Another instalment in the HWL Ebsworth data breach: this time highly sensitive Victorian government files have been leaked. The firm has finally provided an update and will provide further updates every Thursday at noon.

July 17, 2023

HWL Ebsworth’s woes continue with another announcement of what documents were stolen. This time it is Victorian Government files, according to ‘Highly sensitive’ Victorian government files leaked online by HWL Ebsworth law firm hackers. Not to be outdone, Queensland also says its files were taken in the data breach. Meanwhile the Fair Work Ombudsman has released a statement.

The statement provides:

On 8 May 2023, national law firm HWL Ebsworth reported a cyber incident involving a data breach and possible unauthorised disclosure of personal information to the dark web.

Documents relating to a limited number of our (the Fair Work Ombudsman’s) files were included in the breach experienced by HWL Ebsworth.

Importantly, none of our systems have been compromised by the cyber incident.

We’re working with HWL Ebsworth to ensure individuals affected by the data breach are notified as a priority. Support and assistance will be provided to these individuals.

The Department of Home Affairs is investigating the extent of the breach, including exposure of the Australian Government’s information including personal information.

We’re also working with HWL Ebsworth to understand what information of ours may have been disclosed. We take our obligations under the Privacy Act 1988 seriously and we’re committed to ensuring appropriate systems are in place to maintain the privacy and the protection of personal information.

HWL Ebsworth released a statement on Friday. It has finally adopted a sensible approach in dealing with the public, especially those affected or just concerned. To date the firm has been secretive and inward looking. That is entirely the wrong approach. But then again, having a cyber security system that failed to detect the wholesale theft of data by a hacker using one person’s authorisation shows that Ebsworth has a long way to go in getting its cyber house in order.

The statement is clearly curated by a cyber Read the rest of this entry »

Legislative Council of New South Wales Parliament commences inquiry into Artificial Intelligence

June 30, 2023

Along with the Federal Government the New South Wales Parliament has commenced an inquiry into Artificial Intelligence.

The terms of reference Read the rest of this entry »

Cyber Security Agency of Singapore releases Cyber Landscape report for 2022. Phishing and ransomware continue to pose problems

June 28, 2023

The Singapore Cyber Security Agency has released its Cyber Landscape Report. The results are hardly surprising. Phishing and ransomware are chronic problems. They are growing in both volume and intensity.

The report’s findings provide:

Key Malicious Cyber Activities in 2022

1. Phishing. There were around 8,500 phishing attempts reported to the Singapore Cyber Emergency Response Team (SingCERT) in 2022, more than double the 3,100 cases handled in 2021. More than 50 per cent of reported cases involved URLs ending with “.xyz” – a popular top-level domain (TLD) among threat actors given its low cost and limited restrictions on usage. The average length of reported phishing links decreased by almost half, suggesting that threat actors are using URL shortener services more frequently to mask their malicious intent and track the click-through rate of their phishing campaigns. The most commonly spoofed sectors were Banking and Financial Services, Government and Logistics. More than 80 per cent of reported phishing sites masqueraded as entities within the Banking and Financial Services sector. They are often targets of phishing attacks as they are trusted institutions which hold sensitive and valuable information such as personal details and login credentials. Overall, the increase in reported phishing attempts mirrored global trends, with multiple cybersecurity vendors observing that phishing activities grew substantially in 2022. In all, SingCERT facilitated the takedown of 2,918 malicious phishing sites in 2022.
2. Ransomware incidents. Ransomware remains a major issue both in Singapore and globally, with cybersecurity vendors reporting a 13 per cent increase in ransomware incidents worldwide in 2022. In Singapore, the number of reported ransomware cases saw a slight decrease with 132 cases reported to CSA in 2022, compared to the 137 cases reported in 2021. The cases affected mostly Small-and-Medium Enterprises (SMEs) from sectors such as manufacturing and retail, as they may hold valuable data as well as Intellectual Property (IP), which cybercriminals often seek to extort and monetise for financial gain. Many such firms also lack dedicated resources to counter cyber threats.
3. Infected Infrastructure. In 2022, CSA observed 81,500 infected systems in Singapore, a decrease of 13 per cent from 94,000 in 2021. Despite a sharp growth of infected infrastructure observed worldwide, Singapore’s global share of infected infrastructure fell from 0.84 per cent in 2021 to 0.34 per cent in 2022. While this decrease in infected infrastructure in Singapore points to an improvement in cyber hygiene levels, the absolute number of infected systems in Singapore remains high. The top three malware infections on locally-hosted C&C servers were Cobalt Strike, Emotet and Guloader, while Gamarue, Nymaim and Mirai were the top three malware found on locally-hosted botnet drones, accounting for nearly 80% of Singapore IP addresses infected by malware in 2022.
4. Website Defacements. 340 ‘.sg’ websites were defaced in 2022, a decrease of 19 per cent from 419 in 2021. Most victims were SMEs. The downward trend could be attributed to hacktivist activities moving to other platforms with potentially wider reach, such as social media. In general, a downward trend in global website defacements was observed – with the exception of Ukraine and Russia, which have seen hacktivist activities spike amidst the ongoing conflict, including the defacement of more than 70 Ukrainian government websites just before hostilities broke out.

