In 2022, 59 percent of business in the Asia-Pacific region reported being the victim of a cyber attack, 32 percent reported being the victim of multiple cyber attacks and the region suffered a shortage of 2.1 million cyber security professionals.
This has culminated in the Asia-Pacific region being victim to a number of high-profile cyber attacks within the last 12 months. In this article, Cyber Security Hub explores seven of these attacks.
Contents
- New Zealand government compromised in third-party attack
- Medibank suffers data leak that affects 9.7 million people
- Toyota admits to data breach after access key is posted on GitHub
- MyDeal data breach impacts 2.2 million people
- Vulnerabilities in GPS tracker could put 1.5 million vehicles in danger
- Data breach sees Telstra employees’ details posted online
- Details of 11 million customers accessed in Optus data breach
New Zealand government compromised in third-party cyber attack
In December 2022, an IT managed service provider that supports a range of organizations across New Zealand including several within its government suffered a cyber attack, compromising access to its data and systems.
Those affected by the cyber security incident includes some providers contracted to Te Whatu Ora (Health New Zealand), although health service delivery was not been affected.
The Ministry of Justice was also affected by the third-party data breach and confirmed the cyber attack impacted access to some coronial data. This allegedly included thousands of autopsy reports.
New Zealand’s National Cyber Security Center (NCSC) said that it was coordinating governmental response to the cyber attack, both within the Government Communication Security Bureau and alongside the New Zealand Police, CERT NZ and the Privacy Commissioner.
Lisa Fong, deputy director-general of the NCSC, said that the organization is working with the compromised third party to “understand more fully the nature of the data that has been impacted” and how the cyber attack occurred.
Medibank suffers data leak that affects 9.7 million people
On October 13, 2022, Australian health insurance provider Medibank suffered a data breach which affected 9.7 million people.
The malicious actor responsible for the breach attempted to extort the company by contacting them directly to negotiate the release of the data. Medibank refused, which led to the hacker releasing private medical information obtained in the breach on the dark web.
The hacker posted a file labelled “abortions” to a site backed by Russian ransomware group REvil on November 10, 2022, which apparently contained information on procedures that policyholders have claimed on, including miscarriages, terminations and ectopic pregnancies.
They also released files containing customer data called “good-list” and “naughty-list” on November 9, 2022. The so-called “naughty-list” reportedly includes details on those who had sought medical treatment for HIV, drug addiction or alcohol abuse or for mental health issues like eating disorders.
The hacker added to the November 10 data leak post, saying: “Society ask us about ransom, it’s a 10 millions (sic) usd. We can make discount 9.7m 1$=1 customer.”
During question time in Australian Parliament on November 10, minister of home affairs Clare O’Neil hit back at the hackers, saying: “I want the scumbags behind this attack to know that the smartest and toughest people in this country are coming [at] you.
“I want to say, particularly to the women whose private health information has been compromised overnight, as the minister for cyber-security but more importantly, as a woman, this should not have happened, and I know this is a really difficult time.”
David Koczkar, CEO of Medibank, called the release of the data “disgraceful” and a “weaponization of people’s private information”. He also called those involved in the cyber-attack and data leak “deplorable”.
In an attempt to protect those affected by the cyber security incident and the subsequent data leaks, Medibank urged members of the public and the media to not “unnecessarily download sensitive personal data from the dark web” and to “refrain from contacting customers directly”.
Toyota admits to data breach after access key is posted on GitHub
On October 7, 2022, Japanese car manufacturer Toyota issued a statement and an apology after it was discovered that third parties may have gained unauthorized access to customer details between December 2017 and September 2022.
The breach occurred because a section of the source code for T-Connect, an app which allows customers to connect their phone to their car, had been posted on source code repository GitHub in December 2017. As the source code contained an access key for the server, this may have allowed unauthorized access to customer data for five years.
Any customers who registered for the app from December 2017 to September 2022 were at risk for their data being accessed, meaning the data for a potential 296,019 customers may have been leaked. The information available for access included email addresses and customer management numbers. Personal or sensitive information including payment card information, name and address were not accessed.
Following a security investigation, Toyota said that while it “cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time [it] cannot completely deny it”.
Toyota also said that it would individually notify all those who were affected by the breach.
MyDeal data breach impacts 2.2 million people
Australian online retail marketplace MyDeal confirmed in October 2022 that it was the victim of a data breach that exposed the data of around 2.2 million customers.
