Major data breach at the University of Tasmania

September 22, 2020

After the major data breach at the Australian National University, which was probably caused by interference by a state actor, one would have thought universities in Australia would review their data security practices, do some stress testing and monitor access points to their databases.  Maybe some did, but it is certain that the University of Tasmania didn’t.  Or, if it did, not worth a damn.  The Australian, in Serious data breach hits 20,000 Uni of Tasmania students, prompting credit, privacy concerns, reports on a very serious data breach in which the personal information of 19,900 students, including their ethnicity, any disabilities and their results, was exposed.  The information was accessible to other students between 27 February and 11 August 2020.  Unlike the data breach at the Australian National University (see my post here), which involved a sophisticated cyber attack by a foreign player, the source of this breach was misconfigured settings on the university’s SharePoint database.

It is interesting, and raises more than a few questions, why the University waited from 11 August, when the data breach was discovered, until 21 September, when it was made public and students were notified.  It is longer than the Read the rest of this entry »

The Commonwealth Government releases the exposure draft of the Data Availability and Transparency Bill 2020

September 17, 2020

Yesterday the Australian Government released a Consultation Paper with the exposure draft of the Data Availability and Transparency Bill 2020 (the “DAT Bill”).

The Consultation Paper is a mere 33 pages.  The exposure draft of the DAT Bill comes in at 104 pages with the explanatory memorandum coming in at a relatively slender 74 pages.  The enactment of the DAT Bill will give rise to consequential amendments which are found in the Data Availability and Transparency (Consequential Amendments) Bill 2020 and accompanying explanatory memorandum.

The consultation period, for comments and submissions, closes at 5pm on 6 November 2020.  Given the breadth and depth of the DAT Bill, that is quite a short time frame in the age of COVID.

The road has been smoothed for the introduction of this quite radical, on one view, and transformative, on another, change to the usage of data collected by public agencies.  The interim National Data Commissioner has framed the proposal, in her press release Modernising government data sharing, in terms of being Read the rest of this entry »

Zhenhua Data leak of the personal information of 35,000 Australians.

September 15, 2020

The collection and analysis of vast amounts of personal information is hugely valuable to business, politics and public administration.  It has been described as the twenty-first century equivalent of what oil was to the twentieth century.  It has revolutionised the way business is done and services are provided, for profit and otherwise.  Personal information also has more dystopian uses, such as surveillance by states and use as part of a cyber campaign.

China is at the forefront of the cyber triaphilia: a keenness bordering on obsession with surveillance, a proficiency in cyber attacks and, finally, a willingness and often a desire to interfere with other states’ activities, or at least with individuals in those states.

Zhenhua Data is a company whose main clients are the Chinese Communist Party and the People’s Liberation Army.  That is neither here nor there, except that the ABC reports, in Chinese database collects information on thousands of Australians, from PMs to pop stars, that it had built up a database of 35,000 Australians, according to a leak of 2.4 million entries from Zhenhua Data.  The database seems to have been built from publicly available information but also from sources that would normally keep that information private.

There has been much hand-wringing as to why a Chinese data firm would collect information about a disparate group of people who seemingly have little to do with each other beyond being public figures to a greater or lesser degree.  The answer is quite straightforward.  Most governments Read the rest of this entry »

Australian Information Commissioner v Facebook Inc; Federal Court rejects application to set aside ruling granting the Commissioner leave to serve process on the US-based Facebook

September 14, 2020

The Federal Court today dismissed an application by Facebook against a previous ruling granting the Australian Information Commissioner leave to serve legal documents on Facebook USA.

The issue in the application was Facebook’s contention that it did not carry on business in Australia.

The terms of the application and the supporting affidavit are not publicly searchable, yet. The hearing took place on 6 May 2020.

The orders of Justice Thawley are:

  1. The interlocutory application dated 6 May 2020 be dismissed.
  2. The written reasons for judgment not be published beyond the parties until further order.
  3. The parties have until 12 pm on 16 September 2020 to advise the Court of any orders for redactions sought, together with a concise written explanation as to why those redactions ought be made.
  4. Unless any party applies within 7 days for a different order with respect to costs, the first respondent pay the applicant’s costs of the interlocutory application.

The Commissioner had a restrained Read the rest of this entry »

ASIC commences action against RI Advice Group Pty Ltd for failing to have adequate cyber security

August 22, 2020

Today the Australian Securities and Investments Commission (“ASIC”) commenced proceedings against RI Advice Group Pty Ltd (“RI”).  The proceeding was filed in the Federal Court’s Victorian Registry.

RI holds an Australian financial services licence and at all relevant times was a wholly owned subsidiary of the Australia and New Zealand Banking Group Limited (the ANZ).

According to the Concise Statement:

  • on 3 January or 3 March 2017 RI became aware of a 2016 ransomware attack on the computer systems of one of RI’s authorised representatives, which made files inaccessible [5];
  • on 30 May 2017 RI became aware that another authorised representative’s files had been hacked, affecting 226 client groups [6].

