Another day another data breach involving medical records…this time of school students

October 13, 2018

The Age reports on yet another depressing and altogether avoidable data breach: this time the accessing of medical conditions, photographs, names and identifying data of year 7 to 12 students at Manor Lakes P-12 College in Wyndham Vale in Melbourne.

The Education Department has adopted the standard straight-bat response: the breach was due to "human error" and not to a vulnerability in the school's IT systems. The implication is that it could have been a lot worse (as in a systemic fault involving a costly fix). What is not, and won't be, disclosed is how the breach occurred, what remedial action is being taken and what punishment is administered. Without consequences, there is little incentive to take real and decisive steps to minimise poor data practices. Unfortunately the regulators at both the state and Federal level Read the rest of this entry »

Senator Fifield, Minister for Communications and the Arts, gives speech about the internet, including privacy, and presages possible future action, or not

October 11, 2018

Senator Fifield, in his capacity as Minister for Communications, finds himself in the middle of one of the most exciting, dynamic, disruptive, confounding yet critical areas of public policy in Australia, or any other advanced economy: what to do with the internet, if anything. He recently gave a speech at the Sydney Institute titled The Internet – not an ungoverned space. It is a broad-ranging fly-over of the issues associated with the internet: privacy, cyber bullying, copyright infringement (i.e. piracy), illegal wagering, fake news and the dominant role of the big players on the digital platforms (Google, Facebook, Apple and Twitter, in no particular order). It hints at the likelihood of government involving itself in regulation of the internet, or at least of its activities. It is a speech written from within the bowels of the Department: safe, with few rhetorical flourishes, quoting facts at a reasonable clip without being too dense, informative but not inspirational, and hinting at but not committing to further action. And it has plenty of wriggle room in the event that action is not taken. It is useful as Read the rest of this entry »

Google exposes users' data and fails to disclose breach to avoid reputational damage…a depressingly typical response by business

October 9, 2018

Alphabet attracts an enormous amount of suspicion from civil society groups, commentators and an increasing number of governments: it is too big, it stifles development by swallowing up nascent competitors, its algorithms discriminate against some businesses and people, it is too willing to compromise its stated principles with dictatorships, to wit China, and it is secretive. There is a reasonable amount of truth to all of that. What Google does try to do is convince users that it is security conscious. That claim has taken a massive hit with reports that it has been subject to a data breach courtesy of a bug which exposed the personal information of hundreds of thousands of users. Worse, Google didn't disclose this breach after discovering the problem. Why? Because it didn't want the regulators to review its activities and ask the difficult questions. It also didn't want the reputational hit. That is a common reaction by organisations which have inadequate data protection and a poor privacy culture. It is all too common a response in Australia.

As a result of this data breach Google is shutting down Google+. This of course will not end Google's woes. It is just the start.

This sad and sorry saga is Read the rest of this entry »

Tesco Bank fined 16.4 million pounds over cyber-attack in UK

October 4, 2018

Commonly a data breach affecting an organisation attracts the attention of multiple authorities in the United States and the United Kingdom. A data breach in the United States can attract investigation from the Federal Trade Commission, for misleading representations as to privacy, and the Securities and Exchange Commission, for breach of fiduciary duty. And as Tesco Bank well and truly understands, poor data security can result in an investigation and fine from the Financial Conduct Authority ("FCA") as well as an investigation by the Information Commissioner. Tesco has been fined £16.4 million by the FCA for failing to exercise due care and diligence in protecting its personal current account holders' accounts. A cyber attack resulted in the theft of £2.2 million, which has been refunded. Such a fine is well in excess of what the ICO could impose at the time of the breach. In addition to the swingeing fine, the reputational damage to Tesco is significant, as regulators are not wont to keep a low profile when they collect a big scalp. And the FCA didn't keep things quiet here, with Read the rest of this entry »

