Qantas Incident Highlights That One Phone Can Exploit the Weakest Link in Cybersecurity: Humans

A phone call may be coming your way. Qantas revealed this week that cybercriminals stole the personal data of as many as 6 million customers after compromising a third-party system used by an offshore call centre.

The incident adds to a troubling run of cyberattacks on major Australian organisations, following the Optus and Medibank breaches that exposed the personal information of millions and, more recently, attacks on Australia's $4 trillion superannuation sector.

The attack on Qantas follows recent warnings that the group known as Scattered Spider has been targeting the airline sector. The group relies on social engineering to talk employees and contractors into granting access, which lets it get around multifactor authentication without ever defeating it technically.



New technology brings old methods

No matter how promptly a company patches and hardens its systems, attackers keep falling back on social engineering, which targets the weakest link: human behaviour.

Social engineering is not new. It is the craft of tricking people into revealing sensitive information or granting access, and it predates the internet.

Phishing, the most common form, uses emails or messages crafted to look legitimate in order to lure unsuspecting users into handing over their credentials.

The telephone variant, known as vishing, demands more of the attacker, who has to be persuasive enough on a live call to talk an employee into giving up sensitive information or approving access.

The arrival of easy-to-use artificial intelligence tools, including voice cloning, has made such calls simpler for cybercriminals to stage.

The latest report from Australia's information commissioner, covering the second half of 2024, recorded a significant rise in reported breaches caused by social engineering, particularly affecting government agencies and the finance and health sectors.

The Qantas breach exposed details including names, email addresses, phone numbers, dates of birth and frequent flyer numbers. A breach like this may not lead directly to financial theft, but with every new incident in Australia attackers can aggregate stolen data from multiple sources and use it to target fresh victims.

Data breaches lead to more data breaches

In April, the superannuation industry acknowledged that hackers had used credentials harvested from earlier breaches to get into members' accounts, a tactic known as credential stuffing.

Only a small number of members lost money, about $500,000 in total, though for members who have not yet reached retirement age that is a significant loss.
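Credential stuffing of the kind described above leaves a recognisable trace in authentication logs: one source cycling through many different usernames with a high failure rate and the occasional success. The script below is an added example, not code from the Guardian article or from any fund, and both the log format and the sample lines are constructed for the illustration. It parses the lines, groups attempts by source IP, applies a sliding time window, and reports the accounts that logged in successfully from a flagged source, which are the ones to force through re-authentication.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format invented for this example).
# 203.0.113.7 tries eight different accounts in a few seconds with two successes;
# 198.51.100.4 is a single user who mistypes a password and then logs in.
SAMPLE_LOG = """\
2025-04-01T02:00:01Z ip=203.0.113.7 user=alice result=FAIL
2025-04-01T02:00:02Z ip=203.0.113.7 user=bob result=FAIL
2025-04-01T02:00:02Z ip=203.0.113.7 user=carol result=OK
2025-04-01T02:00:03Z ip=203.0.113.7 user=dave result=FAIL
2025-04-01T02:00:03Z ip=203.0.113.7 user=erin result=FAIL
2025-04-01T02:00:04Z ip=203.0.113.7 user=frank result=FAIL
2025-04-01T02:00:05Z ip=203.0.113.7 user=grace result=OK
2025-04-01T02:00:06Z ip=203.0.113.7 user=heidi result=FAIL
2025-04-01T02:10:00Z ip=198.51.100.4 user=ivan result=FAIL
2025-04-01T02:10:09Z ip=198.51.100.4 user=ivan result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "ip": m["ip"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any `window`, attempt at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`.
    Thresholds are assumptions for the example; tune them to your own traffic.
    Returns {ip: {"distinct_users": int, "compromised_accounts": [user, ...]}}.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                hit = findings.setdefault(
                    ip, {"distinct_users": 0, "compromised_accounts": set()}
                )
                hit["distinct_users"] = max(hit["distinct_users"], len(users))
                # Successful logins from a stuffing source are the accounts at risk.
                hit["compromised_accounts"].update(
                    e["user"] for e in win if e["result"] == "OK"
                )

    for hit in findings.values():
        hit["compromised_accounts"] = sorted(hit["compromised_accounts"])
    return findings


if __name__ == "__main__":
    for ip, hit in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {hit['distinct_users']} accounts tried, "
              f"force re-auth for {hit['compromised_accounts']}")
```

The per-IP view is the simplest cut; real stuffing campaigns spread attempts across proxy pools, so the same window logic is usually also run per ASN or per user-agent fingerprint, and the successful logins it surfaces are the accounts to lock or step up to multifactor authentication before any withdrawal is allowed.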



The Albanese government has been warned that the attack signals wider risks within the financial sector. In an incoming-government brief released under freedom of information laws, the Australian Prudential Regulation Authority (APRA) cautioned that superannuation assets are exposed to cyber threats.

“The prevalence and frequency of cyberattacks on large pension funds reinforce the necessity for enhancing our capabilities in managing both cyber and operational risks,” stated APRA.

“Despite only a small number of accounts reporting fraudulent withdrawals, it highlights the need for the sector to mature its cybersecurity and operational resilience.”

“As the sector expands and more members retire, continuity and increasing interconnectedness with the banking sector are crucial.”



APRA warned the industry in 2023 that multifactor authentication was critical, yet some funds had still not implemented it by the time of the April breach.

Regulators noted an ongoing wave of cyberattacks on the banking and insurance sectors and said those industries need to keep testing their defences against emerging threats.

Who is at the most risk?

According to Craig Searle, global leader in cyber advisory at Trustwave, the healthcare, finance and technology sectors, along with critical infrastructure such as telecommunications, are the most exposed to cyber threats.

“The technology sector is especially at risk due to its pivotal role in digital infrastructure and interconnected supply chains,” he explained. “Recent high-profile supply chain attacks demonstrate how breaches of a single tech provider can ripple through to hundreds or thousands of downstream clients.”

“Overall, the sectors facing the highest risks are those that manage valuable data, maintain complex supply chains, and deliver critical services.”

Searle said attackers deliberately go after third-party systems and outsourced IT support, which is a significant risk for large corporations, as the Qantas breach shows.

“The interconnected dynamics of the digital supply chain can lead to vulnerabilities among partners or contractors, creating a ripple effect that compromises sensitive data far beyond the initial breach,” he remarked.

Christiaan Beek, senior director of threat analysis at Rapid7, said third-party systems are now integral to how many organisations operate, which makes them prime targets for cybercriminals.

“Organizations must apply adequate levels of due diligence when evaluating the security protocols of these third-party systems to mitigate the risk of data being compromised.”

Searle said organisations need a proactive security posture: applying software patches quickly and putting strong access controls, such as multifactor authentication, in place.

Beek agreed that organisations must be proactive, with executive leadership taking responsibility for cybersecurity under board oversight.

“The new tactics utilized by modern cybercrime groups extend beyond standard security management protocols,” he warned. “These unconventional approaches compel us to rethink the typical defensive strategies, especially regarding social engineering tactics and how we counter them.”

Source: www.theguardian.com