Peter A Clarke

The Australian with Zero dollars showing on some accounts but AustralianSuper says no need to panic reports that AustralianSuper. The haul, $500,000. What is interesting about the cyber attacks is that they were co ordinated and the targets were all in Super Industry bodies. The means of entry, stolen passwords, known as credential stuffing.  They were possibly obtained from the dark web, which suggests they were acquired from a previous cyber attack.  The theft didn’t involve attacking the cyber defences themselves, but rather As usual in Australia the funds were keen to maintain silence about the breaches.  The Australian Retirement Trust denied this by saying that it notified regulators just not the public.  The spokesman was even more crafty with terminology by claiming the affected customers were notified but not all customers.  This lack of candour is not present in the USA when dealing with cyber attacks.  That is a much more mature approach.

The story is covered by the Guardian, the Australian Financial Review and Nine amongst others.

The Australian article provides:

AustralianSuper

AusSuper chief member officer Rose Kerlin said cyber criminals may have used stolen passwords to log into the accounts belonging to 600 of its members “in attempts to commit fraud”.

Four AustralianSuper customers have lost $500,000 in the cyber raids, although the fund moved to assure customers who were seeing a “$0 balance” on their profiles that they had secure accounts.

Rest Super

Rest Super chief executive Vicki Doyle said 8000 member accounts were affected.

It’s understood criminals attempted to use stolen passwords gathered from other hacks — and possibly shared on the dark web — to break into the accounts.

“Over the weekend of March 29-30, 2025, Rest became aware of some unauthorised activity on our online Member Access portal,” she said.

“No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”

Hundreds of Australian Retirement Trust members first had their accounts breached by cyber criminals about a month ago.

Australian Retirement Trust

Despite a spike of suspicious login attempts on March 8 affecting a few hundred Australian Retirement Trust customers, news about the attack – a co-ordinated hack carried out by cyber criminals on multiple funds – only emerged on Friday.

A spokesman for the fund, which manages more than $300bn in superannuation savings, told The Australian the customers were notified at the time.

He said regulatory agencies were notified soon after, and he denied the company kept news about the widespread cyber attack silent.

About another hundred customers were affected by the continued cyber attacks in the same way to that reported by AustralianSuper and Rest – referred to as “credential stuffing”. No ART account money was stolen.

Credential stuffing uses stolen passwords to gain unauthorised access to data.

Insignia Financial

Insignia Financial said it detected suspicious activity on 100 Expand Wrap Platform customers’ accounts early on Monday.

“At this stage there has been no financial impact to customers,” MLC Expand CEO Liz McCarthy said.

“Our Cyber Security team are actively working to apply additional monitoring and mitigations to protect customer accounts. As a precaution we have taken steps to restrict some activities on the Expand Platform.

“Some customers will receive communications prompting them to reset their passwords when they next login to their accounts.

Hostplus

Hostplus chief executive David Elia said the fund was investigating how its members were affected, but said “we can confirm that no Hostplus member losses have occurred”.

“We had seen various attempts to hack into members accounts but none have succeeded to date,” he said.

“We are of course continuing to monitor the situation and are remaining vigilant.”

Political response

Prime Minister Anthony Albanese sought to downplay the major cyber attack, saying they occur every six minutes.

Opposition home affairs spokesman James Paterson accused Mr Albanese of failing to take the superannuation account breaches seriously.

“The Prime Minister clearly doesn’t understand how serious this is when he described it as just ‘a regular issue’,” Senator Paterson said.

National cyber security

National Cyber Security Co-ordinator Lieutenant General Michelle McGuinness said she was aware “cyber criminals are targeting individual account holders of a number of superannuation funds”.

“I am co-ordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cyber security advice,” she said.

“If you have been impacted or are concerned you may have been impacted, follow the advice provided by your super fund.”

A task force has this week been examining the breach, Home Affairs’ National Cyber Security chief is co-ordinating involvement of government agencies, including the Australian Securities and Investments Commission and Prudential Regulation Authority, plus major super funds.

The agencies are sharing information to investigate the incident.

Cyber CX chief strategy officer Alastair MacGibbon said there was a “very low chance” of catching the culprits behind the cyber raids.

He said the raids on superannuation accounts appeared to be fraud rather than a cyber intrusion, and should be a wake-up call for financial institutions to implement robust multi-factor authentication.

He said it looked like a case of “credential stuffing”, which involves using stolen usernames and passwords that are already circulating on the dark web.

