cythera-logo-darkmode
Are you experiencing a security incident?
Incident Response
Assess & Improve
Detect & Respond
Protect & Secure
Advise & Empower
Resources
Case Studies
Real-world examples
Articles
In-depth insights
Advisories
Newly discovered threats
About us
Leadership Team
Meet the experts
Events
Join upcoming events
Award & Certifications
Industry recognitions
Vendor Partners
Trusted vendors
Talk to an expert
Service Category
Services
Popular Services
Employee Cyber Training & Awareness
Train smart and stay secure
Advisory
Secure smarter with strategic security advisory
Managed Protection
Always-on protection. Smarter security
Security Architecture
Security that drives real results, cloud to full stack
Digital Forensics & Incident Response
DFIR experts, ready when you need them.
Cyber Threat Intelligence
Real time insights from Cassini CTI
Managed Detection & Response
Our experts watch, so you don’t have to.
Certification & Accreditation
Get certified with ease
Audit & Assurance
Audits you trust. Assurance that drives action.
Governance, Risk & Compliance
Simplfy compliance, strengthen protection
Cyber Maturity Assessments
Level up your cyber security game
Penetration Testing
Penetration testing that spots weaknesses
Case Studies
    
Articles
    
Advisories
    
Web Filter, CASB & DLP (Cloud Access Security Broker & Data Loss Prevention)
Web Application Penetration Testing
Vulnerability Management
Vulnerability Assessment
vITSM
Virtual Security Architect (vSecArch)
vCISO
System Security Plan
System Architecture, Design & Implementation
Strategic Security Consulting
SWIFT CSCF
Specialist Testing
Source Code Review
Social Engineering & Phishing
Security Policy and Standard Development
Security Incident Response Testing
Security Awareness Training
Secure Access Service Edge (SASE)
Risk Management
Risk Assessment
Red Teaming
Purple Teaming
NIST CSF Maturity Uplift
Payment Card Industry (PCI)
OT/SCADA Network Penetration Test
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response Tabletop Exercise
Incident Response
Forensics
External Penetration Testing
Executive & Board Reporting
Executive and Board Security Governance Training
Essential Eight Assessment
Endpoint Protection
Email Security
DevSecOps Review & Implementation
Denial of Service (DoS) Testing
Design Reviews
Dark Web Monitoring
Controls Validation Audit
Continuous Certification
Compliance Programme Management
Configuration Reviews
Cloud Security Configuration
Cloud Posture & Security
CIS Critical Controls Assessment
Automated Patch Management
CI/CD Health Check
Artificial Intelligence (AI) Penetration Test
All of Government Marketplace
Advanced OSINT Training Course
Application Penetration Tests
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
External Penetration Testing
Essential Eight Assessment
Denial of Service (DoS) Testing
Dark Web Monitoring
cythera-logo-darkmode
Advise & Empower
Explore Solutions
Protect & Secure
Explore Solutions
Detect & Respond
Explore Solutions
Assess & Improve
Explore Solutions
Resources
Articles
Advisories
About Us
Explore Bastion
Leadership Team
Events
Award & Certifications
Our Community
Vendor Partners
Employee Cyber Training & Awareness
Advisory
Managed Protection
Security Architecture
Digital Forensics & Incident Response
Cyber Threat Intelligence
Managed Detection & Response
Certification & Accreditation
Audit & Assurance
Governance, Risk & Compliance
Cyber Maturity Assessments
Penetration Testing
Popular Services
NIST CSF Assessment
ISO 27001
Internal Penetration Testing
Incident Response
Talk to an expert
Resources
About Us
Articles
>
What can Australian business leaders learn from the $5.8M privacy fine
Cythera Cyber Security

What can Australian business leaders learn from the $5.8M privacy fine

CISOs are on notice after the Federal Court handed down a landmark $5.8M civil penalty - the first of its kind under the Privacy Act (1998).
Talk to an expert

CISOs are on notice after the Federal Court handed down a landmark $5.8M civil penalty - the first of its kind under the Privacy Act (1998). The Australian Information Commissioner initiated proceedings against Australian Clinical Labs for serious privacy failures and a lacklustre response to a data breach that struck just one month after acquiring MedLab. This case sets a startling new benchmark for regulatory enforcement and fundamentally reshapes how CISOs and CIOs must approach mergers, acquisitions, and technology integrations. The unmistakable message: organisations can no longer afford even short-term cybersecurity capability gaps.

I’ve summarised the three court findings, key failures and offer some recommendations for organisations to actively consider.

