Poor security led to pathology hack | Information Age

/in


Pathology company Australian Clinical Labs has come under fire from Australia’s privacy watchdog for a 2022 cyber attack which saw credit card details and health records for more than 200,000 people leaked to the dark web.

The Office of the Australian Information Commissioner (OAIC) has taken ACL to court with allegations the company had “serious and systemic” failures leading to the attack.

In October of last year, while Australia had its focus on a landmark data breach at health insurer Medibank, the parent company of medical testing company Medlab – Australian Clinical Labs (ACL) – revealed it had suffered a significant cyber attack of its own.

The incident was largely overshadowed by similar happenings at Medibank and Optus, however, it saw the personal information of at least 223,269 individuals exposed to a hacker group known as Quantum, which exfiltrated 86GB of data including passport numbers, health information and credit card details.

Notably, the attack took place in February last year – eight months before being publicly confirmed by ACL.

Much of the stolen data appeared on the dark web in June 2022 – approximately four months prior to ACL’s public confirmation of the incident.

Serious allegations levied at ACL

The OAIC alleges ACL “seriously interfered with the privacy of approximately 21.5 million individuals”, whose personal information it held, by “failing to take reasonable steps” to protect said information from unauthorised access or disclosure.

In its concise statement, the commissioner notes ACL still does not know the precise time or method of the attack, but that it started “on or before” 25 Feb 2022 when Quantum attacked the Medlab computer network operated by ACL.

According to the statement, an employee discovered the attack at approximately 5:00am when they attempted to access a computer on the Medlab network, only to find a ransomware demand sitting on the desktop.

The employee soon after notified Medlab’s IT team, and by 9.00am the ransom note had appeared on other computers on the Medlab network in Brisbane and Sydney.

The OAIC notes ACL – which hit nearly $1 billion in revenue during financial year 2022 – did…

Source…