The retailer, which is a subsidiary of supermarket chain Woolworths, said that it would be contacting all those affected by the breach via email, as well as alerting the “relevant regulatory authorities and government agencies”.
Woolworths said that the breach was caused by a malicious actor using “a compromised user credential” to gain unauthorized access to MyDeal’s Customer Relationship Management (CRM) system.
Customer information exposed during the cyber-attack included names, dates of birth, phone numbers and email addresses. For 1.2 million customers, the data exposed was limited to their email address. Confidential information like passport, payment card and drivers license details is not stored by MyDeal, and therefore was not exposed in the hack.
Vulnerabilities in GPS tracker could put 1.5 million vehicles in danger
A GPS tracker manufactured by Chinese company MiCODUS was been revealed to have numerous critical cyber security vulnerabilities that could allow bad actors to remotely hack a vehicle’s system in August 2022.
At the time of the discovery, the MiCODUS MV720 GPS tracking device had been sold to customers across 169 countries and installed in more than 1.5 million devices.
The critical cyber security issues were first discovered by cyber security startup BitSight. Following the discovery of the vulnerabilities, BitSight informed the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The CISA confirmed that “successful exploitation of these vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands and the disarming of various features (e.g. alarms)”.
In a report on the vulnerabilities, BitSight said it had found MiCODUS devices were being used by a range of organizations including “a Fortune 50 energy company, a national military in South America, a national government and a national law enforcement organization in Western Europe, and a nuclear power plant operator”.
It was also revealed that MiCODUS has a global customer base of 420,000, with 1.5 million devices sold. However, BitSight did note that it was unable to determine the number of MiCODUS MV720 units currently in use globally, as well as the number of MiCODUS devices used for personal or businesses uses.
Data breach sees Telstra employees’ details posted online
Australian telecommunications company Telstra revealed on Tuesday that it had been hit by a data breach that had revealed the details of 30,000 current and former employees.
The details included employee’s first and last names and email addresses, and were posted on hacking forum BreachedForums.
In a tweet, Telstra confirmed that the data leak “wasn’t a breach of any Telstra system” and that it has notified its employees and authorities first, before notifying former employees, despite “minimal risk” to them.
A Telstra spokesperson said the company had been “made aware of a data breach affecting a third party that included limited Telstra employee information from 2017.”
Of the information shared, 12,800 of the employees named were current employees.
Details of 11 million customers accessed in Optus data breach
Australian telecommunication company Optus suffered a devastating data breach on September 22, 2022 that led to the details of 11 million customers being accessed.
The information accessed includes customers’ names, dates of birth, phone numbers, email addresses, home addresses, driver’s license and/or passport numbers and Medicare ID numbers. Payment detail and account passwords were not compromised in the breach.
Optus confirmed that it has now contacted all customers to notify them of the cyber-attack’s impact, beginning with those who had been affected by the breach and finishing with those who had not had their data accessed.
Someone claiming to be the hacker told Australian journalist Jeremy Kirk that they had “accessed an unauthenticated API endpoint” meaning that they did not have to log in to access the data and that it was “all open to internet for any one[sic] to use”.
A person claiming to be the hacker responsible for the data breach posted a small sample of the customer data stolen to the hacking forum BreachedForums on September 23.
Using the alias optusdata, the hacker demanded that Optus pay them $1mn ransom, or they would leak the data of all 11 million customers affected by the breach. When Optus did not respond to the ransom demand, optusdata then posted a text file of 10,000 customer data records on September 26, allowing other malicious actors to use the data in their own phishing campaigns.
Victims of the breach reported on September 27 that they had been contacted with demands that they pay AU$2,000 (US$1,300) or their data will be sold to other hackers.
However, on the same day, the supposed hacker posted a new message on BreachedForums, rescinding their demand and apologizing to Optus.
The hacker said there were “too many eyes” so they will not be selling the data to anyone and claimed that they had deleted all the data from their personal drive, and that they had not made any copies. They offered an apology also to the 10,200 people who had their data exposed via their posts on BreachedForums, and to Optus itself, saying “hope all goes well with this”.
They finished by saying they “would have reported [the] exploit if [Optus] had [a] method to contact” and that while the ransom was not paid, they “dont[sic] care anymore” as it was a “mistake to scrape publish data in the first place”.
