ozcomms

🛡️ Cybersecurity
Mid-Size Australian Bank • Financial Services • Sydney, NSW

Penetration Test That Uncovered a 6-Month Active Breach — Zero Regulatory Penalties

6 Mo
Breach Duration
0
Regulatory Fines
$4.5M
Costs Prevented

The Challenge

A mid-size Australian bank engaged OzComms for a routine penetration test as part of their APRA CPS 234 compliance requirements. They had no reason to suspect a breach — their internal security team ran monthly scans and their SIEM showed no alerts. What we found shocked them: an advanced persistent threat (APT) had been operating undetected for 6 months, exfiltrating customer data through DNS tunneling.

The Strategy

Our penetration test went beyond automated scanning to simulate real attacker behaviour:

  • External penetration testing — tested all internet-facing assets: web applications, APIs, VPN endpoints, and email gateways
  • Internal network assessment — simulated insider threat and lateral movement scenarios after initial access
  • Social engineering — tested employee susceptibility to phishing, pretexting, and USB drop attacks
  • Wireless security testing — assessed Wi-Fi networks for weak encryption, rogue access points, and guest network isolation
  • Active threat hunting — analysed network traffic, DNS logs, and endpoint behaviour for indicators of compromise (IoCs)
  • Compliance mapping — aligned all findings with APRA CPS 234, ISO 27001, and NIST frameworks

The Discovery

During the internal network phase, our team identified anomalous DNS queries originating from a compromised workstation in the customer service department. Further investigation revealed:

  • An APT group had gained initial access via a spear-phishing email 6 months prior
  • The attackers had established persistence through WMI event subscriptions and scheduled tasks
  • Data exfiltration was occurring via DNS tunneling to avoid detection by traditional firewalls
  • Approximately 12,000 customer records had been accessed, though full exfiltration was prevented
  • The bank's SIEM had logged the DNS queries but they were buried in 2M+ daily events with no alerting rule

The Response & Results

We immediately escalated to the bank's CISO and incident response team:

  • Contained the breach within 4 hours of discovery — isolated affected systems, blocked C2 channels, and preserved forensic evidence
  • The bank self-reported to OAIC within 72 hours, meeting NDB scheme requirements
  • OAIC determined the bank had taken reasonable steps to detect and respond — zero fines imposed
  • Estimated $4.5M in costs prevented by early detection (average Australian breach cost is $4.5M)
  • No customer notification required — the data accessed was not considered "likely to result in serious harm" due to containment speed
  • Bank implemented our recommended 24/7 monitoring retainer and quarterly penetration testing

"We hired OzComms for a checkbox compliance test. They found an active breach that our $2M security stack missed for 6 months. Their penetration testing methodology is on another level. They didn't just find vulnerabilities — they found attackers."

Michael Roberts
Chief Information Security Officer, Mid-Size Australian Bank

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top