BUPA fined 175,000 pounds for data protection failures

October 3, 2018

As Bupa has discovered, data breaches caused by employee misbehaviour can be as devastating for an organisation as a cyber attack. A rogue Bupa employee accessed and sold on the dark web the personal information of Bupa's customers. When it was discovered by a third party, the Information Commissioner investigated and found systemic failures and non-compliance with data security requirements. That is a common outcome. The breach itself is generally bad; however, the investigation usually turns up more than just one problem with an organisation's data security. As was the case with Bupa. There were systemic failures on Read the rest of this entry »

Data breach of UK Conservative party app highlights the problems with app design

October 2, 2018

Apps are notorious for their poor security. App developers spend most of their time designing and writing code for an app which will attract a quick and widespread pick-up. The focus is on working out what tool will be popular and useful, then working frantically to release it to the market. Data security is generally generic and an afterthought. There is little money in security. Until things go wrong.

Apps in politics and in civil society actions are becoming part of the woodwork. Communicating and mobilising via an app is considerably cheaper than a phone tree and more accessible for younger activists than email. And political parties are keen to appear connected to younger voters and members. Which is what the Conservatives attempted with their app for a recent conference starting last Sunday.

Of course the problems with data security apply. As the UK Conservative Party found when its conference app failed, revealing MPs' phone numbers and other personal information, as reported by the BBC and the Guardian. The design failure was quite stark: by pressing the attendees button and typing in an MP's email address, which is hardly secret, anyone could have the app reveal that MP's personal information. A big mistake. The chairman of the conference is under pressure to resign. Read the rest of this entry »

UK Information Commissioner’s office fines Equifax half a million pounds for security breach in 2017

October 1, 2018

First the breach, then the disastrous publicity and just when things seem to be getting better the enforcement action.  That is the way of it with UK and US privacy breaches.  Equifax’s travails have followed this path.

In 2017 Equifax suffered a data breach through a cyber attack. The impact was, even by modern standards, massive, with the personal information of 146 million people being compromised. That involved 200,000 credit card numbers and expiration dates and government-issued documentation such as drivers' licences and passports. A total of 15 million UK citizens' personal information was compromised, giving the Commissioner jurisdiction.

The cost of the breach has been enormous, running to $275 million as at March this year.

The Equifax data breach is a lesson in how not to store information, how not to set up data security and how not to respond to a data breach. As the UK Information Commissioner found Read the rest of this entry »

Drones used to stalk victims, in ongoing issue of drones and privacy

The ABC, in Perpetrators using drones to stalk victims in new age of technology fuelled harassment, again highlights what has long been known about the potential of drones as an effective privacy-invasive tool. It also goes on to set out the range of ways new technology is being used to interfere with privacy and to harass. All the while the law lags.

In the United States there have been specific state laws to Read the rest of this entry »

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 introduced into the House of Representatives today

September 20, 2018

The Attorney General has introduced the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 today. It is a monolith of a Bill, extending beyond 300 pages. The Explanatory Memorandum is of similar length. What it is about has been the subject of significant debate between the rarefied world of privacy, digital and techie activists and experts on one side and law enforcement and the Federal Government on the other. Its aim is to permit law enforcement to access encrypted communications.

The Minister’s second reading speech provides:

That this bill be read a second time.
New communications technology, including encryption, is eroding the capacity of Australia’s law enforcement and security agencies to investigate serious criminal conduct and protect Australians.

Read the rest of this entry »

British Airways suffers massive data breach affecting personal information of 380,000 customers

September 11, 2018

Notwithstanding poor data security and inept regulation, data breaches have a very significant impact on both reputation and the bottom line, oftentimes one being tied in with the other. British Airways suffered a data breach, by means of a cyber attack by criminal hackers, sometime between 21 August and 5 September 2018, which compromised the personal and financial information, being credit card details, of more than 380,000 customers. Unfortunately British Airways has been hacked before, with its Executive Club being hacked in 2015.

Properly advised and motivated, it is possible to contain the damage from a data breach, even one as large as that of British Airways. The key is Read the rest of this entry »