Cyber Brief for CFOs: July 2024

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all the essential stories in our cyber brief so your team can stay secure.

CrowdStrike outage: scammers seize on opportunity

On 19 July, US cybersecurity firm CrowdStrike issued an ostensibly routine software update that caused a global IT outage, affecting millions of Windows devices. Amid disruptions to flights and businesses all over the world, cybercriminals have been quick to capitalise on the chaos.

Governments in the US and Australia have already issued warnings about related scams, with the Cybersecurity and Infrastructure Security Agency (CISA) flagging malicious activity such as phishing attempts. Meanwhile, Australia's National Anti-Scam Centre is urging caution around unsolicited calls or messages that promise to provide software patches or request remote access to fix a device impacted by the outage.

Remember: if someone is purporting to be a trusted contact like your bank or IT provider, contact them on an independently sourced number first.

Commonwealth fraud framework now in force

Earlier this year, the Australian federal government introduced and expanded standards around managing fraud and corruption risks, forming a three-part framework known as the Commonwealth Fraud and Corruption Control Framework.

As of 1 July 2024, that framework is in effect.

Part of the framework is the Fraud and Corruption Rule, which is binding for non-corporate Commonwealth entities and requires them to take steps to prevent, detect and respond to corruption and fraud. Even for other organisations, the government considers the requirements necessary for best practice, so it’s useful to understand the requirements around designing anti-fraud controls, documenting processes for auditors, and regularly assessing your defences.

Read more about the framework and Fraud and Corruption Rule.

Update on MediSecure attack: 12.9m Aussies' data stolen

Now-defunct eScripts provider MediSecure has revealed that a ransomware attack resulted in the theft of 12.9 million Australians' personal data. The attack was revealed in May but occurred far earlier, likely last year. The organisation had not previously disclosed how many Australians were impacted by the attack and has not contacted affected individuals directly.

The company, one of only two eScript providers in Australia until late last year, entered voluntary administration in June after the government declined to provide financial assistance. The Australian Federal Police is investigating the breach, while MediSecure cites financial constraints as a factor that limited its response to the attack.

Australian forensics inform new global warning about threat group APT40

Co-signed by cybersecurity authorities from multiple countries, a recent global advisory sheds light on APT40, a Chinese state-sponsored threat group.

Australian investigations into 2022 cyber breaches form the basis of the advisory. It claims the group has targeted Australian and regional networks, exploiting vulnerabilities in popular software and using web shells. Two case studies reveal APT40's methods – one involving large-scale sensitive data access and lateral movement, the other exploiting a remote code execution vulnerability to steal login credentials.

Learn more about APT40 and implications for finance leaders.

Westpac wins in $15m fruit stand fraud saga

A Sydney fruit stand, Fresh Xpress, and its owners are at the centre of a $15 million fraud case won by Westpac this month. The NSW Supreme Court found that the owners and staff fabricated financial records over five years to defraud the bank. The stolen funds were allegedly used to expand a Northern Territory farming operation and pay down mortgages in Sydney's inner-west. Westpac claims 90% of invoices from 2011-2020 were suspicious.

The case has spanned the better part of a decade, illustrating how serious and wide-ranging the consequences of fraud can be, even when an organisation has the resources of a major bank.

Internet providers and platforms face new scam liability

By the year’s end, the Australian government plans to introduce a law requiring internet companies to proactively prevent scams – or else face substantial fines.

The Australian Competition and Consumer Commission (ACCC) and Treasury are consulting with various industries to create a mandatory anti-scam code, legally obligating organisations to protect users and offer effective complaint services. The proposed law may see regulators facing off with tech giants, since it shifts legal liability onto internet providers. Non-compliance could result in fines up to $50 million or 30% of turnover.

Telstra slapped with $1.5m for scam exposure

Communications regulator ACMA has fined Telstra $1,551,000 for failing to follow proper customer identity verification processes 168,000 times between August 2022 and April 2023.

These breaches occurred during high-risk requests like password resets and SIM card swaps, potentially exposing customers to mobile fraud and SIM-swap scams. The regulator emphasized the severe consequences of such scams, with victims losing an average of $28,000. Telstra attributed the delay in adhering to new rules to the complexity of implementing multi-factor authentication across all channels.