“While it looks big, it’s not a cyber incident, per se. It’s fraud,” Mr MacGibbon said.

“No one has hacked anything. It’s putting usernames and passwords in, which is different from compromising some common thread between all of the superannuation companies.”

He said superannuation companies, like other financial institutions, needed to secure customers’ accounts with third-party multi-factor authentication systems.

Many super funds, including AustralianSuper and Australian Retirement Trust, have opt-in multi-factor authentication systems in place.

Mr MacGibbon said systems that used SMS messages were not sufficient, because phone SIM numbers could be transferred by fraudsters.

Association of Superannuation Funds of Australia said in a statement it was “aware that last weekend hackers attempted to get through the cyber-defences of a number of superannuation funds”.

“While the majority of the attempts were repelled, unfortunately a number of members were affected. Funds are contacting all affected members to let them know and are helping any whose data has been compromised,” the statement says.

Tanya O’Carroll commenced proceedings against Meta seeking orders that Facebook stop using her personal data to create targeted ads on subjects that it believed she would be interested in. She argued that Facebook’s campaign was direct marketing under the UK legislation. Meta has settled the claim agreeing to stop sending targeting advertisements using her personal information. The Information Commissioner’s Office is very happy. So happy that it issued a statement. The ICO has always regarded targeted advertising as being direct marketing under the legislation.it intervened in the case with an amicus curiae brief.

Under the Australian Privacy Act 1988 Australian Privacy Principle 7 addresses direct marketing directly, with the key issues being:

• APP 7 provides that an organisation must not use or disclose personal information it holds for the purpose of direct marketing unless an exception applies. APP 7 may also apply to an agency in the circumstances set out in s 7A.
• Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.
• Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always:
  • allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and
  • comply with that request.
• An organisation must, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.

There has been no similar case in Australia to O’Carroll v Meta.  There is a basis for making the same argument here given the content of APP 7.

The ICO statement provides:

A BBC article Read the rest of this entry »

Today the Privacy Commissioner announced that she has entered into an enforceable undertaking with Oxfam Australia arising from a large data breach on 20 January 2021. What is clear from the undertaking and the Commissioner’s blog is that Oxfam had poor data handling practices and held data for long after they were needed.  This is a common problem and aggravates the damage associated with a data breach.

The term of the undertaking is 2 years. The key obligations are found at paragraph 6 setting out obligations within 3 months to set up a coherent system of using shared credentials, password controls and multi factor authentication and within 6 months to destroy personal information held by Oxfam for more than 7 years or in other specific categories.  Oxfam must undertake a review of the all current uses of personal information within 3 months.  And expert will review compliance in 12 months time and implement any recommendations.  It will also engage in “a a program of public engagement” with the Commissioner and provide to her documents or information she requests from time to time to determine compliance with Undertaking.  

It is a reasonably stringent Undertaking by Australian standards. It is quite lax compared to actions the UK Information Commissioner takes and very easy going compared to the Federal Trade Commission’s enforceable undertakings which often involve swingeing fines and a period of 10 – 20 years of compliance with regular reporting. 

The media release provides:

Privacy Commissioner Carly Kind has accepted an enforceable undertaking (EU) offered by Oxfam Australia (Oxfam).

A data breach was experienced by the not-for-profit in January 2021, and reported to the OAIC in February 2021, following which, the Commissioner initiated an investigation. The data breach resulted in the loss of up to 1.7 million Oxfam records.

The Commissioner’s acceptance of the EU is not a finding that Oxfam has breached the Privacy Act nor the Australian Privacy Principles, but rather highlights the need for charities and not-for-profits to remain vigilant and follow responsible privacy practices.

Oxfam is undertaking a range of measures outlined in the EU, particularly in relation to not storing certain personal information longer than 7 years, avoiding the use of shared credentials, implementing password security controls, sharing staff guidance, procedures and training, and the use of privacy threshold assessments in relation to any project that involves handling personal information for testing purposes.

Oxfam has been working collaboratively with the OAIC across the investigation period, and since offering the enforceable undertaking has contributed to an awareness raising campaign directed at others in the not-for-profit sector in relation to the incident and its response to the incident.

The OAIC has used insights from its investigations into Oxfam’s experience, and the separate data breach which affected the telemarketing firm Pareto, to update its privacy guidance for not-for-profits. The guidance, updated in October 2024 (media release), includes expanded advice on security of information, and steps that not-for-profits can put in place to ensure compliance with their retention and destruction obligations.

