Peter A Clarke

Ambulance Tasmania has suffered a massive data breach. According to the ABC’s Tasmania Police called in after ambulance patient details published online personal information of every Tasmanian who called the Tasmanian Ambulance Service since November 2020 has been accessed and posted on line by a third party.  The specific nature of the breach is unknown but it was to the paging system.  What makes this breach so damaging is that the data accessed is sensitive information, relating to a person’s health status as well as that person/s age, gender and address.

What is both surprising and disturbing is that the data hacked from Ambulance Tasmania has been publicly visible since November last year.

What is less surprising is that it appears that previously deficiencies had been identified in the communications system and processes.  That is quite a common situation.  The problems are apparent but there is no incentive to attend to those problems because time and money can be spent elsewhere which provides more immediate benefit and the legal consequences of a data breach are small because the legislation is weak and the regulators are timid.

The Government response follows the dreary, obsolete path adopted by many Australian Government agencies of the responsible minister being concerned, referring Read the rest of this entry »

The Internet of Things, with gadgets and devices previously stand alone now connected to the internet, has always been blighted by vulnerabilities to cyber attack.  The stories of baby monitors being hacked and taken over by criminals or just garden variety creeps are legion and have passed into cyber security folk lore.  Invariably the cause of the hack of a baby monitor is down to the usual problems with any form of security involving a device connected to the internet with some specific issues involving videos; poor security of wireless routers, no or a lousy password for the monitor (often factory settings are left in place), reusing stolen credentials, default log ins and easy to access settings and not updating or patching software as and when required. 

The BBC reports that the hackers have, disturbingly, gone further than standard interference with a device.  Hackers goes beyond accessing home cameras of a residence and now engage in swatting, where they contact or otherwise get police Read the rest of this entry »

As is my tradition on this site at Christmas I reprint one of the most affecting Christmas stories and a brilliant piece of journalistic prose the quality of which is not seen in the current mainstream media.  It is the Sun’s peice from 1897, Yes Virginia there is a Santa Claus.  From the very first time I read this wonderful editorial I was impressed by its clear and precise language.  Virginia O’Hanlon, all of 8 year old, wrote a sweet and touching query about Santa Claus’s existence to The New York Sun.  It wasn’t trashed, ignored or even turned into a joke.  Instead it evoked a response that was both honest and written to and for a young child but dealt with bigger issues of belief, philosophy and the evils of sneering skeptisism which afflicts us today more than it did over 120 years ago. 

It is deservedly one of the great editorials of journalism.  It holds up as well today as it did in that Gilded Age.  One can only hope to hold onto and embrace the optimism and enthusiasm for life and its wonders that the author, Francis Pharcellus Church, so marvelously described in what has become history’s most reprinted newspaper editorials. It was reprinted by the New York Daily News yesterday.

The letter from Virginia was:

DEAR EDITOR: I am 8 years old.
Some of my little friends say there is no Santa Claus.
Papa says, ‘If you see it in THE SUN it’s so.’
Please tell me the truth; is there a Santa Claus?

VIRGINIA O’HANLON.
115 WEST NINETY-FIFTH STREET.

The responding Editorial was:

VIRGINIA, your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except they see. They think that nothing can be which is not comprehensible by their little minds. All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, VIRGINIA, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to your life its highest beauty and joy. Alas! how dreary would be the world if there were no Santa Claus. It would be as dreary as if there were no VIRGINIAS. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

Not believe in Santa Claus! You might as well not believe in fairies! You might get your papa to hire men to watch in all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove? Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see. Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders there are unseen and unseeable in the world.

You may tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, nor even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernal beauty and glory beyond. Is it all real? Ah, VIRGINIA, in all this world there is nothing else real and abiding.

No Santa Claus! Thank God! he lives, and he lives forever. A thousand years from now, Virginia, nay, ten times ten thousand years from now, he will continue to make glad the heart of childhood.

In 1997 the New York Times did a wonderful piece setting out the history and analysis of the Yes Virginia editorial and its impact.  

I wish you one and all a wonderful Christmas and a prosperous 2021. 

Zoom is now a verb.  The impact of video conferencing platform has made it ubiquitous and necessary to work from home and keep in touch with others during long weeks of shut downs. And it deserves its reputation as the go to platform; it is easy to use, it is free (for 40 minutes at a time), it allows for up to 100 people to join a meeting and it has many cool features such as separate rooms and messaging services.