The court found three key contraventions:

  • $4.2M finding that ACL did not have adequate cybersecurity controls across the acquisition’s IT environment, so they “did not take reasonable steps to protect the personal information of those individuals that ACL held on certain Medlab servers from unauthorised access, modification or disclosure”
  • $800k finding that ACL failed to perform a reasonable and expeditious assessment of whether there were reasonable grounds to believe there was an eligible data breach.
  • $800k finding that ACL failed to prepare and give the OAIC a statement concerning the cyberattack as soon a practicable

There were stringent criticisms of ACL’s approach to the acquisition and integration of MedLab IT systems that have broad implications to the industry:

  • ACL did not identify the IT security vulnerabilities in MedLab systems prior to acquisition. While there was a 6-month plan for integration, the court found there were a number of key deficiencies including lack of Endpoint Detection & Response, weak authentication/MFA on high-risk services such as the VPN, insufficient log history on key security appliances and running EOL Microsoft servers.
  • ACL did not take ‘such steps as are reasonable in the circumstances’ to protect the personal information that MedLab systems held. The court explicitly highlighted the circumstances to be the size and nature of the ACL business, the volume and sensitivity of the information, the high industry cybersecurity risks facing ACL and the risk of serious harm to individuals if their personal information was breached.
  • There was inadequate testing of incident management processes as soon as MedLab was acquired. The ACL incident handler put in charge of the response had received no training on cybersecurity incident response, including malware and ransomware playbooks. Furthermore, it was found that those playbooks had multiple deficiencies in terms of role assignment, limited detail on containment processes and/or steps to mitigate data exfiltration.
  • The digital forensics investigation by the third-party provider was found to be inadequate due to their limited monitoring of the new environment, lack of research into the ‘Quantum Group’ ransomware group traits to determine if data exfiltration was likely and limited investigation of whether persistent mechanisms had been deployed by the group to stay connected to the environment. As ACL knew the investigation was limited it was found to be unreasonable to rely on that advice and conclude there had been no data breach.

These findings clearly challenge historical approaches to integration of new acquisitions and eliminates the preconception of a reasonable window of time to uplift operations falling short of cybersecurity benchmarks. While ACL cooperated with the OAIC, admitted liability and have committed to continuing to strengthen their data security, the $5.8M fine and public rebuke is impactful to any sized organisation and warrants fresh eyes on cyber security programs. To act on the clearly stated expectations of the Federal Court we recommend that organisations:

  • Perform an Essential Eight Cyber Maturity Assessment on your business and any acquisition targets to ensure you’ve covered the fundamental security technologies. We can perform this quickly with minimal stakeholder burden and board ready presentation outputs. Any gaps can be swiftly addressed with Cythera’s industry leading managed security suite of services.
  • Update cyber security incident and data breach response plans, likely with wholesale replacement of old artefacts with current best practices, and test them regularly with tabletop simulations at both the technical and executive levels.
  • Establish a digital forensics incident response (DFIR) retainer with Cythera’s expert team to enable lightning fast and appropriately comprehensive investigation of incidents to determine if a breach has occurred.

It is reassuring that the privacy of Australians is being protected in the courts. It’s now on Australian business leaders to investigate and uplift their cybersecurity practices. Contact us at Cythera for a pragmatic discussion on how to keep ahead of the curve.

Events

Latest events

Join Cythera experts for networking events, technical briefings, and hands-on workshops hosted throughout the year.
View all events
No items found.
Cyber security news

Latest advisories

Stay ahead of emerging threats with our expert blog posts, research, and industry updates.
Silverstripe - Host Header Injection
Silverstripe CMS is affected by a Host Header Injection flaw, which can be exploited to manipulate password reset workflows, potentially redirecting or compromising user data.
FarCry Core Framework - Multiple Issues
FarCry Core contains multiple vulnerabilities that could let unauthenticated users upload arbitrary files and execute remote code on the hosting server.
Silverstripe – Cross-Site Scripting (XSS) Vulnerability
With local organisation admin credentials, an attacker can exploit the API to create, delete, or revert virtual machine snapshots in other organisations’ Virtual Data Centres (VDCs), breaching isolation boundaries.
Advise & Empower
Protect & Secure
Detect & Respond
Assess & Improve
Back to top
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Dark
Resources
Case StudiesArticlesAdvisoriesOur ISO 27001 Certificate
About UsLeadership TeamEventsAwards & CertificationsOur CommunityVendor Partnership
Are you experiencing a security breach?
Incident Response
1300 298 437
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
© Copyright 2025. All rights reserved