Australia has imposed sanctions against a Russian citizen over the Medibank cyber-attack in 2022, which saw the personal information of millions of Australians accessed, extortion threats made and many of the details published on the dark web after those threats were not acceded to.
Sanctioning foreign actors
While Australia has had laws which enable it to impose sanctions against other countries for many years, this is the first time the new laws which target individuals and organisations, have been enacted.
Foreign Minister Penny Wong announced the sanctions, putting them into place with immediate effect, by simply releasing a statement that says: “police and intelligence agencies had worked with international partners to link Aleksandr Ermakov “to the compromise of the Medibank Private network.”
About the Autonomous Sanctions Act 2011
The purpose of the laws is to enable the Australian Government to impose sanctions against foreign individuals or entities who commit or are involved in serious human rights abuses, corruption and cyber-crime.
The overriding objective of the legislation is punish alleged offenders by imposing travel bans, freezing assets and imposing other financial penalties.
Because cyber hackers, human rights abusers and corrupt officials often become wealthy through illegal activity, the sanctions prohibit them from accessing or spending the suspected proceeds of these crimes.
A secondary effect of the laws can be that the criminals may eventually be “flushed out” because they have limited means to keep hiding from authorities.
The powers of the Foreign Minister
There is no need for the Australian Government to lay charges or prove guilt before sanctions can be imposed.
Rather, the Autonomous Sanctions Act empowers the Foreign Minister, currently Penny Wong, to make decisions about sanctions.
Part 2 of the Autonomous Sanctions Regulations 2011 prescribes the criteria for the Minister to apply sanctions. The part also lists the nations or parts thereof to which sanctions currently apply, which at the time of writing are Syria, Russia, specific Ukraine regions and the Democratic Republic of North Korea.
There is no requirement for the Foreign Minister to report the basis upon which decision for making declarations are made, but the sanction determinations themselves can be accessed via the Federal Register of Legislation.
The types of sanctions that may be imposed are:
- financial sanctions (including freezing assets)
- travel bans preventing a person from entering or transiting through Australia
- restrictions on trade or the procurement of goods and services
- restrictions on engaging in commercial activities or dealing with assets, which can include, for example, purchasing shares or establishing a business
- preventing vessels or private aircraft from entering Australia.
In the case of Aleksandr Ermakov, the Australian Government has imposed targeted financial sanctions and travel bans.
Appealing the sanctions
Any person who has been declared to be the subject of sanctions, may apply for a judicial review of the Minister’s decision, in accordance with the Administrative Decisions (Judicial Review) Act 1977 and under common law.
The application is reviewed by the Federal Court, which will consider a number of factors including:
- whether a breach of justice occurred;
- if decision-making procedures were not observed; or the decision itself was contrary to the law
- if the decision-maker did not have the jurisdiction to make the decision
- if the decision was not authorised by the relevant legislation
- if there was an error of law
- if the decision was induced or affected by fraud
- evidence is sufficient to justify the decision
Penalties under the Autonomous Sanctions Act 2011
The penalties themselves are intended to both punish suspected criminal behaviour and deter would-be violators from engaging in such conduct.
But more than that, the laws criminalise those who engage in sanctioned conduct by, for example, by participating in commercial transactions in contravention of the sanctions; for instance in this case by providing assets to Mr Ermakov or otherwise dealing with him, whether through traditional financial systems or cryptocurrencies like Bitcoin.
The crimes are strict liability offences for corporate bodies, meaning it is not necessary for the prosecution to prove any fault element, such as intent, knowledge, recklessness or negligence.
The offences are punishable for corporate bodies by a fine determined by which is the greater amount – 10,000 penalty units or three times the value of the transaction.
For individuals, the punishment is up to 10 years in prison, and/or a fine determined by which is the greater amount – 2500 penalty units or three times the value of the transaction.
One Commonwealth penalty unit is currently equivalent to $313.
In applying the sanctions, Penny Wong said: “The use of these powers sends a clear message – there are costs and consequences for targeting Australia and Australians.
Similar laws around the world
The effectiveness of these laws are deterring cyber crime or stopping repeat offences remains to be seen.
The strength of the laws lies largely in how universally accepted they become, so as to stop offenders from undertaking ‘jurisdiction shopping’, whereby they conduct activities with nations that do not have such laws.
In that regard, similar legislation has also been adopted by other countries including the United Kingdom, the United States of America and Canada.
This alliance means that other governments can also decide to adopt the sanctions against Aleksandr Ermakov if they wish to do so, although it’s not compulsory.
The Medibank cyber attack
As a result of the Medibank cyber-attack in 2022, more than nine million Medibank records, including names, dates of birth, Medicare numbers and sensitive health details were stolen, and both Medibank and the Australian Government refused to accede to extortion threats.
Many of these records were then published on the dark web, leaving individuals vulnerable to the possibility of blackmail and also identity theft.
The Australian Government also believes that by naming Aleksandr Ermakov, they have also struck a blow, because anonymity is valuable for cyber criminals.
The Optus breach resulted in more than 10,000 customers’ passport, driver licence and Medicare numbers appearing online. The Woolworths breach affected about 2 million customers.
Both Medibank Private and Optus have engaged independent consultants to investigate the breaches, but disappointingly, they have both decided not to share the findings, which, it could be argued, help other businesses in beefing up their own cyber security.
Optus customers are currently launching a class action, so a significant amount of information about the Optus breach is considered highly confidential – at least until the class action lawsuit is either settled or resolved in court.
Under Australian laws, both companies could face large fines for putting customer information at risk.