Read the rest of this entry »

Federal Government appoints inaugural National Cyber Security Coordinator

In the 1980s it was fashionable in the American federal government to create tsars. The term signified that they were doing something important and had enhanced powers. There were drug tsars and education tsars. The terminology was a bit unfortunate. Tsars historically had a habit of coming unstuck in horrible ways. Nothing like that happened in America, but not much was done either. Australia is not nearly so grandiose. In Australia the tradition is to appoint directors or co-ordinators. In that tradition the Government has announced the appointment of Air Marshal Darren Goldie AM CSC as the inaugural National Cyber Security Coordinator. The position is administrative. It is probably a good idea; however, the real need for improvement in cyber security is at the ground level, with organisations and agencies applying fit-for-purpose programs, keeping them up to date and training staff to avoid making the mistakes that lead to a data breach. Not nearly enough of that is being done.

The media release Read the rest of this entry »

The continuing ripples from the HWL Ebsworth data breach; NAB bank data leaked online

June 20, 2023

Large data breaches are rarely resolved quickly. That is why I am so surprised that organisations with the means and structures are so complacent with their data security. The focus is minimal compliance rather than security that is fit for purpose. The HWL data breach will be a long and excruciating process. The latest development is that data belonging to NAB has been found online. See the Australian’s story NAB the latest to be confirmed as victim of HWL Ebsworth hack, with bank data leaking online. Beyond the revelation that NAB has been affected, the article itself is something of a reheating of earlier reporting.

NAB has been motivated to issue a statement which provides:

“We are aware that HWL Ebsworth, a law firm engaged by NAB for some legal services, has been impacted by a cyber-attack. NAB’s systems were not impacted and remain secure. We are working with HWLE as they continue to get more information in relation to the content of these matters.”

There will be more statements like this from affected HWL Ebsworth clients (or ex-clients).

Based on the limited information provided to date, it appears that the transfer of documentation from clients to the firm was not through access provided to the firm, as often happens with third-party service providers working with an entity. In those circumstances the danger is that the initial hack gives rise to another hack, as permissions and authorisations are stolen and used to access the other organisation. Here HWL Ebsworth and its clients probably adopted the more traditional, and logical, means of transferring documents. The clients provided Read the rest of this entry »

The HWL Ebsworth data breach; the ripple effect. Its government clients set up working groups to sort through the rubble and work out what happens next

June 16, 2023


With large organisations, firms and government bodies, the data that is compromised often belongs to third parties such as clients or other organisations. With law firms that involves information provided as necessary to permit advice work or litigation. And so it is with the HWL Ebsworth data breach, which has led to the inevitable round two of the data breach: the clients of the firm doing damage assessments of what has happened to their data. The Australian reports in Fears government data has been stolen by cyber criminals grow as law firm’s clients are revealed that government departments have set up committees to determine the extent of the damage. And not before time. Black Cat has not released two-thirds of the data it exfiltrated. That is likely to happen at the most inopportune time, given HWL Ebsworth has stated it will not pay a ransom.

The Australian article provides:

The Albanese government has established a crisis group to examine what commonwealth data has been stolen by Russian-linked hackers who infiltrated the systems of HWL Ebsworth, the giant law firm that has tens of millions of dollars of contracts across at least 40 government departments and agencies. Read the rest of this entry »

To pay or not to pay ransomware hackers: the Government says no pay and the Business Council says provide a safe harbour

June 9, 2023

Verizon’s 2023 Data Breach Investigations Report finds that ransomware was tied to 16% of all data breaches. That is double the figure in last year’s report, and ransomware continued to be a factor in 24% of all data breaches. Interestingly, in 93% of security incidents involving ransomware, victims reported no financial losses, at least based on information submitted to the FBI. The remaining 7% of victims reported a median loss of $26,000. That was double what victims reported two years prior.

The overall costs of recovering from a ransomware incident are increasing while the ransom payouts are lower. This is due to the increase of automation and efficiency of ransomware operators.

The question of paying a ransom is vexed. Ransoms are paid, and more often than observers think. Sometimes the hackers abide by the agreement and provide the key which unlocks the data. Sometimes the hackers behave like the criminals they are: they take the ransom, provide no key and in fact release the data they exfiltrated from the site, if that was part of the data breach. Some provide the keys, but upon unlocking the owner finds the ransomware program has damaged the data. Regulators generally advise against paying ransoms but acknowledge that it is a reality.

The Australian Government is considering making ransomware payments illegal. This has been met with some push back from cyber insurers. The Business Council of Australia has called for a safe harbour. This has been reported by the Australian Financial Review at Businesses call for ‘safe harbour’ during major cyber incidents.

