Medical testing company Australian Clinical Labs had “serious and systemic failures” that resulted in a cyber-attack that led to more than 200,000 customer health records and credit card details being published on the dark web, the Australian information commissioner has alleged.
In October last year, in the midst of the Medibank and Optus cyber-attacks, Medlab’s parent company, ACL, confirmed it had been the victim of a cyber-attack eight months earlier in February.
The hacker group responsible – known as Quantum – was able to exfiltrate 86GB worth of data, including customer passport information, health information, and credit card details including number, expiry date and CCV.
The data had been published on the dark web on 16 June last year, four months before ACL publicly confirmed the attack.
This month, the Office of the Australian Information Commissioner (OAIC) took ACL to court over its failure to protect customer data during the breach. The OAIC’s concise statement, released last week, alleges significant failures by the company to protect customer data and inform the commissioner about the breach when required.
According to the documents, within four hours of the first employee noticing the ransomware message on a desktop computer in Medlab, it had spread to other computers in Brisbane and Sydney, which were then encrypted by the attackers.
ACL, which generated revenue of almost $1bn during the 2022 financial year, did not have a dedicated cybersecurity team, the documents state. Its response was led by an IT team leader, overseen by ACL’s CIO and head of technical services, but the OAIC alleges none of these staff had formal cybersecurity qualifications or experience in responding to a cyber-attack.
The head of technical services provided the IT team leader with the company’s playbooks for ransomware and malware, but the IT team leader had not been trained to use them, and the OAIC alleges critical steps in the playbook were not followed, including analysing the ransomware.
The company then brought in a third-party company, StickmanCyber, to assist in the response. The OAIC found that monitoring agents were only deployed on three of the at least 121 computers infected with ransomware.
StickmanCyber’s short engagement with ACL, including reviewing one hour of firewall logs and dark web scans, concluded at the time no data had been taken.
By 21 March 2022 the IT team leader, after a conversation with the company’s general counsel, sent an email stating “as per information available to the IT department there was no unauthorised access, disclosure, or loss of any personal information … as a result of the incident”. The company did not inform the OAIC about the attack.
On 25 March, the Australian Cyber Security Centre (ACSC) informed ACL it had intelligence that Medlab may be a victim of a ransomware attack, and reminded ACL of its notification requirements. ACL did not investigate further, the OAIC alleges.
The ACSC alerted ACL again on 16 June that data had been published to the dark web. It would take the company nearly one month (10 July) to inform the OAIC, which the OAIC alleges is in breach of the act. ACL would take until October to announce the breach publicly.
The OAIC alleges ACL was “aware of serious deficiencies in its cybersecurity framework” at least nine months before the cyber-attack, and did not take appropriate steps to protect personal information.
The OAIC said the failures were “serious and systemic”, noting that ACL’s IT budget was $1.3m in 2022, with a cybersecurity budget of $350,000 – “significantly lower than that of industry standards”, the OAIC alleges.
The OAIC is seeking civil penalties and costs.
A spokesperson for ACL said the company is “vigorously defending the action”.
The case continues.
The OAIC is still investigating Optus and Medibank over cyber-attacks last year, which could lead to similar court action against the two companies.