Timeline

• • On 20 January 2021 an unknown user gained access to an Oxfam Australia (Oxfam) database.
  • The data breach resulted in the loss of up to 1.7 million Oxfam records.
  • Oxfam was alerted to the incident on 27 January 2021.
  • Oxfam notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC) of the incident on 26 February 2021.
  • Oxfam Australia alerted its supporters of the potential risk on 4 February 2021.
  • On 1 March 2021 Oxfam began notifying their supporters about steps that they could take to protect personal information and provided access to IDCARE.
  • On 10 September 2021 the Australian Information Commissioner commenced an investigation into whether Oxfam’s acts and practices met its requirements under the Privacy Act.
  • Privacy Commissioner Carly Kind concluded the investigation in late 2024.
  • Following the conclusion of the investigation, Oxfam presented Privacy Commissioner Carly Kind with their enforceable undertaking on 18 December 2024.
  • Privacy Commissioner Carly Kind accepted the Oxfam enforceable undertaking on 20 December 2024.

Key privacy points for NFPs

• • NFPs may have obligations under the Privacy Act and Australian Privacy Principles when collecting and handling personal information.
  • Regardless of whether the Privacy Act applies to your NFP, good privacy practice can enable you to build trust and maintain stronger relationships with the community and reduce the risk of harm to your entity, staff and supporters which may result from a data breach.
  • It is important to ensure your NFP only collects personal information you need, stores that information securely and deletes the information when it is no longer required.
  • Your NFP should only retain personal information where there is an ongoing need to hold this information. You should make sure that your NFP has systems and processes in place for regularly reviewing whether the retention of information is still required, and destroying or de-identifying personal information that is no longer required.
  • Part of good privacy practice also means being prepared in case things go wrong. Ensuring you have a data breach response plan in place and are familiar with it, will enable you to respond quickly to a data breach.
  • When entering into arrangements with third parties, your NFP should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your NFP and the wider community. Read the terms of your agreement carefully, conduct periodic reviews of arrangements, and ensure the third party deletes any personal information at the end of the contract term.
  • Refer to our privacy guidance for not-for-profits for advice on security of information, and steps your NFP should put in place to ensure compliance with retention and destruction obligations. The guidance also covers what to consider when engaging third-party providers, such as for fundraising, or software vendors.

Note: Commissioner Kind wishes to note that she previously undertook consultancy work for Oxfam Great Britain. Oxfam Australia and Oxfam Great Britain are separate legal entities. Commissioner Kind’s consultancy work was undertaken prior to her appointment as Privacy Commissioner.

The Enforceable Undertaking Read the rest of this entry »

Genea is a large IVF provider has suffered a cyber attack. Today publicly announced that it has been the subject of a cyber attack. The statement, 19 February 2025: Important update about a cyber incident, is a model of saying precious little.

It provides:

Are Genea clinics still open and treatments being provided?

What should I do?We will communicate with relevant individuals if our investigation identifies any evidence that their personal information has been impacted.

Need to get in touch?

The statement is more about appearing to provide information while not doing any such thing.  There are no details of when the attack occurred, when it was detected, what data was accessed. The ABC’s sleuthing partially filled in those gaps.  The ABC suggests the attack occurred sometime on the weekend when Genea’s phone line went down (which it announced on 14 February – last Saturday) and its app was unusable and patients started posting on Genea’s Instagram account. It claims to be investigating the extent to which personal information has been accessed.  That is improbable.  If it is accurate then the resources it is deploying to determine whether personal information accessed is inadequate.  So Genea’s vague say not much media release is less than helpful.  IVF patients have a very strong interest in using the digital resources of Genea, are very proactive and many are quite sophisticated.  So throwing a digital blanket over a serious breach is a poor way of managing a crisis.  The reluctance by Genea to be more open may expose it to more media coverage. 

Given the nature of the treatment provided and the likelihood that very sensitive personal information was stored in Genea’s records it is almost certainly a notifiable data breach. 

The story has been reported in Read the rest of this entry »

The Guardian’s report Revealed: gambling firms secretly sharing users’ data with Facebook without permission is unfortunately hardly surprising. On this occasion the personal information is going from gambling companies to Meta for it to profile its users and place advertisements.

It is that time of year. Christmas. I wish you all a happy and holy Christmas and that in 2025 all your hopes and dreams come true. As per my tradition I republish one of the great journalistic pieces on Christmas, Yes Virginia there is a Santa Claus. It struck me when I first read it as an 18 year old and I still marvel at the beautiful prose. It is what all good writing should be; clear, spare and lively. This piece also has a touch of literary fairy dust. To write like this is a noble aim.

