Following the recent data breach affecting Australian consumer lender Latitude Financial, the government is currently trying to protect its citizens from proliferating ransomware attacks.
Latitude first reported the attack on March 16, when it announced that the company had detected unusual activity on its systems, most likely originating from one of Latitude's major vendors.
"The attacker appears to have used the employee login credentials to steal personal information that was held by two other service providers," the post stated.
According to Latitude's March 27 update, no suspicious activity was observed after March 16. However, the damage caused by the attack was so great that the Latitude hack became the largest cyber incident in the history of Australia and New Zealand.
"As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver’s license numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last 10 years. In addition, approximately 53,000 passport numbers were stolen. We have also identified less than 100 customers who had a monthly financial statement stolen," the official report states.
Latitude also estimates that "approximately 6.1 million records dating back to at least 2005 were also stolen, of which approximately 5.7 million, or 94%, were provided before 2013." The company promised to reimburse customers willing to replace their stolen ID documents, as the stolen records contain important personal information such as names, addresses, birth dates, and phone numbers.
Malicious actors can use stolen information in numerous ways, but one of the most common is demanding a ransom. The Australian Cyber Security Centre (ACSC) recommends never paying a ransom: there is no guarantee that victims will regain access to their information, and the stolen data may still be sold, posted online or even trigger further ransomware attacks. Even so, there is an ongoing debate about the possibility of introducing an official ban on paying ransoms.
In the subsequent April 11 update, Latitude shared with readers its decision not to pay a ransom to the attackers, calling the company's stance "consistent with the position of the Australian Government," and adding that Latitude "will not reward criminal behavior, nor do we believe that paying a ransom will result in the return or destruction of the information that was stolen. In line with advice from cybercrime experts, Latitude strongly believes that paying a ransom will be detrimental to our customers and cause harm to the broader community by encouraging further criminal attacks."
Meanwhile, some experts from the technology and legal sectors, including Andrew Truswell, director of technology law firm Biztech Lawyers, and cybersecurity minister Clare O'Neil, are considering the potential benefits of banning ransom payments.
"When we have an ecosystem where people are constantly paying ransoms then it makes it look like Australia is a soft target, and we are not a soft target," O'Neil told The Australian. "There are many Australian companies that do not pay ransoms, and certainly the advice with the Australian government is we would ask you not to do that," she added.
At the same time, not paying ransoms can cause serious damage. For example, the criminal group that attacked Medibank in 2022 released the personal data of the company's customers because the company refused to pay a ransom. Some cases can be life-threatening, and a complete ban on ransom payments could even cost lives.
Cryptocurrency and ransomware
If the Australian government decides to officially ban ransom payments, such a policy may also include new regulations on cryptocurrencies, which are one of the main mediums attackers use to receive a ransom. Unfortunately, the benefits of cryptocurrencies, which are widely enjoyed by honest users, also make digital assets one of the best solutions for malicious actors. For example, according to statistics from Marsh, a global company specializing in insurance broking and risk management, nearly 98% of all ransomware payments are made in Bitcoin.
Besides the low transaction fees and fast transfers without middlemen that cryptocurrencies offer, there is also pseudo-anonymity.
Crypto transactions do not reveal any personal information about the parties involved in money transfers, although the transactions themselves are recorded on the public ledger. Anonymity can be further enhanced with the help of cryptocurrency mixers, special platforms that mix coins from different sources together and send them back to their owners. The owners, in turn, receive their money with an obfuscated origin, which makes it challenging to trace the history of transactions involving money received as a ransom.