Massive Data breach at the ABC

November 17, 2017

To those who think the cloud is the answer to their security prayers think again. Vulnerabilities in a cloud service occur often enough.  Flaws in service provided by third party providers are a chronic problem.  The onus still remains with the party that collects the data but too many organisations assume that once it is stored via a third party provider, such as in the cloud, that responsibility disappears. Often times data in the cloud is not encrypted or otherwise protected.  ABC has learned these and a few other lessons with a data breach in its cloud services, being a misconfigured storage bucket, according to the the Australian article ABC caught in massive data leak. That data seems to Read the rest of this entry »

Report on proposed National revenge porn legislation to include civil penalties

November 10, 2017

Revenge porn,  non consensual posting of intimate pictures or videos on line, is currently regulated by means of criminal offences in Victoria, South Australia, New South Wales and the ACT.  There is no specific civil cause of action or a statute based tort of interference with privacy.  There have been successful prosecutions of individuals, usually ex partners of the victim who posted intimate images in their possession to humiliate and harm the victim.   And that is for the good.  However, a criminal prosecution is a very blunt instrument and one Read the rest of this entry »

With mandatory Data Breach Notification legislation coming into effect in February 2018 the Information Commissioner releases draft Notifiable Data breach guidelines and puts retailers on notice about their obligations.

November 6, 2017

It is less than 6 months before the mandatory data breach notification laws take effect.  February 22 2018 to be precise.  It will impact all organisations and agencies covered by the Privacy Act and may  require them to report data breaches of personal information.  This has been the norm in 48 states of the United States for some time.  In the United States receiving notices under whichever data breach legislation is in operation, if not common, then not unusual.  That is an indicator of the frequency and impact of data breaches on business and government.  Cyber crime for profit and malicious hacking is a chronic problem.  In Australia there has been no requirement to notify individuals whose personal information have been accessed through a data breach.  There have been self reported data breaches to the Information Commissioner, sometimes because of good corporate practice but more often because the breach had been publicised.

The Australian legislation is far from the gold standard. It is complex and quite imprecise. It will require considerable care by organisations and agencies to develop policies as early as possible to properly comply with the legislation when there is a data breach.  There is little point trying to comply while dealing with a data breach.  Notifications must be made within 30 days from the date the breach is detected.  That is the outer limit.  While the time frame seems generous, given the Read the rest of this entry »

UK Information Commissioners Office fines data supplier 80,000 pounds and sends a warning to the data broking industry

The Information Commissioner’s Office has been an active regulator in the United Kingdom.  The legislation in the United Kingdom, the Data Protection Act, empowers the ICO to levy heavy monetary penalty notices, technical terms for fines. In Australia the Information Commissioner can commence civil penalty proceedings which penalties of up to $1.7 million.  Each regulator has its own regulatory armaments.  The difference is that the ICO is active.  The Australian Information Commissioner is not.

This fine is the first by the ICO involing the data broking industry.

The ICO  issued a monetary penalty notice, fining Verso Group (UK) Limited for supplying personal information to another company, Prodial Ltd which used that data to make 46 million nuisance calls.  Prodial received a record fine but the investigation continued and went to the source of the data.  That is quite a common feature of regulatory investigations.  Commonly one investigation for Read the rest of this entry »

Personal details of up to 50,000 Australians posted on line in one of Australia’s largest data breach

November 2, 2017

Contractors and third party providers are notorious for being weak points in data security.  Some of the largest data breaches have occurred through poor data security of contractors.  The Sony and Target breaches were caused by hackers accessing sites through a contractors access point. It happens in Australia on a more regular basis than people appreciate. And it has now happened in Australia on a very significant scale.  Itnews reports that files, which included full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses was made available on line by a contractor.  In all personal information of 50,000 Australians were compromised.  Of that 50,000 Read the rest of this entry »

Deloite data breach in September has ongoing consequences in a month where an estimated 55 million records were compromised in data breaches

