As Australia reels from yet another ‘extremely dangerous’ data breach, the Australian Bureau of Statistics has revealed it has repelled nearly a billion census cyberattacks.
Australian statistician Dr David Gruen told the Melbourne Business Analytics Conference last week that after the 2016 distributed denial of service attacks that led to the first digital census being taken offline by the ABS for 40 hours, every effort has been made to protect the census and its data.
“In fact, everything went well even though there were just under a billion cyberattacks on our digital census system on Census Day, August 10, 2021,” he said.
“A billion is not a misprint.”
An ABS spokesperson said census systems were open from July 28, 2021 to October 1, 2021, and during that time public-facing systems were under constant attack.
“Although it is difficult to quantify what an attack is, in our case it was obviously malicious connections that we blocked, either automatically or manually,” they said.
“On Census Day alone, we blocked 308,735 malicious connections, and by investigating these, we blocked 130,000 IP addresses that were the source of this attack traffic.”
In response to Australia’s latest ransomware attack, which left Medibank customers worried about having their health information made public, cybersecurity minister Clare O’Neil said cyberattacks are part of “this new world”.
“There’s an element here that cybercrime is growing very rapidly around the world – there was an Interpol conference yesterday where the kind of police chiefs from around the world came together and their message to the community was that the cybercrime is now their primary crime of international concern,” she said.
“And that’s the new world we live in. We’re going to have relentless cyber attacks, basically starting now.”
Medibank is the second major data breach in less than a month after Optus systems were breached in September.
One in two Australians responding to an Essential poll earlier this month said they wanted stronger privacy laws in light of the Optus hack. O’Neil reported that the government was working on new legislation.
“I think [Medibank] combined with Optus, it’s a huge wake-up call for the country,” she said.
“And it certainly gives the government a very clear mandate to do some things that frankly probably should have been done five years ago, but I think are still critically important.”
O’Neil said she was particularly concerned because of the sensitive nature of the information held by Medibank.
“A lot of cybercrime involves financial or identity information, which is very problematic when it gets into the public domain – what we have here is information held by this organization, which is information about health care, and which alone, if made public, can cause immense harm to Australians,” she said.
The ABS launched its census security strategy in 2018, but said it was an ongoing project. Before the census, it prepared with DDoS tests, operational simulations and penetration tests of private and public organizations to ensure that the system was suitable.
ABS said it will continue to prepare for malicious cyberattacks and has taken additional steps to protect the data it holds, including testing its systems with registered information security assessors accredited by the Australian Cyber Security Centre.
“After data collection and processing, names and addresses are removed from other personal and household information,” the ABS spokesperson said.
“Names and addresses are separated from other census data to protect confidentiality. We store names and addresses securely and separately from each other.
“For the 2021 census, the ABS will delete all names within 18 months of the census and addresses within three years. All paper forms for the 2021 census have been destroyed.”
The AFP has opened an investigation into the Medicare hack.