The BCA Read the rest of this entry »

Real Estate Institute of Australia calls for retention of small business exemption in Privacy Act review. Nothing particularly new in the complaints

May 20, 2023

The small business exemption is a real weakness in the Privacy Act. The exemption applies to businesses with a turnover of $3 million or less. It was included in the amendments which brought the private sector under the regulation of the Privacy Act in 2001. The rationale for the exemption was not legal. Far from it. The stated reason was a concern about regulatory burden and the cost of compliance. Given other universal regulatory obligations at the time and since, exempting small business operators from keeping records secure and not interfering with customers’ privacy was poor public policy. It remains so. In 2001 the volume of data held by the typical small business was modest compared with now. As the cost of storing data decreases and the speed of processing increases, coupled with programs to analyse data, small businesses are as enthusiastic in collecting and analysing personal information as their larger counterparts. It is not hard to set up loyalty schemes and email lists. Or they just want the information, full stop. Real estate agents are, generally speaking, voracious collectors of data. Of more concern is that many real estate agents collect more information than they need to deal with renters and to register the interest of potential purchasers. They have also been the subject of significant data breaches (see here, here, here, here and here).

It is then more than passing strange that the President of the Real Estate Institute of Australia, Hayden Groves, resists reform to the Privacy Act by removing the small business exemption, as reported in Real estate agents push back against Australian privacy law changes designed to protect personal data. The arguments encompass the original justification for the exemption, the cost of compliance, and then move on to a claim that other forms of regulation make coverage by the Privacy Act unnecessary. No details are provided. Of course. The additional cost complained of is not specified. There has never been Read the rest of this entry »

Commonwealth Attorney General announces the (re) creation of the Privacy Commissioner.

May 3, 2023

Today the Attorney General announced that the Government will create a stand-alone position of Privacy Commissioner. The statement provides:

The Albanese Government will appoint a standalone Privacy Commissioner to deal with the growing threats to data security and the increasing volume and complexity of privacy issues.

Australians rightly expect their privacy regulator to have the resources and powers to meet the ongoing challenges of the digital age and protect their personal information.

The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.

This action is in significant contrast to that of the former Liberal Government, which left Australia disgracefully unprepared for this challenge by failing to strengthen privacy laws, and scrapping the position of a standalone Privacy Commissioner.

The Albanese Government takes privacy regulation seriously and has already acted to significantly increase penalties for companies which fail to take adequate care of customer data and give the Australian Information Commissioner improved and new powers.

The Australian people rightly expect greater protections, transparency and control over their personal information and the appointment of the standalone Privacy Commissioner restores the Office of the Australian Information Commissioner to the three-Commissioner model Parliament originally intended.

Currently, the Australian Information Commissioner, Ms Angelene Falk, holds a dual appointment as the Privacy Commissioner. I thank Ms Falk for her dedicated service in this role since 2018. Ms Falk will remain Information Commissioner and head of the OAIC.

A merit-based selection process to fill the role of Privacy Commissioner will commence today. Ms Falk will continue as the Privacy Commissioner until this process is finalised.

Freedom of Information Commissioner

In light of the recent resignation of Mr Leo Hardiman PSM KC as Freedom of Information Commissioner, I am also pleased to announce that we have appointed Ms Toni Pirani as acting Freedom of Information Commissioner, effective 20 May 2023. I thank Mr Hardiman for his significant contribution and wish him well in his future endeavours.

Appointing an acting FOI Commissioner will ensure that the OAIC can continue to undertake its FOI functions until a permanent appointment is made.

A merit-based selection process to select the ongoing FOI Commissioner vacancy will also commence today.

Read the rest of this entry »

The Information Commissioner’s Office releases submission on the 2023 – 2030 Cyber Security Strategy

April 21, 2023

There is no shortage of discussion papers involving cyber security, privacy and data management at the moment. One of the most recent is the Department of Home Affairs 2023-2030 Australian Cyber Security Strategy Discussion Paper. It is not particularly long or detailed. Being a strategy, it focuses on high policy and directions rather than detailed amendment and analysis. The Information Commissioner has published Submission to 2023–2030 Cyber Security Strategy Discussion Paper.

The Commissioner’s submissions are consistent with one agency commenting on the power arrangements of other agencies: strong on administrative analysis and recommendations. The Commissioner’s key recommendation is that any strategy has to sync carefully with the amendments to the Privacy Act. The Commissioner also identifies the need for regulatory frameworks to work cohesively. Unfortunately in this area matters have gone rapidly from weak regulation to multiple Acts and agencies. It has been entirely reactive, after years of ignoring the threat of cyber attacks and failing to keep regulation up to date. The Commissioner is right to be concerned that, even with multiple agencies and pieces of legislation, they should cohere and avoid regulatory gaps. Better to have overlap than gaps. The Commissioner’s recommendation that she be permitted access to protected information in relation to matters involving data breaches is sensible, as is the recommendation to ensure that reporting of breaches is consistent across the board.

The key with any strategy is enforcement. There is little point having comprehensive regulation if the affected organisations and agencies ignore it because they know the regulators are timid and the penalties small. There has long been a cultural problem in Australia in putting time, effort and money into maintaining proper data protection, of both the analog and digital kind.

The Submission provides, Read the rest of this entry »