Ransomware attacks grew 13% year on year in 2022, an increase greater than in the past 5 years

May 28, 2022

Verizon has just released its 2022 Data Breach Investigations Report, which shows that ransomware has grown 13% year on year in 2022. The report is valuable because it records trends in ransomware attacks.

The report states:

  • the four means of gaining access to an organisation's online systems are:
    • misuse of credentials,
    • phishing,
    • exploiting vulnerabilities, and
    • botnets.
  • Error continues to be a dominant trend, and is heavily influenced by misconfigured cloud storage.
  • The human element continues to drive breaches. Whether it is the use of stolen credentials, phishing or simply an error, people continue to play a large part in incidents and breaches alike.
  • Data compromises are considerably more likely to result from external attacks than from any other source.
  • 80% of breaches are caused by individuals external to the organisation.


National Institute of Standards and Technology issues Blockchain for Access Control Systems NISTIR 8403

May 27, 2022

The National Institute of Standards and Technology (“NIST”) has issued a guideline, Blockchain for Access Control Systems.

The abstract provides:

The rapid development and wide application of distributed network systems have made network security – especially access control and data privacy – ever more important. Blockchain technology offers features such as decentralization, high confidence, and tamper-resistance, which are advantages to solving auditability, resource consumption, scalability, central authority, and trust issues – all of which are challenges for network access control by traditional mechanisms. This document presents general information for blockchain access control systems from the views of blockchain system properties, components, functions, and supports for access control policy models. Considerations for implementing blockchain access control systems are also included.

Blockchain systems provide an alternative (or complimentary) system for reliability, security, accountability, and scalability for AC systems. Blockchain characteristics – such as transparency, distributed computing/storage, and a tamper-evident/tamper-resistant design – help to prevent AC data from being accessed or modified by malicious users. Access logs are also recorded in blocks that allow for the detection of malicious activities. Blockchain system components and their advantages for AC systems are Read the rest of this entry »

Data breaches of health providers highlight the weaknesses in the health sector

May 25, 2022

The health sector is a regular target of cyber criminals. It is also a sector which is notorious for having poor cyber security practices. That is a terrible confluence.

Data Breach Today reports that 3 recent health data breaches have affected 1.4 million individuals. The three entities were:

ETCH and PHC were attacked in March, involving various IT system disruptions, suggesting possible ransomware attacks. ETCH’s report to Maine’s attorney general claimed the attack affected nearly 423,000 individuals. PHC reported its breach affected nearly 855,000 individuals. Acuity International’s breach affected nearly 123,000 individuals.

The data affected by the ETCH breach may include name, contact information, date of birth, medical record number, medical history information and Social Security number. The PHC breach involved unauthorized access to names, Social Security number, date of birth, driver’s license number, tribal ID number, medical record number, health insurance information, member portal username and password, email address, and medical information including treatment, diagnosis and prescriptions.

Other recent health-related cyber incidents around the world include:

Given the breadth and depth of the attacks it is relevant to have regard to a very recent Joint Cybersecurity Advisory prepared by the cyber security authorities of the United States of America, Canada, New Zealand and the United Kingdom titled “Weak Security Controls and Practices Routinely Exploited for Initial Access”.

The report sheets home much of the blame on Read the rest of this entry »

CBS Commercial Canberra Pty Ltd v Axis Commercial (ACT) Pty Ltd, in the matter of CBS Commercial Canberra Pty Ltd [2022] FCA 544 (12 May 2022): application to set aside statutory demand, offsetting claim,

May 15, 2022

The Federal Court, per Halley J, set aside a statutory demand in CBS Commercial Canberra Pty Ltd v Axis Commercial (ACT) Pty Ltd, in the matter of CBS Commercial Canberra Pty Ltd [2022] FCA 544 in finding that an offsetting claim constitutes a genuine dispute. It is a very good decision setting out the complications of offsetting claims arising from building contracts relied upon in setting aside a statutory demand which is based on a certificate and judgment obtained under the Security of Payments Act.

FACTS

CBS engaged Axis as a sub-contractor to undertake work at a building site located in Gungahlin in the Australian Capital Territory [12].

