what does this mean for the ongoing operations of the enterprise, the security of its data, and the safety of staff, and director liability?
“What happens if an ASD intervention on a company’s technical environment results, directly or indirectly, in the loss of life? Would witnesses be gagged from talking about such an incident?
“Without the government accepting liability for any costs resulting from its interventions, I can’t see these step in powers going the way the government seems to think they will.”