Password reuse drives cyber risk for Australian businesses

Brokerage highlights urgent need for stronger digital defences


By Roxanne Libatique

Gallagher has issued a cautionary note to businesses regarding the increasing cyber risk linked to password reuse, noting that inadequate authentication protocols continue to create exposures for Australian firms, including those in the insurance industry.

The firm underscored that credential stuffing – where attackers replay username and password pairs leaked in earlier data breaches against other services – is a frequent method used to infiltrate business systems. These attacks are automated: tooling attempts thousands of logins with already-known passwords until one succeeds. The technique works because individuals tend to recycle the same password across multiple online services, so a password stolen from one site is often valid on another.

Credential stuffing attacks draw focus to identity verification gaps

The tactic is suspected in a recent breach involving superannuation funds in Australia.

Attackers reportedly accessed user accounts using login details likely purchased on the dark web. Once logged in, they modified account details, such as SMS verification numbers, enabling unauthorised transactions. These updates often occurred late at night when users were less likely to respond to system-generated alerts.

Gallagher’s analysis suggested that this breach illustrates how the absence of multifactor authentication (MFA) that is genuinely independent of the password can leave businesses and their customers exposed to significant financial and reputational harm. SMS codes sent to a number that anyone holding the password alone can change from within the account do not meet that bar: as the breach shows, an attacker who is already logged in simply redirects them.

Strategies for bolstering cyber defences

To counter such threats, Gallagher recommended businesses implement a structured approach to strengthen digital security:

  • Adopt mandatory MFA – require MFA for all users without exception to reduce the risk posed by compromised passwords
  • Monitor for unusual login activity – deploy alerts to detect and respond to logins from unfamiliar devices or locations
  • Halt automation-based intrusions – use tools such as CAPTCHA, IP validation, and login rate limiting to deter bots
  • Secure comprehensive cyber cover – transfer the residual financial exposure that remains after these controls through a cyber insurance policy (see below)
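The monitoring and anti-automation controls above can be illustrated end to end. The following is an added example, not code from Gallagher or from any of the organisations mentioned on this page: it runs three checks over a constructed authentication log whose format, field names, device identifiers and thresholds are all assumptions. It flags source IPs that show the credential-stuffing shape (one source, many distinct usernames, mostly failures), flags account-detail changes such as a new SMS number made from a device the user has never logged in from (with overnight timing recorded as a secondary signal, mirroring the superannuation breach described earlier), and shows which login attempts a per-IP sliding-window rate limit would have rejected before the password check.

```python
"""Credential-stuffing and account-takeover signals over a constructed auth log.

Added example. The log format, device identifiers, thresholds and sample
events below are assumptions for illustration, not data from any real incident.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: timestamp event source_ip user device_id outcome_or_detail
SAMPLE_LOG = """\
2025-04-01T02:03:10 login 203.0.113.7 alice dev-x1 fail
2025-04-01T02:03:11 login 203.0.113.7 bob dev-x1 fail
2025-04-01T02:03:11 login 203.0.113.7 carol dev-x1 fail
2025-04-01T02:03:12 login 203.0.113.7 dave dev-x1 fail
2025-04-01T02:03:12 login 203.0.113.7 erin dev-x1 success
2025-04-01T02:03:13 login 203.0.113.7 frank dev-x1 fail
2025-04-01T02:05:40 change_sms 203.0.113.7 erin dev-x1 +61400000001
2025-04-01T09:15:00 login 198.51.100.4 alice dev-a9 success
2025-04-01T09:20:00 change_sms 198.51.100.4 alice dev-a9 +61400000002
2025-04-01T10:00:00 login 198.51.100.4 alice dev-a9 fail
2025-04-01T10:00:05 login 198.51.100.4 alice dev-a9 success
"""

# Assumed per-user history of devices seen on previous successful logins.
KNOWN_DEVICES = {"alice": {"dev-a9"}, "erin": {"dev-e2"}}


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, user, device, detail = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "ip": ip, "user": user, "device": device, "detail": detail})
    return events


def stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """IPs that tried many distinct usernames and mostly failed.

    That is the credential-stuffing shape: one source replaying leaked
    username/password pairs across many accounts. Returns ip -> (users, fail ratio).
    """
    users = defaultdict(set)
    counts = defaultdict(lambda: [0, 0])  # ip -> [total attempts, failures]
    for e in events:
        if e["event"] != "login":
            continue
        users[e["ip"]].add(e["user"])
        counts[e["ip"]][0] += 1
        if e["detail"] == "fail":
            counts[e["ip"]][1] += 1
    flagged = {}
    for ip, (total, fails) in counts.items():
        ratio = fails / total
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(users[ip]), round(ratio, 2))
    return flagged


def risky_detail_changes(events, known_devices):
    """SMS-number changes made from a device the user has never used.

    This is the post-login step in the breach described above. Overnight
    timing (22:00-06:00) is attached as an extra reason, not a requirement.
    Returns a list of (user, ip, reasons).
    """
    flagged = []
    for e in events:
        if e["event"] != "change_sms":
            continue
        if e["device"] in known_devices.get(e["user"], set()):
            continue  # change from a device this user has logged in from before
        reasons = ["new_device"]
        if e["ts"].hour >= 22 or e["ts"].hour < 6:
            reasons.append("overnight")
        flagged.append((e["user"], e["ip"], tuple(reasons)))
    return flagged


def rate_limited(events, max_attempts=5, window_s=60):
    """Sliding-window limit on login attempts per source IP.

    Returns (timestamp, ip, user) for attempts that would have been rejected
    before any password was checked. Rejected attempts do not refill the window.
    """
    recent = defaultdict(deque)
    blocked = []
    for e in events:
        if e["event"] != "login":
            continue
        window = recent[e["ip"]]
        while window and (e["ts"] - window[0]).total_seconds() >= window_s:
            window.popleft()
        if len(window) >= max_attempts:
            blocked.append((e["ts"].isoformat(), e["ip"], e["user"]))
            continue
        window.append(e["ts"])
    return blocked


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("risky SMS changes:", risky_detail_changes(evs, KNOWN_DEVICES))
    print("rate-limited attempts:", rate_limited(evs, max_attempts=4))
```

In the sample, 203.0.113.7 is flagged as a stuffing source (six usernames, five of six attempts failed), erin's SMS-number change is flagged because it came from an unseen device at 02:05, and alice's change from her usual device during the day is not. Note that the per-IP rate limit catches only the last two attempts from the single source; real credential-stuffing tooling spreads attempts across many IP addresses, which is why the page's recommendations pair rate limiting with CAPTCHA and device or location checks rather than relying on any one of them.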

What cyber policies may include

Gallagher noted that while cyber insurance offerings vary, most policies generally cover:

  • Round-the-clock breach response assistance
  • Revenue loss during system outages
  • Restoration of data and applications
  • Replacement of compromised hardware
  • Costs of system improvements following an incident
  • Coverage for cyber crime and phishing-related losses
  • Regulatory fines and legal fees related to privacy breaches
  • Liability for digital and media content issues

Perceptions of reputational risk evolving

The warning comes alongside findings from the latest Reputational Risk Readiness Survey by Willis, part of WTW.

According to the report, 65% of global executives now identify cyber attacks as the most significant reputational risk, compared to 52% the previous year.

ANZ-specific risk landscape

Supporting these trends, a survey by Arctic Wolf covering over 1,200 cybersecurity professionals found that Australia and New Zealand (ANZ) organisations reported higher-than-average incident rates.

About 85% of businesses in the region experienced at least one cyber incident in the past 12 months, compared to a 76% global average.

The study also found that ANZ companies were more likely to pay ransoms to avoid the fallout from data exposure. Approximately 91% of those affected relied on third-party negotiators, although fewer than half successfully reduced the payment amount.
