The federal government agency responsible for the roll out of the My Health Record claims Australians’ health information is safe in the wake of a massive data exposure by the company contracted to secure MHR against cyber attack.
Global professional services company Accenture inadvertently exposed at least four cloud-based storage servers, leaving the contents unsecured and publicly downloadable. But the Australian Digital Health Agency said its data remains secure.
“There has been no impact on the My Health Record system following media reports of an alleged data breach at Accenture in the United States,” an ADHA spokesperson told Healthcare IT News Australia.
“The My Health Record system securely stores and can only ever securely store information in Australia, in accordance with Australian legislation.”
There must have been some initial concerns, with Accenture claiming the agency had sought confirmation from the company that My Health Record data was not affected.
“The Australian Digital Health Agency (ADHA) has sought assurance from Accenture and we have given it,” Accenture said in a statement.
Discovered by Australian and US cyber security company UpGuard, and revealed on Wednesday in a blog post, the Accenture oversight exposed a 137 gigabyte trove of highly sensitive information, including authentication credentials, decryption keys, certificates and customer information.
“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,” UpGuard’s Dan O'Sullivan wrote on the company’s Breach Analysis blog.
“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The spectre of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients.”
According to UpGuard, Caltex Australia data was caught up in the security failure, but the transport fuel company claimed only 2 1/2 year old "dummy" data used for testing the Accenture Cloud Platform was exposed. Caltex said it chose not to buy the product.
“Enterprises must be able to secure their data against exposures of this type, which could have been prevented with a simple password requirement added to each bucket,” O'Sullivan wrote.
Accenture was chosen by the Department of Health and Ageing in 2011 to design and implement the Personally Controlled Electronic Health Record (PCEHR) system — now the My Health Record.
According to the Sydney Morning Herald, when an unidentified Accenture employee was asked if the company should be trusted to manage the national ehealth infrastructure, the reply was: “No.”
The exposure is now closed and an investigation is ongoing, Accenture has said.
It comes as the government conceded this week that poor cyber security by a sub-contractor providing services for the Department of Defence allowed hackers to steal 30 gigabytes of highly sensitive data, including information on Australia's naval vessels, warplanes and $14 billion Joint Strike Fighter program.
So lax was cyber security at the defence sub-contractor, it used default logins and passwords such as “admin”.
Yesterday, Australian Signals Directorate official Mitchell Clarke described the data breach as “extensive and extreme”, and said a “significant” amount of data had been stolen over four months in 2016.
Analysis showed the malicious actors gained access to the network by exploiting an internet-facing server and once inside were able to establish access to other private servers on the network.
But Defence Industry Minister Christopher Pyne told Radio National's Breakfast program today the government is not to blame.
“I don't think you can try and sheet blame for a small enterprise having lax cyber security back to the federal government. That is a stretch,” Pyne said.
Also this week, the Minister Assisting the Prime Minister for Cyber Security Dan Tehan, in an address to the National Press Club launching the Australian Cyber Security Centre’s 2017 Threat Report, said the ACSC had responded to 734 cyber incidents affecting private sector systems of national interest and critical infrastructure providers during the year. Another 7283 cyber security incidents had affected major Australian businesses.
The ACSC report found that cyber incidents had increased by 15 per cent on the previous year and attacks were increasingly more elaborate.
“It is clear that the malicious actors looking to target major systems and critical infrastructure are increasing the sophistication of their vectors,” Tehan said.
“In terms of government, in 2016/17 our networks were regularly targeted by cybercriminals, issue-motivated groups and individuals, and nation states.”
Reports to the ACSC also indicated losses of over $20 million from business email compromise in 2016/17, up from 8.6 million dollars in 2015-16 — an increase of more than 130 per cent.
Despite the alarming figures, cybercrime is still under-reported, Tehan said.
Accenture’s 2017 Global Risk Management Study claimed that cyber security was the leading concern for organisations.
“Cyber risk, for example, which was barely mentioned by our study respondents five years ago, has leapt to the top of the list of concerns. Dealing with these sorts of emerging risks requires organisations to invest in new capabilities, promote better integration across the business, and focus on smart technologies,” the Accenture report found.