In late September this year Deloitte was the target of a successful sophisticated cyber attack which involved compromising client emails and confidential data of its clients, many of which are significant organisations. As is commonly the case with major data breaches the impact of the breach is not immediately known.  Often it requires a review to determine the extent of the breach.  It is not uncommon for hackers to remain undetected for weeks and sometimes months as they access data and decide what to steal or leak.  In the case of Deloitte’s breach was much larger than originally thought affecting the emails of 350 clients among which were US Government agencies including a server hosting emails for the US departments of state, energy, homeland security, and defense, the United States Postal Service, the National Institute of Health and the Federally guaranteed mortgage companies Fannie Mae and Freddie Mac.  The reputational damage to Deloittes has been immense, not least because it and the other big 3 accounting firms market themselves as experts in consulting in data storage, data security and compliance with privacy laws.

According to itgovernance in List of data breaches and cyber attacks in October 2017 – 55 million records leaked October was a bad but not untypical month in terms of data breaches which affected a broad range of companies.  There were financially inspired attacks such as Read the rest of this entry »

Commonwealth Parliament’s Joint Committee of Public Accounts and Audit report into Cybersecurity Compliance makes for melancholy reading about the poor data security of frontline Commonwealth Departments

October 31, 2017

Last week the Joint Committee of Public Accounts and Audit released its long awaited report into Cybersecurity Compliance. It is a valuable report which makes clear that the Committee “gets it” as far as the need to maintain proper cyber security by agencies which are increasingly reliant on data being stored, used and disclosed online by its users.   The Committee was also frank in its assessment that key agencies are falling down in this regard.  For those practicing in this area that comes as little surprise.  There remains a poor cyber security and privacy culture in Read the rest of this entry »

US President looking to increasing commercial use of drones. A taste of things to come.

October 30, 2017

Notwithstanding the seeming chaos and drama swirling around the White House last week there was some business being done.  As is the case with every administration.   Notably the President issued a Presidential Memorandum to the Secretary of Transportation titled Unmanned Aircraft Systems Integration Pilot Program.

Previously U.S. companies have faced tight rules regarding the use of drones including to protect Americans from potential harm. In the Presidential Memorandum the Secretary for Transportation has been directed to create a pilot program within 90 days that would effectively loosen regulations around drone usage in an “innovation zone”.  In that zone users can Read the rest of this entry »

Confidential legal files found in accessible bin in a public place highlights a poor data security culture.

Law firms are a particularly attractive target for hackers.  Legal offices usually hold a rich trove of clients’ confidential information, banking details, data from third parties such as witnesses and experts provides enough personal information for identity theft.  Last week the Telegraph reported on a law firm in Bermuda being hacked and client’s sensitive data being accessed.  Today’s Age in Dozens of confidential legal files found dumped outside Melbourne law firm reports on Read the rest of this entry »

X v Twitter Inc [2017] NSWSC 1300 (28 September 2017): equity, injunction regarding tweets, confidential information, Norwich Orders.

October 29, 2017

In X v Twitter Inc [2017] NSWSC 1300 the Supreme Court of New South Wales, per Pembroke J, issued a final injunction regarding a post on Twitter. In doing so the Court considered in detail the scope and operation of injunctions on Twitter, a platform with much of its operations located outside Australia.

FACTS

Between 16 and 19 May the first offending tweets appeared [6] with the author of the tweets used a twitter handle that falsely adopted the name of the plaintiff’s CEO.

On 19 May, the plaintiff’s solicitors wrote to Twitter Inc:

  • drawing attention to the tweets,
  • the offending information contained in them and
  • the user’s impersonation of the plaintiff’s CEO.
  • requesting Twitter Inc to:
    • remove the offending material from the Twitter website;
    • to deactivate the ‘fake’ user’s account;
    • to take all other steps available to it to prevent the user from publishing further confidential information on the Twitter website; and
    • to provide the identity and contact information of the user.

Twitter responded Read the rest of this entry »