The chronological events Read the rest of this entry »

Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022): ss 912A(1)(a) & (h) Corporations Act 2001 (Cth), failure to have adequate cybersecurity risk management in place,

May 14, 2022

The Federal Court, per Rolfe J, in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 made what has widely been described as the first occasion on which a corporation has been found to have breached its licence obligations by failing to have adequate risk management systems to manage its cyber security risks. The Court ordered declaratory relief requiring RI Advice to undertake work to improve its security under the supervision of an expert.

The orders were made in terms agreed between the parties just before the trial was scheduled to commence.

I have followed this proceeding closely with posts ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security in August 2020 and ASIC v RI Advice Group Pty Ltd cyber security civil penalty trial pushed off from a 29 November 2021 hearing date to a date in April 2022 in May 2021.

FACTS

The Court provided a factual background, stating that RI Advice:

  • was:
    • up to and including September 2018, a wholly-owned subsidiary of Australia and New Zealand Banking Group Limited (ANZ);
    • from 1 October 2018, along with two other ANZ financial licensees, part of the IOOF Holdings Limited (IOOF) group of companies [12]
  • carries on a financial services business within the meaning of s 761A of the Corporations Act (“the Act”) under a third-party business owner model.
  • under s 916A of the Act, authorises independently-owned corporate authorised representatives (“ARs”) and individual authorised representatives to provide financial services to retail clients on RI Advice’s behalf and pursuant to the Licence [13]

The AR Practices (practices of groups of one or more Authorised Representatives):

  • electronically received, stored and accessed confidential and sensitive personal information and documents in relation to their retail clients. The personal information included:

(a) personal details, including full names, addresses and dates of birth and in some instances health information;

(b) contact information, including contact phone numbers and email addresses; and

(c) copies of documents such as driver’s licences, passports and other financial information [14].

  • since 15 May 2018 provided financial services to at least 60,000 retail clients [15]
  • had 9 cybersecurity incidents between June 2014 and May 2020, being:
    • in June 2014 an AR’s email account was hacked and five clients received a fraudulent email urging the transfer of funds, one of whom made transfers totalling some $50,000;
    • in June 2015 a third-party website provider engaged by an AR Practice was hacked, resulting in a fake home page being placed on the AR Practice’s website;
    • in September 2016 one client received a fraudulent email purporting to be from an employee of an AR Practice, asking for money. The AR Practice used an email platform where information was stored “in the Cloud”, with no anti-virus software and only one password which everyone used;
    • in January 2017 an AR Practice’s main reception computer was subject to ransomware delivered by email, making certain files inaccessible;
    • in May 2017 an AR Practice’s server was hacked by brute force through a remote access port, resulting in a file containing the personal information of some 220 clients being held for ransom and ultimately not recoverable;
    • between December 2017 and April 2018 (December 2017 Incident) an unknown malicious agent gained unauthorised access to an AR Practice’s server for several months, compromising the personal information of several thousand clients, some of whom reported unauthorised use of the personal information;
    • in May 2018 an unknown person gained unauthorised access to the email address of an AR and sent a fraudulent email to the AR’s bookkeeper requesting a bank transfer;
    • an unauthorised person used an AR Practice’s employee’s email address:
      • in August 2019 to send phishing emails to over 150 clients; and
      • in April 2020 to send phishing emails to the AR Practice’s contacts [16].

Inquiries and reports following the cybersecurity incidents revealed that there were a variety of issues in the respective ARs’ management of cybersecurity risk, including:

  • computer systems not having up-to-date antivirus software installed and operating;
  • no filtering or quarantining of emails;
  • no backup systems in place, or backups not being performed; and
  • poor password practices including:
    • sharing of passwords between employees,
    • use of default passwords,
    • passwords and other security details being held in easily accessible places or being known by third parties [17].

Regarding the incidents Read the rest of this entry »

In the matter of Credit Clear Limited [2022] VSC 206 (29 April 2022): security for costs,

May 3, 2022

Justice Riordan considered an appeal against an order for security for costs in In the matter of Credit Clear Limited [2022] VSC 206. The appellants were unsuccessful across the board.

