Cyber Brief for CFOs: March 2024

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all the essential stories in our cyber brief so your team can stay secure.

VIC Police: Medibank breach linked to “over 11,000 cybercrime incidents”

In a submission to a parliamentary enquiry, Victoria police say they’ve linked over 11,000 cybercrime incidents to the Medibank data breach as part of Operation Guardian, a joint initiative combating the misuse of personal data from major hacks. Initially focused on the Optus breach, the operation expanded to address subsequent breaches, including Medibank, which affected 9.7 million customers. 

The number of linked incidents underscores the extensive exploitation of the stolen data, confirming what Eftsure warned about last year in our webinar “How data breaches land at Finance’s door.” 

“Recent attacks illustrate the severity [of cyber attacks],” reads the submission. “The Optus and Medibank Private data breaches impacted over 942,000 Victorians, many of whom continue to turn to Victoria Police for advice and support as they are at risk of identity crime. 

“Operation Guardian has so far linked over 11,000 cybercrime incidents to the Medibank data breach.”

Not sure if your details have been exposed in a data breach? Make sure to check out our free checker tool. 

Three Sydney men allegedly sent more than 80m scam texts

In an investigation into an SMS phishing operation, NSW police have charged three men who they say used large SIM boxes to send millions of fraudulent texts. The texts allegedly mimicked legitimate institutions for financial gain. 

During a raid, authorities also found SIM cards, mobile phones, drugs, and substantial identity information. The scam’s scale is notable, with one device sending over 80 million messages in five months. The men face charges related to the scam and identity misuse, with one also charged with drug possession. They were denied bail and await their next court appearance.

Australian businessman almost loses $25m to scammer

A recent scam attempt on an Australian businessman, “John,” highlights a worrying trend: scammers are using in-depth white-collar acumen to target executives and high-net-worth individuals, often with laser-focused targeting that would put even the savviest marketing teams to shame. 

Posing as a seasoned HSBC executive, the scammer nearly convinced John to transfer $25 million by leveraging his previous banking inquiries and offering slightly better investment rates, all underpinned by convincing financial jargon and forged documents. Read more about how it unfolded – and how John was alerted to the scam – as well as what finance leaders should take away from this alarming pattern. 

US health industry still reeling from ransomware attack

Deemed the most severe attack in the US healthcare sector’s history, the Change Healthcare ransomware incident has significantly disrupted services, with 60% of affected entities facing daily revenue losses of over $1 million. 

The attack has halted payments for healthcare providers, with some considering extreme financial measures to meet payroll. Examples include a cancer centre risking medication supply, a therapist missing substantial payments, and individuals paying out-of-pocket for essential medications. In response, the U.S. government and UnitedHealth Group have advanced billions to support providers, highlighting the attack’s profound impact on healthcare infrastructure and the urgent need for comprehensive cybersecurity measures.

Jail time for man who committed ANMM insider fraud

Roughly one year after the incident first landed in the press, a former IT support contractor for the Australian National Maritime Museum has been jailed for a minimum of 15 months following a ‘trusted insider’ fraud incident. At 25 years old, the Macquarie Park man manipulated financial systems to siphon over $66,000 from individuals and businesses associated with the museum. His spending spree included 4WD upgrades and sophisticated IT equipment.

Detected after the museum noticed financial discrepancies, he received a two-and-a-half-year sentence. The case is a stark reminder that external actors aren’t the only threat to your organisation, and that insider incidents unfortunately can and do happen.