It has also suffered from the growing pains that afflict technology that appear from nowhere and become massively popular overnight.  That included critical flaws in software for windows that allowed hackers to take over computers and flaws that lets an attacker to use a GIF to hack software and install malware and until recently not having end to end encryption. The list of flaws identified and fixed are set out in Zoom security issues: Here’s everything that’s gone wrong (so far).

As a result of the persistent flaws and inadequate privacy practices, now fixed, Zoom entered into a agreement with the New York Attorney General, on 7 May 2020, whereby Zoom would put into place and support new security measures and enhance privacy controls.

It was only a matter of time before Zoom’s privacy and security problems came to the attention of the US Federal Trade Commission.  It was investigated and earlier this month came to a settlement, again requiring it to provide better information security systems.  The jurisdictional basis for FTC bringing an action is that Zoom engaged in deceptive and unfair practices about it’s level of security, including representations about end to end encryption and the level of encryption.  The period of compliance with the Decision is 20 years.

The FTC issued a complaint  alleging that the misleading practices dated back to 2016.  The complaint highlights Read the rest of this entry »

Europe is taking decisive steps to increase its data protection with proposed legislation to create an EU wide data market which will enable the sharing of industrial and government information under the European standards. This is reported in the Wall Street Journal’s article Europe Doubles Down on Data Protection to Ward Off Silicon Valley, Chinese Influence.  This will probably be critisised as data localisation, a practice that warrants scrutiny given it is much loved by authoritarian governments for less than savoury reasons.   The scheme will involve data not exclusively involving personal information.

This development highlights Read the rest of this entry »

I have long posted on law firms being in the sights of cyber criminals.  I raised this as an increasing threat in September last year and attacks on Queensland law firms in 2017 and European law firms in 2016.

The Australian Financial Review reports, in Hackers threaten to publish data from attack on legal services firm, report on a cyber attack on 22 November 2020 by hacker legal services firm Law In Order suffering a Ransomware attack with the hackers threatening to publish data unless a payment is made. The story is also covered by itwire, insurance business mag, and itnews.  That list will grow.

Law In Order issued statements of what happens.  It is far from a best practice response.  General waffle.  Full candour is not always possible because investigations take time.  But that does not mean that writing excessive meaningless verbiage is the answer. That is particularly so when the Australian Financial Review has key information about the attack, for example that it was undertaken by Netwalker and is a ransomware attack.  That makes the statement look even sillier than Read the rest of this entry »

Today the Attorney General announced a(nother) review of the Privacy Act 1988.  That was part of a response to the ACCC Digital Platform’s Inquiry.  In doing so he released a 89 page Issues Paper. 

The media release provides:

The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act). 

The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.

These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements

The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.

“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.

“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”

A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.

The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website. Read the rest of this entry »

Universities are prime targets for cyber attack as well as just poor data handling.  In the former category the Australian National University suffered a massive and prolonged data breach over 2018/2019 caused by overseas actors, probably Chinese (my post here) while more recently the University of Tasmania had a significant data breach involving over 19,000 names through incompetent data protection (my post here).

Today the Victorian Privacy and Data Protection Deputy Commissioner commences an examination of how Victorian universities protect personal information.  The press release Read the rest of this entry »

New Zealand has come even later to mandatory data breach reporting.  Its legislation comes into effect on 1 December 2020. The New Zealand Privacy Act 2020 is, like Australia’s, far from the gold standard. But New Zealand does have a tort of interference with privacy which puts it well ahead of Australia.

Determining whether a data breach is notifiable can be a difficult weighing exercise under both the Australian and New Zealand legislation. Both Acts use serious harm as a threshold but provide no definition of what that is.  In the New Zealand Act the process involves consider quite general factors in section 113 which provides:

Assessment of likelihood of serious harm being caused by privacy breach

Mandatory data breach notification is a complicated process . The Privacy Commissioner has Read the rest of this entry »

The US National Security Agency prefers staying in the shadows. It is therefore notable that it has issued a very public cybersecurity advisory highlighting vulnerabilities Chinese hackers are using as part of their cyber attacks.

The advisory Read the rest of this entry »