FACTS

By originating process filed 15 July 2020, the plaintiffs made an application under:

(a) sections 175, 232, 233, 461(1)(k), 1041H(1), 1324(1) and 1325 of the Corporations Act 2001 (Cth) (‘the Act’);

(b) sections 12DA and 12GM of the Australian Securities and Investments Commission Act 2001(Cth) (‘the ASIC Act’);

(c) sections 237 and 243 of the Australian Consumer Law, being Schedule 2 of the Competition and Consumer Act 2020 (Cth) (‘ACL’); and

(d) the inherent jurisdiction of the Court [2].

The plaintiffs sought the following substantive relief in their points of claim [4]:

(a) The first plaintiff (‘Mr McKendrick’) sought to be reinstated as a director of the first respondent (‘Credit Clear’).

(b) The appellant sought the following relief:

B. Declarations and or orders under s 1325 of the Act, alternatively s 233(1)(c) and or (j) of the Act, s 12GM of the ASIC Act and or ss 237 and 243 of the ACL, that the Separation Agreement dated 11 November 2016 and Intellectual Property Assignment Agreement dated 11 November 2016 (by which the plaintiffs were forced to give up their interests in the first defendant together with the intellectual property rights owned by the first plaintiff) are void on the grounds they were procured under duress, undue influence, unconscionable conduct and or misleading and deceptive conduct in contravention of 1041H(1) of the Act, s 12DA of the ASIC Act and or s 18 of the ACL;

C. A declaration that the second plaintiff is entitled to hold 20% of the issued ordinary shares in the first defendant;

D. Rectification of the share register of the first defendant pursuant to s 175 of the Act to reinstate the second plaintiff as a member and to record that it holds a number of fully paid ordinary shares representing 20% of issued shares in the first defendant alternatively that it holds 6,805,555 fully paid ordinary shares in the first defendant;

E. A declaration that the affairs of the first defendant are being conducted contrary to the interests of the members as a whole and or are oppressive to, or unfairly prejudicial to, or unfairly discriminatory against the second plaintiff, or in the interests of and to the benefit of the second to third defendants and not the first defendant or its members;

F. An order that the second and or third defendants purchase the second plaintiff’s shareholding in the first defendant at fair value; Read the rest of this entry »

Bioaction Pty Ltd v Ogborne, in the matter of Bioaction Pty Ltd [2022] FCA 436 (26 April 2022): 459G of the Corporations Act 2001, whether service within 21 days

April 27, 2022

In Bioaction Pty Ltd v Ogborne, in the matter of Bioaction Pty Ltd [2022] FCA 436 the Federal Court considered, for the first time by the courts, the deeming provisions of sections 105A and 105B of the Corporations Act regarding service of applications to set aside a statutory demand within the 21-day time limit.

FACTS

By originating process filed on 3 February 2022, the plaintiff, Bioaction Pty Ltd, sought an order setting aside a statutory demand pursuant to s 459G of the Corporations Act dated 12 January 2022 served by the defendant, Gordon Ogborne (“Ogborne”) [5].

Bioaction specialises in the design, manufacturing and installation of systems to eliminate or mitigate odorous, hazardous and corrosive gases, and Ogborne was its Chief Financial Officer / Chief Operating Officer from December 2019 until November 2021, when he was made redundant [7].

Ogborne and Bioaction were in dispute as to his entitlements, namely whether Ogborne was entitled to any additional sum, as he claimed [8].

On 13 January 2022, Ogborne served the statutory demand on Bioaction seeking payment of $240,688.31 being unpaid:

  • salary,
  • superannuation,
  • salary in lieu of termination,
  • annual leave and
  • redundancy

pursuant to an employment contract [9].

The statutory demand was Read the rest of this entry »

NIST releases guides to Enterprise Patch Management

April 11, 2022

The National Institute of Standards and Technology (“NIST”) releases excellent guides in relation to all manner of technology. It is particularly helpful in providing processes to improve cyber security and deal with data breaches.

Last week NIST, through its National Cybersecurity Center of Excellence (NCCoE), released

The focus of both guides highlights the importance of timely and appropriate patching so as to enable organisations to have an adequate cybersecurity system.

Patching is a form of preventive maintenance of computing technologies. It helps prevent compromises, data breaches, operational disruptions, and criminal acts.

SP 800-40

SP 800-40 Revision 4 recommends that leadership at all levels of an organization, along with business/mission owners and security/technology management teams, should jointly create an enterprise strategy that simplifies and sets up processes for patching.

Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization.

The publication refers to Read the rest of this entry »

Data Availability and Transparency Act 2022 passes and receives Royal Assent on 1 April 2022

April 10, 2022

On 31 March 2022 the Federal Parliament passed the Data Availability and Transparency Bill 2022. It became law on 1 April 2022. Its genesis is traced back to reforms proposed by the Productivity Commission’s Inquiry Report into Data Availability and Use (2017).

The Minister’s Second Reading Speech provides:

I am pleased to introduce this bill which will create the Data Availability and Transparency Act, appropriately abbreviated to DATA.

This bill establishes a new data sharing scheme for federal government data, underpinned by strong safeguards to mitigate risks and simplified processes to make it easier to manage data sharing requests.

2020 has shown us how critical this piece of legislation is.

We started the year in the middle of one of the most disastrous bushfire seasons in recent memory, with thousands of Australians needing access to government services to support them through this difficult time.

Australians continue to face the onslaught of the COVID-19 pandemic, which has cost them their jobs and their livelihoods, and they are turning to their government for help.

Government data and digital services have been fundamental to the government’s response to these events.

Data allowed Australians to receive timely and reliable services in a time of need.

Data allowed Australians to access government services online instead of queuing at Centrelink shopfronts.

It was data that informed the development of essential programs like the JobKeeper payment, so that we could provide relief to Australians who have lost their jobs during this pandemic.

The government’s vision is that Australians experience the same seamless approach to government services every day, not just in times of crisis. Read the rest of this entry »

Stubbings v Jams 2 Pty Ltd [2022] HCA 6 (16 March 2022); equity, unconscionable conduct, reliance on certificates of independent advice

March 30, 2022

In a 5–0 decision the High Court allowed an appeal from the Victorian Supreme Court in Stubbings v Jams 2 Pty Ltd [2022] HCA 6, concerning the operation of certificates of independent advice and unconscionable conduct. The lead judgment is that of Kiefel CJ, Keane and Gleeson, with separate opinions by Gordon and Steward.

FACTS


The appellant owned two houses in Narre Warren, both mortgaged to Commonwealth Bank with weekly repayments of between $260 and $280 per week. The appellant did not live in either house. He lived at rental premises at Boneo, where he worked repairing boats for the owner of the property [7].

The appellant fell out with the owner, ceased work and, needing to move house, sought to purchase another property on the Mornington Peninsula [7].

At the relevant time the appellant:

  • was unemployed
  • had no regular income
  • had not filed tax returns in several years and
  • was in arrears on rates payments in respect of the two Narre Warren properties [8]

After a home loan application to ANZ was rejected for lack of financial records, the appellant was introduced to Mr Zourkas [8] who described himself as a “consultant”, in the business of introducing potential borrowers to Ajzensztat Jeruzalski & Co (“AJ Lawyers”) [9]. The service AJ Lawyers provided to clients was to facilitate the making of secured loans by those clients [9].

The primary judge found that Zourkas played an “important and essential” role in these transactions, in that his involvement ensured that AJ Lawyers never dealt directly with the borrower or guarantor, such as the appellant [9]

When the appellant and Zourkas met on a number of occasions in 2015:

  • at the first meeting, the appellant said that he “wanted to buy a little house” to live in, to which Mr Zourkas responded that “there would not be a problem going bigger and getting something with land”, which resulted in the appellant finding a five-acre property with two houses on it in Fingal, available for $900,000.
  • at another meeting, Zourkas told the appellant that he could borrow a sum sufficient to pay out the existing mortgages over the Narre Warren properties, purchase the Fingal property, and have approximately $53,000 remaining to go towards the first three months’ interest on the loan [10].
  • Zourkas advised the appellant that he could then sell the Narre Warren properties, reducing the loan to approximately $400,000, which the appellant could then refinance with a bank at a lower interest rate [10]

The calculation was that:

  • two Narre Warren properties and the Fingal property would secure the appellant’s obligations as guarantor
  • the existing debt to Commonwealth Bank secured on the Narre Warren properties totalled approximately $240,000.
  • on the basis that the two properties had a market value of $770,000, the appellant’s equity was thus worth about $530,000 [11].

On 30 June 2015, the appellant signed a contract to Read the rest of this entry »