Pathology company Australian Clinical Labs has come under fire from Australia’s privacy watchdog for a 2022 cyber attack which saw credit card details and health records for more than 200,000 people leaked to the dark web.

The Office of the Australian Information Commissioner (OAIC) has taken ACL to court with allegations the company had “serious and systemic” failures leading to the attack.

In October of last year, while Australia had its focus on a landmark data breach at health insurer Medibank, the parent company of medical testing company Medlab – Australian Clinical Labs (ACL) – revealed it had suffered a significant cyber attack of its own.

The incident was largely overshadowed by the Medibank and Optus breaches; however, it saw the personal information of at least 223,269 individuals exposed to a hacker group known as Quantum, which exfiltrated 86GB of data including passport numbers, health information and credit card details.

Notably, the attack took place in February last year – eight months before being publicly confirmed by ACL.

Much of the stolen data appeared on the dark web in June 2022 – approximately four months prior to ACL’s public confirmation of the incident.

Serious allegations levied at ACL

The OAIC alleges ACL “seriously interfered with the privacy of approximately 21.5 million individuals”, whose personal information it held, by “failing to take reasonable steps” to protect said information from unauthorised access or disclosure.

In its concise statement, the commissioner notes ACL still does not know the precise time or method of the attack, but that it started “on or before” 25 Feb 2022 when Quantum attacked the Medlab computer network operated by ACL.

According to the statement, an employee discovered the attack at approximately 5:00am when they attempted to access a computer on the Medlab network, only to find a ransomware demand sitting on the desktop.

The employee soon after notified Medlab’s IT team, and by 9:00am the ransom note had appeared on other computers on the Medlab network in Brisbane and Sydney.

The OAIC notes ACL – which hit nearly $1 billion in revenue during financial year 2022 – did not have a dedicated cyber security team in place during the incident, with its response being led by an IT team leader and overseen by the company’s chief information officer.

“None of those personnel had formal cyber security qualifications or experience in responding to a cyber attack,” reads the statement.

It goes on to outline the day of the attack, during which the IT team leader was provided with playbooks for dealing with ransomware and malware.

“Before then, the IT Team Leader had not seen, used, or received training on these playbooks.

“She had received no cyber security training at all.”

According to the OAIC, critical steps specified in the playbooks – such as analysing the ransomware to determine its capabilities or taking images of infected systems before wiping them – were not implemented during the incident response.

Furthermore, the commissioner noted ACL’s cyber security budget for 2022 was $350,000 – a figure which was “significantly lower than that of industry standards”.

During its response to the incident, ACL brought in third-party firm StickmanCyber for assistance.

While StickmanCyber spent 44.5 hours on the engagement, the OAIC found the firm deployed monitoring agents on only three of the at least 121 computers affected by the ransomware.

According to the statement, StickmanCyber concluded the attack was carried out through a phishing email, but did not investigate whether the threat actor had established persistence mechanisms to retain access to the impacted Medlab network.

Furthermore, the commissioner noted StickmanCyber suggested ACL prepare a statement on the malware incident, but ACL did not act on said suggestion.

Slow to report data breach

At the time of its engagement, StickmanCyber concluded no data had been taken during the attack.

While swathes of stolen data later showed up on the dark web, the statement suggests ACL did not initially deem the attack an “eligible data breach”, nor did it inform the OAIC about the attack.

In March 2022, the Australian Cyber Security Centre (ACSC) informed the company it had received intelligence of Medlab potentially being the victim of a ransomware incident, but ACL did not reopen its investigation.

The ACSC sent a second notification in June 2022, this time raising concerns that stolen data was being published by Quantum, including credit card details, personally identifiable information, and health information.

Some three weeks later, ACL provided the OAIC with a statement regarding the incident.

The commissioner alleges ACL failed to notify it as soon as practicable, effectively contravening certain requirements of the Privacy Act.

The case is ongoing, with the commissioner seeking both civil penalties and costs related to its allegations.