Penetration Test That Uncovered a 6-Month Active Breach — Zero Regulatory Penalties
The Challenge
A mid-size Australian bank engaged OzComms for a routine penetration test as part of their APRA CPS 234 compliance requirements. They had no reason to suspect a breach — their internal security team ran monthly scans and their SIEM showed no alerts. What we found shocked them: an advanced persistent threat (APT) had been operating undetected for 6 months, exfiltrating customer data through DNS tunneling.
The Strategy
Our penetration test went beyond automated scanning to simulate real attacker behaviour:
- External penetration testing — tested all internet-facing assets: web applications, APIs, VPN endpoints, and email gateways
- Internal network assessment — simulated insider threat and lateral movement scenarios after initial access
- Social engineering — tested employee susceptibility to phishing, pretexting, and USB drop attacks
- Wireless security testing — assessed Wi-Fi networks for weak encryption, rogue access points, and guest network isolation
- Active threat hunting — analysed network traffic, DNS logs, and endpoint behaviour for indicators of compromise (IoCs)
- Compliance mapping — aligned all findings with APRA CPS 234, ISO 27001, and NIST frameworks
The Discovery
During the internal network phase, our team identified anomalous DNS queries originating from a compromised workstation in the customer service department. Further investigation revealed:
- An APT group had gained initial access via a spear-phishing email 6 months prior
- The attackers had established persistence through WMI event subscriptions and scheduled tasks
- Data exfiltration was occurring via DNS tunneling to avoid detection by traditional firewalls
- Approximately 12,000 customer records had been accessed, though full exfiltration was prevented
- The bank's SIEM had logged the DNS queries but they were buried in 2M+ daily events with no alerting rule
The Response & Results
We immediately escalated to the bank's CISO and incident response team:
- Contained the breach within 4 hours of discovery — isolated affected systems, blocked C2 channels, and preserved forensic evidence
- The bank self-reported to OAIC within 72 hours, meeting NDB scheme requirements
- OAIC determined the bank had taken reasonable steps to detect and respond — zero fines imposed
- Estimated $4.5M in costs prevented by early detection (average Australian breach cost is $4.5M)
- No customer notification required — the data accessed was not considered "likely to result in serious harm" due to containment speed
- Bank implemented our recommended 24/7 monitoring retainer and quarterly penetration testing
"We hired OzComms for a checkbox compliance test. They found an active breach that our $2M security stack missed for 6 months. Their penetration testing methodology is on another level. They didn't just find vulnerabilities — they found attackers."