ASIC alleges that in relation to each of those incidents RI should have but failed to:

 (a) properly review the effectiveness of cybersecurity controls relevant to these incidents across its AR network, including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls; and (b) ensure that those controls were remediated across its AR network where necessary in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.

  • between 30 December 2017 and 15 April 2018 an unknown malicious agent obtained and retained remote access to an authorised representative’s file server and spent 155 hours accessing sensitive client information.  As a result, 27 clients reported unauthorised use of their personal information, including 3 attempts to redirect mail and multiple bank accounts being opened without consent.  The Australian Information Commissioner was notified.  An investigation revealed that 8,104 individuals were exposed to the breach.

ASIC alleges that the risk management systems and resourcing relating to cybersecurity and cyber resilience were inadequate Read the rest of this entry »

Android handsets track users’ movements and send information to Google…even when location history is turned off

August 18, 2020

Stories about Google knowing more about its users than the users themselves are so ubiquitous, like Google, that they rarely make their way onto the back page of a paper, let alone the front page.  What is more concerning and noteworthy is the recent run of stories of social media platforms, like Facebook, and data collecting companies, like Google, collecting and using data contrary to the settings that are supposed to control it.  The Australian reports on the latest example of this egregious behaviour in Google knows your every move even with ‘location history’ off.  In short, Google is tracking a phone’s movements even when the settings to protect privacy are activated.  This was determined through a test in which software was installed to detect (described as tapping) data being sent to Google, and the data stream was identified.  The nub of the problem is that the use of the data went beyond what had been consented to, with that data being sold by brokers to police forces, governments and spy agencies.  The data collected includes Read the rest of this entry »

Australian Competition & Consumer Commission sues Google for misleading and deceptive conduct… but it really is a breach of data privacy case

July 27, 2020

Last Friday the Australian Competition & Consumer Commission (“ACCC”) announced that it has commenced proceedings against Google LLC alleging misleading and deceptive conduct in failing to inform consumers, and obtain their informed consent, from 2016 that it was combining their personal information in Google accounts with information gleaned from their activities on non-Google sites which use Google technology.  The ACCC also alleges that Google misled consumers about changes to its privacy policy.

The ACCC has not released the concise statement and the case has not appeared on the Federal Court website as yet.  It is interesting, and something of a relief, that the ACCC is stepping up and taking on privacy-related cases instead of the Australian Information Commissioner.  Unfortunately the Commissioner has a lamentable track record in enforcing privacy breaches, particularly in the Federal Court.

The nature of the case as described by the ACCC seems to follow a tried and true approach used by the Federal Trade Commission in the United States, attacking privacy and data breaches through breaches of contractual terms or misleading and deceptive conduct.  It is also an approach that the Federal Court is more comfortable with.  To date the Federal Court has produced judgments that betray a bewildering befuddlement regarding privacy principles; namely Read the rest of this entry »

Consumer Data Right effective today

July 1, 2020

1 July 2020 marks the commencement of the Consumer Data Right.  Under the legislation consumers can request their banks to share data for deposit and transaction accounts as well as credit and debit cards.  As of today there are two accredited data recipients; a further 39 providers have started the accreditation process.  Data from home, personal and investment loans and joint accounts will commence on 1 November.

The regulatory structure is interesting.  There are two regulators who will be responsible for regulation, the ACCC and the OAIC.  They come from two ends of the spectrum.  The ACCC is a good regulator by Australian standards while the OAIC is a dreadful regulator by any standards.  The ACCC is run by a thoughtful and insightful chairman; I can’t recall who runs the OAIC.  The Compliance and Enforcement Policy is Read the rest of this entry »

Cyber attack at BlueScope Steel and MyBudget highlights a chronic problem facing businesses, particularly those with poor privacy protocols

May 16, 2020

This year has seen some major cyber attacks which have crippled businesses.  On 31 January 2020 Toll Transport’s systems were infected with ransomware, a variant of Mailto (also known as Netwalker).  It operates by encrypting all the common file types outside the operating system, rendering the files unusable.  That meant Toll couldn’t perform its core service, delivery.

Mailto is usually spread through a malicious email attachment, but it can also spread through stolen user credentials or a brute-force attack on username and password combinations.  In an email attack, Mailto activates its infected payload through what appears to be a legitimate file.  The emails are commonly sent from a domain with a high reputation, and sometimes from compromised email accounts.  These forms of attack easily Read the rest of this entry »

Privacy Amendment (Public Health Contact Information) Bill 2020 passed the Federal Parliament

May 15, 2020

The Privacy Amendment (Public Health Contact Information) Bill 2020 passed the Senate yesterday without any amendment to the Bill passed by the House of Representatives.  The amendments proposed by Senator McKim and Senator Patrick were not accepted.

The bill, soon to be an Act, can be found here.  The explanatory memorandum can be found here.

The passage of the bill is covered by itnews in Read the rest of this entry »