AT&T loses data from 109 million US customer accounts in illegal download

July 15, 2024

Another telco has suffered a data breach, according to the iTnews report AT&T says data from 109 million US customer accounts illegally downloaded. The pattern is very familiar: exfiltration of files via a weakness in the system over a few days. What is also

AI models using images of Australian children without their (meaning their parents’) consent

July 6, 2024

AI models and programs built on data about individuals, such as facial recognition technology, need vast troves of data to be effective. Hoovering up that data has been the business model of companies in those fields. The level of discrimination has been low and respect for the privacy of those whose data is used has generally been non-existent. This is highlighted in an ABC piece The world’s biggest AI models were trained using images of Australian kids, and their families had no idea.

The genesis of the ABC story is a report by Human Rights Watch titled Australia: Children’s Personal Photos Misused to Power AI Tools.

The article provides:

In short:

Images of Australian children were found in a dataset called LAION-5B, which is used to train AI.

The images have since been removed from the dataset, but AI models are unable to forget the material they’re trained on, so it’s still possible for them to reproduce elements of those images, including faces, in their outputs.

What’s next?

The federal government is expected to unveil proposed changes to the privacy act next month, including specific protections for children online.


Australian Government signals that small business exemption will be retained in any Privacy Act amendment

July 3, 2024

Privacy reform is no easy task in Australia, even when the need is clear. The Australian, in Privacy relief set for small business, reports that the small business exemption will likely be retained in any amendments to the Privacy Act. The Government says it will introduce a Bill in the August session of Parliament. The story relies on “sources” informing the reporter. It is a classic informal signalling of intention by the Government without it making any announcement, a tried and true method of setting the agenda and dealing with possible unwelcome commentary before the bill is introduced. It is all about politics, nothing about policy.

The retention of the small business exemption is a retrograde step. It makes little legal and policy sense. The volume of data collected and the impact of a data breach or other interference with privacy are not related to the size of an organisation. An arbitrary cut-off of a $3 million turnover determining whether an organisation is required to comply with the Privacy Act never made much sense when introduced. It makes less sense now, given that a “small business” can collect and use more data than an organisation covered by the Act. Exposure depends far more on the type of business and its emphasis on data collection.

In its massive three-volume report, For Your Information, the Australian Law Reform Commission specifically recommended removing the small business exemption. In its executive report it stated:

The ALRC recommends that the number of exemptions be reduced—in particular, the existing exemptions for small business, employee records and registered political parties should be removed.

and

The small business exemption

When the provisions of the Privacy Act were extended to cover the private sector in December 2000, an exemption was granted to small businesses (including not-for-profit organisations) with an annual turnover of $3 million or less.[11] The exemption was explained, at that time, by the desire to achieve widespread acceptance for privacy regulation from the private sector, and a reluctance to impose additional compliance burdens on small businesses.

No other comparable jurisdiction in the world exempts small businesses from the general privacy law—and the European Union specifically has cited this unusual exemption as a major obstacle to Australia being granted ‘adequacy’ status under the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the EU Directive).[12]

The business community argued strongly for the retention of the exemption, primarily on the basis of the cost of compliance. However, almost all other stakeholders supported removal of the exemption arguing that there is no compelling justification for a blanket exemption for small businesses, as consumers have the right to expect that their personal information will be treated in accordance with the privacy principles.

The ALRC recommends that this exemption be removed. This would bring Australian privacy laws into line with laws in similar jurisdictions, such as the United Kingdom (UK), Canada and New Zealand, and could facilitate trade by helping to ensure that Australia’s privacy laws are recognised as ‘adequate’ by the European Union. The removal of the small business exemption would have the additional benefits of simplifying the law and removing uncertainty for many small businesses that have difficulty establishing whether they are required to comply with the Privacy Act.

The ALRC appreciates that the removal of the small business exemption will have cost implications for the sector—although nowhere near as great as is sometimes predicted.[13] An independent research study commissioned by the ALRC indicated that a lower proportion of organisations will be affected—since not all small businesses collect personal information from customers—and the costs should be considerably more modest—about $225 in start-up costs and $301 per year thereafter for each small business—than the predicted $842 and $924 per year respectively cited in the Office of Small Business costing.[14] Further, the ALRC is confident that additional savings will be achieved by the substantial simplification and harmonisation of privacy laws recommended in this Report.

Nevertheless, the ALRC remains attentive to the economic concerns of small business owners, and recommends a number of other initiatives aimed at supporting small businesses and minimising the compliance burden. Before the exemption is removed, the OPC should provide support to small businesses to assist them in understanding and fulfilling their obligations under the Privacy Act. This should include a national hotline for small businesses, education materials and templates to assist in preparing privacy policies.

If anything, the need to remove the exemption now is greater than it was

Another report on Australian police improperly accessing databases, affecting more than 2,000 people. Quelle surprise.

June 28, 2024

The Guardian has undertaken an investigation of police misusing databases in Revealed: Australian police accused of improperly accessing force databases more than 2,000 times.

The story makes for depressing reading, but it is nothing that I have not written about for years. The controls remain ineffective and the consequences for misusing this data are inadequate.

The article provides:

Advocates say complaints about unauthorised access of police databases may be ‘tip of the iceberg’ – and are particularly worried about cases involving family violence

Fran* noticed her son-in-law’s behaviour was escalating. She says he was increasingly controlling of her daughter Sarah’s* life – monitoring her finances and being verbally abusive.

The three were all living together and the situation felt particularly risky because he was a police officer. He had surveillance skills and access to information that seemed to give him a sense of power, and he held it over their heads.

This blew up after Simon*, a family friend, started pushing back on her son-in-law’s conduct. Simon called “a spade a spade”, Fran says, and he wouldn’t back down.


Information Commissioner publishes concise statement in its civil penalty proceeding against Medibank Private

June 18, 2024

Yesterday the Australian Information Commissioner published its Concise Statement in its civil penalty proceeding against Medibank Private. It has been reported by the ABC under the heading “The absence of multi-factor authentication led to the Medibank hack, regulator alleges.” The story has also been covered by the Guardian in Medibank’s lack of multi-factor authentication allowed hackers to infiltrate systems, regulator alleges.

The Commissioner has listed Important Facts as being:

  • For the financial years ending 30 June 2021, 2022 and 2023, Medibank generated revenue of approximately $6.9 billion, $7.1 billion and $7.1 billion and annual profit before tax of $632.3 million, $560 million and $727.1 million respectively.
  • As at 30 June 2022, Medibank employed approximately 3,291 full-time employees.
  • The personal information collected and held by Medibank included:
    • names,
    • dates of birth,
    • home addresses,
    • phone numbers,
    • email addresses,
    • employment details,
    • passport numbers,
    • Medicare numbers,
    • financial information, and
    • sensitive information about customers’:
      • race and ethnicity,
      • illnesses,
      • disabilities or injuries, and
      • health services.
  • Prior to 7 August 2022 an IT Service Desk Operator who was an employee of a Medibank contractor had access to a Medibank Admin Account using his Medibank Credentials.
  • The IT Service Desk Operator saved his Medibank username and password (the Medibank Credentials) to his personal internet browser profile on his work computer. When he subsequently signed into his internet browser profile on his personal computer, the Medibank Credentials were synced across to his personal computer.
  • The Admin Account had access to most (if not all) of Medibank’s systems, including:
    • network drives,
    • management consoles, and
    • remote desktop access to jump box servers (used to access certain Medibank directories and databases).
  • On or about 7 August 2022 the Medibank Credentials were stolen from the IT Service Desk Operator’s personal computer by a threat actor (commonly known as a hacker) using a variant of malware which is known to the parties but not publicly disclosed.
  • On 12 August 2022 the hacker logged onto Medibank’s Microsoft Exchange server and tested the Medibank Credentials for the Admin Account.
  • On or around 23 August 2022 the hacker authenticated and logged onto Medibank’s “Global Protect” Virtual Private Network (VPN) solution (which controlled remote access to the Medibank corporate network) and began typing malicious script.
  • The hacker was able to authenticate and log onto Medibank’s Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required.
  • On 25 and 25 August 2022 Medibank’s Endpoint Detection and Response (EDR) security software sent alerts about the hacker’s activities to a Medibank IT Security Operations email address. These alerts were not appropriately triaged or escalated by either Medibank or its service provider, Orro, at that time.
  • From 25 August 2022 until around 13 October 2022 the hacker used the Medibank Credentials to access numerous Medibank IT systems and exfiltrated 520 gigabytes of data, including names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information and claims data (such as patient names, provider names, primary/secondary diagnosis and procedure codes, and treatment dates).
  • On 11 October 2022, Medibank:
    • triaged a high severity incident for an alert that identified modification of files needed to exploit the “ProxyNotShell” vulnerability, and
    • engaged Threat Intelligence, its existing digital forensics and incident response partner, to perform an incident response investigation.
  • Until at least 16 October 2022, when a Threat Intelligence analyst noted that a series of suspicious volumes of data had been exfiltrated out of Medibank’s network, Medibank was not aware that customer data had been accessed.
  • On 19 and 22 October 2022 respectively, Medibank was contacted by the hacker and provided with files containing sample data that had been exfiltrated from Medibank’s systems.
  • Between 9 November 2022 and 1 December 2022, the hacker published data exfiltrated during the data breach on the dark web.
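The VPN point above is the one worth dwelling on: an access policy where a device certificate or a password alone is sufficient means a password synced out through a browser profile is, by itself, a working remote-access key. The following Python is an added defender-side illustration (not code from the Concise Statement, Medibank or the VPN vendor) that replays constructed authentication records against that weak policy and against a hardened one requiring password, managed-device certificate and a second factor together; the log field names, user names and sample values are assumptions.

```python
"""Compare a password-or-certificate VPN policy with a hardened policy over
constructed authentication records. Sample records are constructed, not real
GlobalProtect logs, and the key=value field names are an assumption."""
from dataclasses import dataclass

# Constructed sample records (not real logs); five logins, one of which
# presented all three factors.
SAMPLE_LOG = """\
ts=2022-08-23T02:11:09Z user=svc-admin src=203.0.113.7 factors=password result=allow
ts=2022-08-23T02:12:40Z user=svc-admin src=203.0.113.7 factors=password result=allow
ts=2022-08-24T09:03:11Z user=jdoe src=198.51.100.4 factors=password,device_cert result=allow
ts=2022-08-24T09:05:52Z user=asmith src=198.51.100.9 factors=password,device_cert,otp result=allow
ts=2022-08-24T11:17:30Z user=mobile-01 src=192.0.2.21 factors=device_cert result=allow
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    user: str
    src: str
    factors: frozenset


def parse_log(text):
    """Parse key=value records into AuthEvent objects; factors is a set."""
    events = []
    for line in text.splitlines():
        kv = dict(part.split("=", 1) for part in line.split())
        events.append(AuthEvent(kv["ts"], kv["user"], kv["src"],
                                frozenset(kv["factors"].split(","))))
    return events


def weak_policy(factors):
    """Policy as the Concise Statement describes it: a device certificate
    alone, or a username and password alone, is enough to get in."""
    return "device_cert" in factors or "password" in factors


def hardened_policy(factors):
    """Something you know, a managed device, and a second factor that does
    not travel with a browser profile; all three are required."""
    return {"password", "device_cert", "otp"} <= factors


def sessions_admitted_only_by_weak_policy(events):
    """Logins the weak policy admitted that the hardened policy would reject:
    the population a stolen credential can hide in."""
    return [(e.user, e.ts) for e in events
            if weak_policy(e.factors) and not hardened_policy(e.factors)]


def password_only_users(events):
    """Users who ever authenticated with nothing but a password, i.e. exactly
    what a credential lifted from a personal machine can reproduce."""
    return sorted({e.user for e in events if e.factors == {"password"}})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ts in sessions_admitted_only_by_weak_policy(evs):
        print(f"{ts} {user}: admitted under weak policy, rejected under hardened")
    print("password-only users:", password_only_users(evs))
```

Running the same comparison over real VPN authentication logs before enforcing the hardened policy shows which accounts and devices would be locked out, which is the enrolment backlog an MFA rollout has to clear first.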


Cyber attack on London hospitals by Russian crime group impacts delivery of blood transfusions

June 13, 2024

The health industry is a prime and consistent target for cyber attacks as well as more analog data breaches, as I have posted many times in the past. A recent attack by Russian crime groups on London hospitals, in particular King’s College Hospital, Guy’s and St Thomas’ and Synnovis, a pathology services firm, has had a catastrophic impact on their operations. The damage has been so severe that the NHS has called for O-type blood donations because the cyber attack has meant that the hospitals cannot match patients’ blood. This is against a backdrop where the Norfolk and Norwich University Hospitals NHS Foundation Trust paid out 47,000 pounds in compensation for data breaches between 2020 and 2023. Last year NHS trusts were discovered sharing patient data with Facebook without consent.

The problem has become so endemic in the UK that the Information Commissioner issued a press release on 10 May 2024 titled Organisations must do more to combat the growing threat of cyber attacks.

There is no reason to believe the situation is any better in Australia; the recent massive data breaches at Optus and Medibank Private highlight that inadequate data security and the pervasiveness of cyber attacks are an international problem.

The Commissioner’s press release

MediSecure placed in administration, weeks after data breach

June 6, 2024

The cost of remedial work after a data breach has always been significant and sometimes extreme. Those costs typically start with bringing in cyber security experts and other IT people to locate the malware and find the point of ingress. Then there is repair work to be done; there may be significant damage to systems. Then there is the cost of assessing the damage and determining what has been stolen, and of reconstructing files. There are the notification obligations and the prudent steps to advise clients of what has happened, which involves PR and human resources staff. Then there are the potential legal issues, sometimes involving the regulator, sometimes a class action, and sometimes getting advice. And the costs continue. In the United States in 2023 the average cost of a data breach was $4.45 million according to Ponemon. The average cost of a data breach in the Middle East was $8.07 million, in Canada it was $5.13 million, in Germany $4.67 million, and in Japan $4.52 million. These figures are almost certainly understatements: there is significant under-reporting and not all expenses are included in the calculations. CEOs and CFOs are invariably shocked by the initial cost and the ongoing costs of dealing with a data breach. The phrase a “spoonful of prevention is worth a pound of cure” is apt. In my experience that rarely happens. Organisations often keep the C-suite as far away from IT and cyber security operations as possible. Even CIOs focus on data collection and impressive homepages. Having a comprehensive data security system is a secondary concern. And often there is no data breach response plan.

A cost often not properly considered is the reputational damage to an organisation and the consequential loss of market. To highlight that: MediSecure suffered a data breach a few weeks ago. It has now appointed an administrator after its attempts to have the Federal Government bail it out failed. The ABC has covered the story, stating:

The health company at the centre of a recent cyber attack has gone into administration, just weeks after it asked the federal government for a bailout.

National cyber security coordinator Michelle McGuinness says the Australian Federal Police is also looking into the breach.

Some of the information stolen, including patient data relating to scripts and the personal information of healthcare providers, is now on the dark web for sale. The dark web is only accessible via specialised web browsers and is often used to sell illegal items, including stolen data.

GhostR claims it has stolen data from Australian logistics company Victorian Freight Specialists

June 5, 2024

These days hackers are quite sophisticated in announcing successful attacks. Often that is done via forums on the dark web. And so GhostR, a financially motivated hacker group, claims to have stolen data from Australian logistics company Victorian Freight Specialists. There has been nary a word from Victorian Freight Specialists. That does not mean Victorian Freight are being especially clever or that this is part of its strategy. More often than not companies have no data breach response plan. GhostR claims to have breached the company on 26 May and taken 846 gigabytes of company data. Sample data appears to include internal data taken from an SQL database and screenshots of logon screens. Information Security Media Group could not immediately verify the legitimacy of the data. The company website appeared to briefly go dark, although it is currently working. Victorian Freight Specialists did not immediately respond to a request for comment.

GhostR only recently threatened to

Office of the Information Commissioner commences civil penalty proceedings against Medibank today

The Australian Information Commissioner has issued civil penalty proceedings against Medibank Private Limited arising from the massive October 2022 data breach. That is 20 months after the breach. This adds to Medibank’s litigation arising from that data breach: there is also a class action in the Federal Court against Medibank, Zoe Lee McClure v Medibank Private Limited (ACN 080 890 259), and it is also subject to a representative complaint.

Medibank did not issue a press release, but it did release a notice to the Australian Stock Exchange stating:

Medibank advises that the Australian Information Commissioner has today commenced civil penalty proceedings against Medibank in the Federal Court of Australia in connection with the 2022 cybercrime event.

The proceedings relate to the Commissioner’s own investigation into the 2022 cybercrime event. The Commissioner alleges that Medibank breached Australian Privacy Principle 11.1.

Medibank intends to defend the proceedings.

The Commissioner’s press release provides:

The Australian Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to its October 2022 data breach.

The Commissioner alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.

The proceedings follow an investigation initiated by Australian Information Commissioner Angelene Falk after Medibank was the subject of a cyber attack in which one or more threat actors accessed the personal information of millions of current and former customers, which was subsequently released on the dark web.

Australian Information Commissioner announces a notification of MediSecure data breach

May 21, 2024

It is hardly a surprise that MediSecure would make a notification under the mandatory data breach notification provisions of the Privacy Act 1988. It is a very significant data breach involving very sensitive information. Today the Information Commissioner’s Office announced a preliminary inquiry.

It is interesting that the Privacy Commissioner has used this statement to call for reform of privacy laws. That is topical given the Government has announced that it will introduce a Bill into Parliament in August. By making something more than an anodyne statement the Privacy Commissioner has done something quite new.

The statement provides:

The Office of the Australian Information Commissioner (OAIC) has been notified of the data breach involving MediSecure.

The National Cyber Security Coordinator is working with agencies across the Australian Government, states and territories to coordinate a whole-of-government response to this incident. The OAIC is actively engaging and collaborating with other agencies in this process, with a particular focus on the privacy of individuals and their personal information.
