Australian Police link over 11,000 cyber crimes to the Medibank breach.

March 17, 2024

The Medibank breach was a seminal moment in Australian privacy and data security history. Together with the Optus breach it affected almost half the country’s population. It also highlighted the lax state of cyber security at large companies: minimal data security overall, a focus on perimeter defences over defence in depth, dreadful data storage and security policies, and retaining data long after it is required. But it is the knock-on effect that matters here. Itnews reports in Australian police link “over 11,000 cybercrime incidents” to Medibank breach. It is that consequential damage that regulators need to be constantly aware of when deciding how to enforce the legislation. Unfortunately in Australia light touch enforcement has meant that the culture around data security at board room level is still woefully lax, despite protestations to the contrary. As a result data breaches are quite regular and escalating in frequency.

The article

Federal Trade Commission takes action against Blackbaud for inadequate security practices, seeks orders for it to delete unnecessary data

February 14, 2024

The Federal Trade Commission has taken action against Blackbaud and required it to delete personal data that it does not need. The genesis of this outcome was the poor security practices that let a hacker access a trove of sensitive personal information in 2020, much of which should not have been kept. The FTC set out the multiple Blackbaud transgressions: failing to segment data, failing to have multi-factor authentication and not notifying customers of the breach. In this case, as in many others, a data breach doesn’t reveal one flaw but usually a system-wide failure.

The media release provides:

South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.

As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers.

Yes Virginia there is a Santa Claus

December 25, 2023

As per a long standing tradition I wish you all a very happy and holy Christmas with one of the most wonderful odes to Christmas, Yes Virginia there is a Santa Claus. As a piece of prose it is superlative writing: an economy of words which captures the message of hope and optimism. There is a wonderful story behind it, with an 8 year old seeking advice and Virginia going on to live a wonderfully productive life.

I wish you all a wonderful Christmas and hope you approach 2024 with all the hope and optimism of the Yes Virginia editorial from all those years ago.

The letter provides:

Dear Editor,

I am 8 years old. Some of my little friends say that there is no Santa Claus. Papa says “If you see it in the Sun, it is so.” Please tell me the truth, is there a Santa Claus?

Virginia,

Your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except what they see. They think that nothing can be which is not comprehensible by their little minds.

All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, Virginia, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to our life its highest beauty and joy.

Alas! How dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

Not believe in Santa Claus? You might as well not believe in fairies! You might get your Papa to hire men to watch all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove?

Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see.

Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders that are unseen and unseeable in the world.

You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, or even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernatural beauty and glory beyond.

Is it all real? Ah, Virginia, in all this world there is nothing else as real and abiding.

No Santa Claus? Thank God he lives and he lives forever. A thousand years from now, maybe 10 times 10,000 years from now, he will continue to make glad the hearts of children.

Written by Francis P. Church in 1897


DP World confirms that employee data was stolen during cyber attack

November 29, 2023

The DP World data breach caused major disruption at Australian ports around 13 November 2023. There was no mention of personal information being accessed. Now the ABC reports in DP World Australia confirms employee data was stolen during cyber attack, warns of further freight delays ahead of Christmas rush that personal information had been accessed. There is nothing on its website. This knowledge would have been in DP World’s possession for some time. Often these late announcements immediately precede an organisation finally notifying staff whose personal information was accessed. It follows a poor practice playbook.

The article

Major cyber attack on IT provider affects dozens of UK law firms. Another salient warning that law firms

Australian privacy and cyber security operators, or anyone who follows the news found at the front of the paper, don’t need to be told that law firms are a prime target of cyber attacks. The HWL Ebsworth data breach was one of the big data breaches of 2023. Given the firm had a large Government practice it is not surprising that the data breach affected personal information it held in its work for 65 government agencies. It is also a salient example of the cobbler’s children going shoeless. Its response to the data breach has been quite poor.

A reminder that this is a chronic threat is an article titled Cyberattack on IT provider CTS impacts dozens of UK law firms. The mode of the attack is familiar: through a third party provider with authorisations and poor cyber security. Here the

Optus and its system crash highlights the need for a plan to explain, empathise and explain some more when things go wrong. A basic part of a response when there is a data breach which is usually ignored or messed up

November 9, 2023

The 12 hour collapse of Optus’s services showed that it has learnt little about how to respond to a catastrophic event, at least in talking to its customers. Optus executives effectively rolled themselves into a ball and hoped 10 million customers were happy to have the day off. The by-product of this major failure was the reports about how it has not learnt from its data breach fiasco, where the information flow was slow and sparse. The Australian’s article Has Optus learned from the cyberattack playbook? is fairly typical. It is quite amusing to read columnists lately stumble upon this basic need to be transparent with customers.

The thing is that issuing statements of bad news following a data breach has become a sophisticated exercise in the United States and should be treated seriously in Australia. Unfortunately it isn’t. I have been writing on the importance of

The UK Information Commissioner issues preliminary enforcement notice against Snap for failing to properly assess the privacy risk posed by its generative AI chatbot ‘My AI’

October 19, 2023

The privacy concerns regarding the use of AI have always been present. As usual, they have been pushed into the background as the potential and use of AI has dominated the debate. That does not mean that AI developers and users are exempt under the law, as Snap has discovered in the United Kingdom. The UK Information Commissioner has issued a preliminary enforcement notice against Snap regarding its failure to properly assess privacy risks when using its generative AI chatbot “My AI”. The UK Information Commissioner found that Snap’s risk assessment was defective, particularly as it related to children.

The media release provides:

    • Snap issued with preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’
    • Investigation provisionally finds Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17.

The Information Commissioner’s Office (ICO) has issued Snap, Inc and Snap Group Limited (Snap) with a preliminary enforcement notice over potential failure to properly assess the privacy risks posed by Snap’s generative AI chatbot ‘My AI’.

The preliminary notice sets out the steps which the Commissioner may require, subject to Snap’s representations on the preliminary notice. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. This means not offering the ‘My AI’ product to UK users pending Snap carrying out an adequate risk assessment.

Federal Government releases its long awaited response to the Privacy Act Review Report. A cautious yes to reform. The major caveat is when the reforms will be enacted and whether they will be enacted as proposed.

September 28, 2023

On the long and winding road that is privacy reform another turn has been reached. The Federal Government today released its response to the Privacy Act Review Report.

The Attorney General’s media release sounds a triumphalist tone, committing the Government to stronger protection after a landmark review. It provides:

The Albanese Government has committed to stronger privacy protections for Australians in its response today to the landmark review of the Privacy Act.

Australians increasingly rely on digital technologies for work, education, health care and daily commercial transactions and to connect with loved ones. But when they are asked to hand over their personal data they rightly expect it will be protected.

The Government’s response to the review agrees, or agrees in-principle, with the majority of the review’s proposals, including:

    • giving individuals greater control over their privacy by requiring entities to seek informed consent about the handling of personal information;
    • establishing stronger protections for children, including the introduction of a Children’s Online Privacy Code;
    • making entities accountable for handling individuals’ information and enhancing requirements to keep information secure, including destroying data when it is no longer needed; and
    • providing entities with greater clarity on how to protect individuals’ privacy, and simplifying their obligations when handling personal information on behalf of another entity.

The Government will also work with the small business sector, as well as employer and employee representatives, on enhanced privacy protections for private sector employees and for small businesses.

These next steps build on legislation passed last year which significantly increased penalties for repeated or serious privacy breaches, and provided the Australian Information Commissioner with greater powers to address privacy breaches.

The Attorney-General’s Department will conduct an impact analysis and continue to work with the community, business, media organisations and government agencies to inform the development of legislation and guidance material in this term of Parliament. The Government will also consider appropriate transition periods as part of the development of any legislation.

Privacy reform will complement other critical reforms being progressed by the Government, including Digital ID, the 2023-2030 Australian Cyber Security Strategy, the National Strategy for Identity Resilience, and Supporting Responsible AI in Australia.

The Albanese Government is committed to ensuring Australians can benefit from the latest technologies, while knowing that their personal information is safe and secure.

Why it is necessary to continue to consult is a mystery. The Australian Law Reform Commission undertook a comprehensive consultation, taking submissions and then providing a massive report in 2008. It did this again before its 2014 Report. The Victorian and New South Wales Law Reform Commissions have followed similar exercises. And then the Attorney General’s Department issued an Issues Paper, then a Discussion Paper and finally a Report. There is ample empirical data on how privacy legislation operates overseas. Supporters of reform will remain supporters, opponents will remain opponents. Another round of consultations and impact analysis will only delay reforms that should have been implemented 15 years ago. It will give opponents another chance to water down reforms. And they will take it if history is any guide.

The Australian covers the release with Labor targets small business privacy hit and Major privacy overhaul will thrust TikTok into legal spotlight. The Guardian covers the release with New laws will give Australians the right to sue for ‘serious’ breaches of privacy. The Sydney Morning Herald covers the story with Personal data to get greater protection, but targeted ads will keep coming. The ABC provides an overview with Government to overhaul privacy laws, including opting out of advertising, a right to be forgotten, and new rules for small businesses.

Most of the coverage is of sweeping reforms in the offing. But not all. In Govt kicks Privacy Act can down the road, Information Age, the publication of the Australian Computer Society, highlights that the Government has agreed to immediate implementation of relatively few proposals: 38 of the 116 recommendations. The Government agreed in principle with 68 of the recommendations. The most significant proposals are only agreed in principle and for some, such as the small business exemption and employment records exemption, the time frame is open ended. Similarly Itnews interprets the response as stalling on some privacy reforms in Gov stalls on some privacy reforms with conditional support.

Some context is required to gauge how significant the response is. In 2008 the Australian Law Reform Commission published its landmark report on the Privacy Act, Report 108. It contained a root and branch review of the Privacy Act and provided a full suite of reform proposals. The Government of the day tentatively selected a few of the recommendations and amended the Privacy Act. It was a missed opportunity. Those recommendations are generally the gold standard in reform. The 2014 ALRC report was quite good but not as comprehensive as its 2008 Report. It was the basis of the Attorney General’s Privacy Review Report to which the Government responded today. That said, the Attorney General’s Review was quite tentative and cautious. It is a pale imitation of the 2008 ALRC suite of recommendations.

If the Government implements all the recommendations it has agreed to or agreed in principle then the Privacy Act will be much improved and people will have greater privacy protections. That said, it will be an incomplete reform because the Attorney General’s Department Report is incomplete. The reforms will be significant but the concern remains as to when the reforms will be enacted and whether they will be watered down in the next round of consultations on the agreed in principle proposals.

Not surprisingly the Information Commissioner welcomes the proposed reforms. The regulator is a big winner in the suite of reforms. Its media release provides:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Australian Government’s response to the Attorney-General’s Department’s (AGD) review of the Privacy Act 1988 as a crucial step in ensuring Australia’s privacy framework is strengthened for the future.

“This is a vital set of proposals that will deliver significant gains for the Australian community,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“With increasing use of high impact technologies, it is critical that these reforms proceed as a priority alongside other key initiatives that rely on a strong privacy foundation such as the Australian Cyber Security Strategy and Digital ID framework.”

The OAIC’s Australian Community Attitudes to Privacy Survey makes clear the high priority Australians place on having the right legislative framework in place to hold regulated entities to account for the way they handle personal information. The survey found 89% of Australians would like to see government pass more legislation that protects their personal information.

“As the privacy regulator, it is pleasing to see support for the positive obligation that personal information handling is fair and reasonable, as a new keystone of the Australian privacy framework,” Commissioner Falk said.

“This is the most significant change to the Privacy Act in decades, and will require organisations to ensure that their practices are fair and reasonable in the first place.

“This will provide confidence to the Australian community that, like a safety standard, privacy must be built into products and services from the start.

“Key developments include enabling individuals to exercise new privacy rights and take direct action in the courts if their privacy is breached. These initiatives reflect the baseline privacy rights expected by our community.”

Reforms will also provide a greater range of enforcement powers to the OAIC, establish stronger privacy protections for children and enhance requirements in relation to the security of personal information and its destruction when it is no longer needed.

“As privacy regulator, the provision of tools and support will increase the OAIC’s ability to take regulatory action on behalf of the Australian people in a flexible and proportionate way, and to identify systemic privacy issues,” Commissioner Falk said.

There are a number of proposals that are subject to consultation and developing sufficient impact strategies before legislation is finalised, including changes to the small business exemption and the employee records exemption.

“We support the removal of these exemptions and acknowledge that it is important to engage with the business community so that we can fully understand and assist with their transition. The OAIC stands ready to support small businesses to make their compliance with privacy requirements easy,” Commissioner Falk said.

The Australian Government will consult with stakeholder groups before drafting further legislation to go before Parliament in 2024. The OAIC is well prepared and committed to lending its expertise to the next phase of this ambitious reform.

The proposed privacy reforms follow the passing in November 2022 of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which introduced significantly increased penalties for serious and repeated privacy breaches and greater powers for the OAIC to resolve breaches.

Part of the reason there is a poor privacy culture in Australia goes beyond the poor legislation. It is the dreadful history of regulation by the Privacy Commissioner and now the Information Commissioner. The regulator has been tentative and ineffective. A quick example: the Commissioner has been able to bring civil penalty actions since 2014. How many civil penalty proceedings have been commenced? Answer: one, against Facebook, arising out of the Cambridge Analytica scandal. And that has not even got to trial yet. Have Australian companies been such paragons of virtue that there was no scope to bring any actions against them? There have been many breaches where the Commissioner could have taken action. To be fair, the current incumbent is much better than her predecessors.

The Report provides:

Introduction

The digital economy has led to innovation, advances in productivity and efficiency and a range of other benefits for Australians. However, the vast data flows underpinning digital ecosystems have also created the conditions for recent major data breaches affecting millions of Australians, with their sensitive personal information being exposed to the risk of identity fraud and scams. Strong privacy protections are critical to building the security, confidence and trust necessary to drive innovation and economic growth.

Australians are seeking greater protection in the handling of their personal information. The 2023 Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey (2023 ACAP survey) makes clear the high priority Australians place on the security of their personal information. Three in five (62%) of Australians surveyed see the protection of their personal information as a major concern in their life, and 75% consider that data breaches are one of the biggest privacy risks they face today (increasing by 13% since 2020). Only 32% feel in control of their data privacy, and 84% want more control and choice over the collection and use of their personal information. 89% would like the Government to provide more legislation in this area.

Why it is necessary to continue to consult is a mystery. The Australian Law Reform Commission underwent a comprehensive consultation, taking submissions and then providing a massive report in 2008. It did this again before its 2014 Report.  The Victorian and New South Wales Law Reform Commissions have followed similar exercises.  And then the Attorney General’s Department issued an Issues Paper, then a Discussion Paper and finally a Report.  There is ample empircal data of how privacy legislation operates overseas.  Supporters of reform will remain supporters, opponents will remain opponents.  Another round of consultations and impact analysis will only delay reforms that should have been impleted 15 years ago.  It will give opponents another chance to water down reforms.  And they will take it if history is any guide. 

The Australian covers the release with Labor targets small business privacy hit and Major privacy overhaul will thrust TikTok into legal spotlight. The Guardian covers the release with New laws will give Australians the right to sue for ‘serious’ breaches of privacy. The Sydney Morning Herald covers the story with Personal data to get greater protection, but targeted ads will keep coming.  The ABC provides an overview with Government to overhaul privacy laws, including opting out of advertising, a right to be forgotten, and new rules for small businesses

Most of the coverage is of sweeping reforms in the offing.  But not all.  In Govt kicks Privacy Act can down the road Information Age, the publication of the Australian Computer Society highlights that the Government has agreed to immediate implementation of relatively few proposals, 38 of the 116 recommendations. The Government agreed in principle with 68 of the recommendations. The most significant proposals are only agreed in principle and with some, such as the small business exemption and employment records exemption the time frame is open ended. Similarly Itnews interprets the response as stalling on some privacy reforms in Gov stalls on some privacy reforms with conditional support.

Some context is required to gauge how significant the response is.  In 2008 the Australian Law Reform Commission published its landmark report on the Privacy Act, Report 108.  It contained a root and branch review of the Privacy Act and provided a full suite of reform proposals.  The Government of the day tentatively selected a few of the recommendations and amended the Privacy Act.  It was a missed opportunity.  Those recommendations are generally the gold standard in reform.  The 2014 ALRC report was quite good but not as comprehensive as its 2008 Report.  It was the basis of the Attorney General’s Privacy Review Report to which the Government responded to today.  That said the Attorney General’s Review was quite tentative and cautious.  It is a pale imitation of the 2008 ALRC suite of recommendations. 

If the Government implements all the recommendations it has agreed to or agreed in principle then the Privacy Act will be much improved and people will have greater privacy protecitons.  That said, it will be an incomplete reform because the Attorney General’s Department Report is incomplete.  The reforms will be significant but the concern remains as to when the reforms will be enacted and whether they will be watered down in the next round of consultations on the agreed in principle proposals. 

Not surprisingly the Information Commissioner welcomes the proposed reforms. The regulator is a big winner in the suite of reforms. Its media release provides:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Australian Government’s response to the Attorney-General’s Department’s (AGD) review of the Privacy Act 1988 as a crucial step in ensuring Australia’s privacy framework is strengthened for the future.

“This is a vital set of proposals that will deliver significant gains for the Australian community,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“With increasing use of high impact technologies, it is critical that these reforms proceed as a priority alongside other key initiatives that rely on a strong privacy foundation such as the Australian Cyber Security Strategy and Digital ID framework.”

The OAIC’s Australian Community Attitudes to Privacy Survey makes clear the high priority Australians place on having the right legislative framework in place to hold regulated entities to account for the way they handle personal information. The survey found 89% of Australians would like to see government pass more legislation that protects their personal information.

“As the privacy regulator, it is pleasing to see support for the positive obligation that personal information handling is fair and reasonable, as a new keystone of the Australian privacy framework,” Commissioner Falk said.

“This is the most significant change to the Privacy Act in decades, and will require organisations to ensure that their practices are fair and reasonable in the first place.

“This will provide confidence to the Australian community that like a safety standard, privacy must be built into products and services from start.

“Key developments include enabling individuals to exercise new privacy rights and take direct action in the courts if their privacy is breached. These initiatives reflect the baseline privacy rights expected by our community.”

Reforms will also provide a greater range of enforcement powers to the OAIC, establish stronger privacy protections for children and enhance requirements in relation to the security of personal information and its destruction when it is no longer needed.

“As privacy regulator, the provision of tools and support will increase the OAIC’s ability to take regulatory action on behalf of the Australian people in a flexible and proportionate way, and to identify systemic privacy issues,” Commissioner Falk said.

There are a number of proposals that are subject to consultation and developing sufficient impact strategies before legislation is finalised, including changes to the small business exemption and the employee records exemption.

“We support the removal of these exemptions and acknowledge that it is important to engage with the business community so that we can fully understand and assist with their transition. The OAIC stands ready to support small businesses to make their compliance with privacy requirements easy,” Commissioner Falk said.

The Australian Government will consult with stakeholder groups before drafting further legislation to go before Parliament in 2024. The OAIC is well prepared and committed to lending its expertise to the next phase of this ambitious reform.

The proposed privacy reforms follow the passing in November 2022 of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which introduced significantly increased penalties for serious and repeated privacy breaches and greater powers for the OAIC to resolve breaches.

Part of the reason there is a poor privacy culture in Australia goes beyond the poor legislation.  It is the dreadful history of regulation by the Privacy Commissioner and now the Information Commissioner.  The regulator has been tentative and ineffective.  A quick example, the Commissioner has had civil penalty actions possible since 2014.  How many civil penalty proceedings were commenced.  Answer, one. Against Facebook, arising out of the Cambridge Analytica scandal.  And that has not even got to trial yet.  Have Australian companies been such paragons of virtue that there was no scope to bring any actions against them.  There have been many breaches where the Commissioner could have taken action.  To be fair, the current incumben is much better than her predecessors. 

The Report provides:

Introduction

The digital economy has led to innovation, advances in productivity and efficiency and a range of other benefits for Australians. However, the vast data flows underpinning digital ecosystems have also created the conditions for recent major data breaches affecting millions of Australians, with their sensitive personal information being exposed to the risk of identity fraud and scams. Strong privacy protections are critical to building the security, confidence and trust necessary to drive innovation and economic growth.

Australians are seeking greater protection in the handling of their personal information. The 2023 Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey (2023 ACAP survey) makes clear the high priority Australians place on the security of their personal information. Three in five (62%) of Australians surveyed see the protection of their personal information as a major concern in their life, and 75% consider that data breaches are one of the biggest privacy risks they face today (increasing by 13% since 2020). Only 32% feel in control of their data privacy, and 84% want more control and choice over the collection and use of their personal information. 89% would like the Government to provide more legislation in this area.

Dymocks suffers data breach, data placed on the dark web

September 11, 2023


Dymocks became aware of a data breach on 6 September 2023. It became aware because someone told it that customer data had been put on the dark web. Dymocks notified customers on 8 September 2023. That is quite a quick notification, though it was inspired more by the stolen customer data being posted on the dark web than by best practice. Dymocks' notification on its website is quite good, brilliant by the dismal standards usually displayed by Australian companies. The content of the notice makes it clear that Dymocks is a long way from completing its damage assessment. It put out the notice to get ahead of the story. That is generally a good idea. To see how bad things can get when an affected organisation doesn't advise its customers, look at the way Optus and Medibank handled their respective data breaches.

Dymocks doesn't know how much data has been exfiltrated (though it is reported elsewhere that up to 836,000 unique email addresses were stolen), it doesn't know when the breach occurred, and it doesn't know what data was taken, but suggests it is probably personal information and definitely not financial information. That Dymocks discovered the data breach from a third party finding customer data on the dark web highlights a weakness in its data security. It is passé to rely merely on a perimeter defence and have no other means of monitoring hostile activity within one's own systems. Organisations should use programs to test their cyber defences, such as Nessus and Metasploit. Perimeter defences get breached, often by use of purloined credentials, as was the case with HWL Ebsworth. Threat intelligence tools should be part of the toolkit of any organisation that collects and uses significant amounts of personal information. Companies should be using intrusion detection systems such as SolarWinds Event Manager, to name one of many.

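The point about monitoring activity inside the environment, rather than only at the perimeter, is the kind of thing a simple audit-log detector illustrates. The following is an added example written for this post; it is not code from Dymocks, from any vendor named above, or from the original article. It runs over constructed application audit log lines (timestamp, account, source address, customer record id) and raises two defender-side signals: an account reading customer records from an address outside its known baseline, and an account reading more records within a sliding window than a routine workload would. The log layout, account names, baseline addresses and the 50-records-in-5-minutes threshold are all assumptions for illustration.

```python
"""Minimal internal-activity monitor over constructed audit log lines.

Added example, not from the original post or from Dymocks. Field layout,
account names, baseline addresses and thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed baseline: the source addresses each account is normally seen from.
KNOWN_SOURCES = {
    "store_01": {"10.20.0.15"},
    "svc_reporting": {"10.20.0.40"},
}


def build_sample_log():
    """Construct sample audit lines: 'ISO-timestamp account src_ip record_id'."""
    base = datetime(2023, 9, 1, 9, 0, 0)
    lines = []
    # Routine behaviour: a store account looks up eight records over an hour.
    for i in range(8):
        ts = base + timedelta(minutes=7 * i)
        lines.append(f"{ts.isoformat()} store_01 10.20.0.15 cust-{1000 + i}")
    # Anomalous behaviour: a service account pulls 120 records in four minutes
    # from an address that is not in its baseline.
    for i in range(120):
        ts = base + timedelta(minutes=30, seconds=2 * i)
        lines.append(f"{ts.isoformat()} svc_reporting 203.0.113.77 cust-{5000 + i}")
    return lines


def parse_line(line):
    """Split one audit line into (timestamp, account, src_ip, record_id)."""
    ts, account, src_ip, record_id = line.split()
    return datetime.fromisoformat(ts), account, src_ip, record_id


def detect(lines, window=timedelta(minutes=5), threshold=50,
           known_sources=KNOWN_SOURCES):
    """Return alerts as (kind, account, src_ip, timestamp) tuples.

    kind is 'new_source' (first read from an address outside the account's
    baseline) or 'bulk_read' (record reads in the sliding window reached
    the threshold). Each account raises at most one bulk_read alert.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)          # account -> timestamps inside the window
    baselines = {a: set(s) for a, s in known_sources.items()}
    bulk_alerted = set()
    alerts = []
    for ts, account, src_ip, _record_id in events:
        # Source check: an address the account has not been seen from before.
        seen = baselines.setdefault(account, set())
        if src_ip not in seen:
            alerts.append(("new_source", account, src_ip, ts))
            seen.add(src_ip)
        # Volume check: drop timestamps older than the window, then count.
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and account not in bulk_alerted:
            alerts.append(("bulk_read", account, src_ip, ts))
            bulk_alerted.add(account)
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

On the constructed input the store account never trips either check, while the service account raises a new-source alert on its first read and a bulk-read alert once its fiftieth read lands inside the five-minute window. Real deployments would feed this from the application's own audit trail or a SIEM and tune the threshold per role; the value of the example is that both signals come from inside the environment, not from the firewall.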
The notice provides:

We recently became aware of a data breach of customer information. We have a strong commitment to customer privacy and data security and while the magnitude of the breach has not been confirmed or determined at this stage, we are taking immediate action to investigate the incident and protect customers information.

Below is a summary of what we know, what we’re doing, and how we’ll continue to communicate further updates.

We apologise for any inconvenience or concern this situation causes customers. We are committed to providing updates as our investigation progresses. All necessary steps will be taken to safeguard customer data.

How we will communicate

Customers will be notified via email as we know more. We will also update this webpage with the latest updates.


Australian Community Attitudes to Privacy Survey released and results are consistent with overseas findings…that privacy is seen as important, there is an unease about how personal information is collected and used, there is a distrust of government and business in their attitude to privacy, and data breaches are a major concern. These are hardly new findings. It is just that not much is done to fix the problems

August 13, 2023

The Office of the Information Commissioner has released the Australian Community Attitudes to Privacy Survey (ACAPS) 2023, which provides a comprehensive view of Australians' privacy attitudes and experiences and how recent events have impacted them. The survey finds that Australians care about their privacy, feel they have little control over it and are concerned about how their information is handled. They want more to be done to protect their privacy. These findings reinforce findings of previous surveys in Australia. They are also consistent with the Pew Research Center's 2019 survey of Americans, Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information.

The problem has never been discerning Australians' attitude to privacy. Repeated surveys show they value it and want it protected. The problems are well known as well: ineffective legislation and timid enforcement of what there is, chronic under-investment in cyber security and privacy training, and the lack of any right to take action for breaches. Report after report into privacy legislation has made this clear. What has been lacking is the will. Governments of both persuasions have alternated between hostility and tentativeness towards privacy reform. The result has been minimal protection.

The Government is considering the Privacy Act Review Report prepared by the Attorney General's Department. The recommendations do not go far enough in legislating best practice privacy protections. If the Government accepted all of the recommendations, the legislative structure would provide robust protections. Then it is a question of properly funding the regulator and staffing it with people who will be much more assertive in taking action against breaches. Even with the greater powers provided in 2014, the Commissioner's Office has been a timid regulator and a poor litigator in the Federal Court.

The media release sets out a reasonable summary of the findings.  It provides:

There has been a sharp increase in the number of Australians who feel data breaches are the biggest privacy risk they face today, according to a major survey released today by the Office of the Australian Information Commissioner (OAIC).

The Australian Community Attitudes to Privacy Survey (ACAPS) 2023 provides a comprehensive view of Australians’ privacy attitudes and experiences and how recent events have impacted them.

The survey tested attitudes on topics such as data practices, privacy legislation, data breaches, biometrics, artificial intelligence and children’s privacy.

“Our survey shows privacy is a significant concern for Australians, especially in areas that have seen recent developments like artificial intelligence and biometrics,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.
