Major data breach of Family Planning New South Wales with dilatory notice to those affected

May 14, 2018

Family Planning NSW has had the personal information of every client who contacted it through its website over the past two and a half years compromised in a cyber attack.

The data could not be more sensitive. It is defined as sensitive information under the Privacy Act, being not only health information but information relating to contraception and fertility. According to the ABC, the attack was accompanied by a bitcoin ransom demand.

The ABC story provides:

People who have booked abortions and sought information about contraception could have had their personal information stolen, after a major data breach at Family Planning NSW (FPNSW).

Up to 8,000 clients could be affected by the hack, which occurred more than two weeks ago.

Clients were alerted to the incident by an email signed by chairwoman of the FPNSW board, Sue Carrick, and chief executive Adjunct Professor Ann Brassil.

“These databases contained information from around 8,000 clients who had contacted Family Planning NSW through our website in the past two and a half years, seeking appointments or leaving feedback,” the email read.

The email claimed the hackers demanded a $15,000 bitcoin ransom on Anzac Day, and said the website was secured the following day.

“Since the attack we have had no evidence that this information has been used by the cyber attackers,” the email read.

Today, the organisation’s website was down for a “security update”.

FPNSW provides reproductive and sexual health services, and has five clinics around Sydney.

Adjunct Professor Brassil said the software FPNSW’s website had been built on was targeted.

“I think that’s important for people to understand, that this wasn’t about Family Planning, this was about a hack to software,” she said.

“We are really sorry that has happened and we take responsibility for that.

“It was one of a number of cyber attacks on that particular piece of software on or around the same time and the ransomware note was specifically for bitcoin.”

Adjunct Professor Brassil said refusing to pay the ransom was the only interaction FPNSW had with the hackers.

“It wasn’t that sophisticated, in that they were only after the money and once we didn’t pay the money they disappeared,” she said.

The story has also been covered by the Sydney Morning Herald and the Australian. In Australia a pattern has evolved: the organisation admits the breach, says there is no evidence that the information was used, and says the exposure was transitory. It seems to work on the Australian Information Commissioner. Most of that is beside the point, as the UK Information Commissioner and the US Federal Trade Commission recognise when dealing with a similar fact situation. They treat the breach as evidence of a problem with data security, and take firm action both to deal with that transgression and to send a message to the broader community.

What is also interesting in the story is the delay between discovery of the breach and notification of the persons affected: almost three weeks of Family Planning NSW sitting on its hands. That is a failure of process and policy. It would be entirely unacceptable under the European GDPR, which requires a controller to notify the supervisory authority within 72 hours of becoming aware of a breach and to notify affected individuals without undue delay where the breach is likely to result in a high risk to them.

Another aspect of the story is why two and a half years of appointment requests and feedback were still being stored in a web-facing database. Under APP 11.2 of the Privacy Act an entity must take reasonable steps to destroy or de-identify personal information it no longer needs for any permitted purpose. It would be interesting to see how much of that data was actually required and how much should have been deleted some time ago.

As the ABC story states, the FPNSW website is getting a security update today, with its homepage providing:

Our website is getting a security update. Thank you for your patience, we’ll be back online as soon as possible.

While “better late than never” might be the appropriate comment it does make one wonder how candid Family Planning NSW is about the problem being fixed.

The Office of the Australian Information Commissioner issued a statement, after the media reporting (of course), stating that it has been advised of the breach. There is no suggestion that there will be an investigation or that action will be taken. That is entirely regrettable. The problem with data protection regulation in Australia is the unwillingness of the Commissioner to take action where there has been a breach, and this instance is a very clear case of a data breach which may have involved inadequate data security steps being taken. The statement provides:

The Office of the Australian Information Commissioner was notified by Family Planning NSW about a data breach incident that occurred on 25 April 2018. The OAIC understands that Family Planning NSW is in the process of notifying individuals whose personal information may have been affected by the breach.

The Notifiable Data Breaches (NDB) scheme, which commenced on 22 February 2018, requires organisations to notify affected individuals and the OAIC where there is a likely risk of serious harm to any of the individuals whose personal information is involved in the data breach.

The OAIC has published a number of resources for those affected by a data breach and action they can take: https://www.oaic.gov.au/individuals/data-breach-guidance.

If anyone has concerns about this incident they can, in the first instance, contact Family Planning NSW directly on 1800 957 860 or respond@fpnsw.org.au and if not satisfied with their response they can contact the OAIC at www.oaic.gov.au or on 1300 363 992.

It is a statement which says very little. Very disappointing.