Here it is:

Dear Editor,
I am 8 years old. Some of my little friends say that there is no Santa Claus. Papa says “If you see it in the Sun, it is so.” Please tell me the truth, is there a Santa Claus?

Virginia,
Your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except what they see. They think that nothing can be which is not comprehensible by their little minds.

All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, Virginia, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to our life its highest beauty and joy.

Alas! How dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

Not believe in Santa Claus? You might as well not believe in fairies! You might get your Papa to hire men to watch all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove?

Nobody sees Santa Claus, but that is no sign that there is no Santa Claus The most real things in the world are those that neither children nor men can see.

Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders that are unseen and unseeable in the world.

You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, or even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernatural beauty and glory beyond.

Is it all real? Ah, Virginia, in all this world there is nothing else as real and abiding.

No Santa Claus? Thank God he lives and he lives forever. A thousand years from now, maybe 10 times 10,000 years from now, he will continue to make glad the hearts of children.

Written by Francis P. Church in 1897

In the digital age the common belief is that data breaches involve a cyber attack, disclosure of information on a web site or by an errant email. As the ABC reports in Documents containing personal information of NT residents found dumped in bushland in Darwin rural area data breaches can, and often does, occur through documents being left in public. There have been many instances of records being left in filing cabinets that are then offered for sale, medical records being stored and forgotten or documents being left in public.

In the most recent example the documents left in the bush contained personal information including medical and bank records and phone numbers.  This may constitute a breach of the Privacy Act 1988 by the entity that collected then didn’t dispose of the documents properly.  In this case it involved records created by the Northern Territory Government.

Document management, either in hard or soft copy form, is critically important and quite straightforward if there is decent training and a workable system.  Businesses often do not regularly review what documents they have and ask themselves why they still have personal information that they don’t need.  Medical practices are notorious for holding records of long since deceased patients or individuals who have moved to other doctors or left the Read the rest of this entry »

As if any more proof were required that privacy and data security is not an ideological issue the Attorney General of Texas has announced an initiative to protect “Tex­ans’ Sen­si­tive Data from Ille­gal Exploita­tion by Tech, AI, and Oth­er Companies.”

The press release Read the rest of this entry »

The UK National Cyber Security Centre has published a guidance on dealing with attacks on business emails. known as a business email compromise (“BEC”).

BEC involves criminal access to a work email account in order to trick someone into transferring money or stealing valuable or sensitive data. The usual method of entry is by using targeted phishing emails to an individual within an organization.  Standard email spam filters generally do not detect them, especially if they come from a legitimate email account that has already been hacked.

The guidance recommends organizations take steps to make them less prone to BEC attacks including:

• reducing the digital footprint of senior staff and executives;
• help staff and users to identify and detect phishing emails;
• implementing two-step verification for accounts; and
• applying the principle of least privilege.

These are quite standard issues for privacy professionals but quiet often unknown to organisations.

The press release provides:

Business email compromise (BEC) occurs when a criminal accesses a work email account in order to trick someone into transferring money, or to steal valuable (or sensitive) data. For this reason, BEC attacks are often directed at senior staff, or those that can authorise financial transactions.

Unfortunately, BEC attacks (which are a type of phishing attack) are on the increase. A recent government report on cyber attacks revealed that in 2023, 84% of businesses and 83% of charities have experienced a phishing attack in the past 12 months.

The goods news is that the NCSC has recently published new guidance on BEC that includes practical steps that will reduce the likelihood of your organisation suffering from a BEC attack. It is specifically aimed at smaller organisations who might not have the resources (or expertise) to implement the NCSC’s existing guidance on phishing attacks in full. Read the rest of this entry »

The Medibank breach was a seminal moment in Australian privacy and data security history. Together with the Optus breach it affected almost half the country’s population. It also highlighted the lax state of cyber security of large companies; minimal data security overall, a focus on perimeter defences over in depth defences, dreadful storage and security of data policies and retaining data long after they are required. But it is the knock on effect of . Itnews reports in Australian police link “over 11,000 cybercrime incidents” to Medibank breach . The knock on effect.  It is that consequential damage that regulators need to be constantly aware of when deciding how to enforce the legislation. Unfortunately in Australia a light touch enforcement has meant that the culture about data security at the board room level is still woefully lax, despite protestations to the contrary.  As a result data breaches are quite regular and escalating in frequency.

The article Read the rest of this entry »