Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem

September 16, 2021

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

IT Governance calculates that in August there were 84 cyber attacks which resulted in 60,865,828 records being breached.  Of that number, T-Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual Threat Report for 2020 – 2021, which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could be, and probably is, higher.  Probably Read the rest of this entry »

Ben Stokes privacy action results in an apology by the UK Sun

August 30, 2021

On 17 September 2019 the Sun published a story about the murder-suicide of Ben Stokes’ mother’s ex-husband 31 years previously in New Zealand.  The story is no longer available online.  The murder was of his mother’s two children. This tragic event occurred before Ben Stokes, a prominent English cricketer, was born.  At the time Ben Stokes reacted furiously to the story, describing it as disgusting and immoral.  The Guardian ran a detailed piece, Ben Stokes attacks ‘despicable’ Sun story about family tragedy.  The next month Ben Stokes and his mother, Deborah, issued proceedings in the UK Court of Chancery.  The Particulars of Claim were served on 22 January 2020, with the Defence filed on 16 April 2020. 

The nub of the defence was that, first, the story about the murders had been covered by the New Zealand media and, secondly, the Sun had obtained an on-the-record interview with the family and had approached Ben Stokes for comment.

At the time, and subsequently, there was a lively debate about whether the report was an exercise of free expression and/or a legitimate story to report versus a breach of privacy.  On 18 September 2019 The Independent came out in support of the Sun.  At the time The Conversation, in Ben Stokes v The Sun: gross intrusion or simple reportage? How media privacy law works, highlighted some of the issues, such as whether a privacy claim can be brought when the information is in the public domain, and whether a claim can be made by a person when it relates to interrelated parties. 

There was no trial on the merits.  The Sun and Stokes settled on terms favourable to Stokes. The Stokes’ solicitors released a statement confirming Read the rest of this entry »

Biggest cryptocurrency hack involves $600 million stolen from Poly Network

August 12, 2021

Poly Network, a finance platform based in China which specialises in cryptocurrency transfers on the Binance, Ethereum and Polygon blockchains, has lost $600 million worth of cryptocurrency to a data breach.  The hacker exploited a vulnerability in the _executeCrossChainTx function between contract calls and was able to pass in data to modify the keeper of the EthCrossChainData contract.  That let the intruder declare themselves the owner of any funds processed through the platform. Clever.  It also shows that coding errors can be fatal and that part of cyber security should be taking steps to test and review code.

Using repeated calls to the attacked contract, the hacker was able to exfiltrate funds from the Poly Network and then transfer them Read the rest of this entry »

Class action settlements over privacy claims against Zoom and others show that taking privacy seriously makes good business and legal sense

Zoom has reached an $85 million settlement arising out of a lawsuit, IN RE: ZOOM VIDEO COMMUNICATIONS, INC. PRIVACY LITIGATION (5:20-cv-02155), which claimed it violated its clients’ privacy rights by sharing personal data with Facebook, Google and LinkedIn.  The claim also alleged that Zoom’s security practices were unsatisfactory as they let hackers into Zoom meetings.  That practice has become so notorious that it has a term, zoom bombing. There has been extensive coverage, with reports in itnews, ABC and the BBC.   The Reuters coverage provides Read the rest of this entry »

Red Canary releases 2021 Threat Detection Report while Thales releases its Data threat report for 2021

July 29, 2021

Red Canary has released its 122-page 2021 Threat Detection Report.  It is useful in identifying the most prevalent techniques and threats and considers the best ways to detect and mitigate specific threats and techniques. It is a highly technical document.

The top techniques are:

  • T1059 Command and Scripting Interpreter (24%)
  • T1218 Signed Binary Process Execution (19%)
  • T1543 Create and Modify System Process (16%)
  • T1053 Scheduled Task / Job (16%)
  • T1003 OS Credential Dumping (7%)
  • T1055 Process Injection (7%)
  • T1027 Obfuscated Files or Information (6%)
  • T1105 Ingress Tool Transfer (5%)
  • T1569 System Services (4%)
  • T1036 Masquerading (4%)

The report also noted:

  • Command-line parameters are by far the most efficacious for detecting potentially malicious PowerShell behavior
  • attackers use the Windows Command Shell by using cmd to call native commands and redirect the output of those commands to a file on the local admin share.
  • to detect adversaries it is necessary to focus on uncommon patterns of execution and on patterns of execution commonly associated with malice

It is a comprehensive report and worthy of a close read by not only technical operators but those who get involved with cyber security issues.
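To make the report’s detection advice concrete, the following is an added example (not from Red Canary or this blog) that scores process command lines for two of the patterns noted above: cmd.exe redirecting command output to a file on an admin share, and PowerShell launched with command-line switches commonly seen in suspicious use. The choice of switches, their weights and the alert threshold are this example’s own assumptions, and the sample command lines are constructed.

```python
import ntpath
import re

# Output redirected to an admin share such as \\host\C$\... or \\host\ADMIN$\...
ADMIN_SHARE_REDIRECT = re.compile(
    r">{1,2}\s*\"?\\\\[^\\\s\"]+\\(?:[A-Za-z]\$|ADMIN\$)\\", re.IGNORECASE)

# PowerShell switches (with the short prefixes PowerShell accepts) used here as
# illustrative indicators; names, weights and threshold are assumptions.
PS_FLAGS = [
    ("encoded_command", 2, re.compile(r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden_window",   2, re.compile(r"(?<![\w-])-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("bypass_policy",   1, re.compile(r"(?<![\w-])-e(?:x|xecutionpolicy|p)\s+bypass\b", re.I)),
    ("no_profile",      1, re.compile(r"(?<![\w-])-nop(?:rofile)?\b", re.I)),
]

def analyse(cmdline: str) -> dict:
    """Score one process command line and list the indicators that fired."""
    parts = cmdline.strip().split(None, 1)
    exe = ntpath.basename(parts[0].strip('"')).lower() if parts else ""
    findings, score = [], 0
    if exe in ("cmd.exe", "cmd") and ADMIN_SHARE_REDIRECT.search(cmdline):
        findings.append("admin_share_redirect")
        score += 3
    if exe.startswith("powershell") or exe == "pwsh.exe":
        for name, weight, pattern in PS_FLAGS:
            if pattern.search(cmdline):
                findings.append(name)
                score += weight
    return {"exe": exe, "score": score, "findings": findings}

def triage(cmdlines, threshold: int = 3) -> list:
    """Return only the command lines whose score reaches the alert threshold."""
    results = []
    for cmdline in cmdlines:
        result = analyse(cmdline)
        if result["score"] >= threshold:
            results.append({"cmdline": cmdline, **result})
    return results

SAMPLE_CMDLINES = [  # constructed sample telemetry, not real data
    r'cmd.exe /c whoami /all > \\DC01\C$\temp\out.txt',
    r'"C:\Windows\System32\cmd.exe" /c dir C:\Users > C:\temp\list.txt',
    r'powershell.exe -NoP -W Hidden -Enc QQBCAEMA',
    r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1',
    r'notepad.exe C:\Users\bob\notes.txt',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(hit["score"], hit["exe"], hit["findings"])
```

Only the admin-share redirection and the hidden, encoded PowerShell launch reach the threshold; the scheduled backup script with a bypassed execution policy scores too low on its own, which is the kind of contextual weighting the report’s “uncommon patterns of execution” point calls for.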

The Thales report is more a strategic overview Read the rest of this entry »

Call for privacy controls on TikTok

July 27, 2021

In today’s Age the National Children’s Commissioner, in TikTok: Time’s up to protect children’s privacy, highlights the alarming privacy-invasive practices of TikTok as well as the cumulative data collection on children through social media and other sources.  While the impetus of the story was TikTok’s focus on children, there is not much new in Anne Hollands’ piece.  Social media sites have been in the business of collecting personal information since their inception. Google’s business model is predicated on collecting and aggregating data through algorithms so as to sell targeted advertising.

Hollands’ concern about TikTok and other sites collecting personal information without proper consent is well placed.  The ACCC has similar concerns.  The potential problem lies in part of her solution: to have provisions in the Privacy Act requiring anyone collecting children’s data to be subject to some form of best-interests-of-children provision relating to the collection and use of that data. The problem with this approach is that it creates additional protections for specific types of data.  The resulting danger is that there will be silos of strong protection amidst weak protection overall.  That is what happens in the United States of America.  There the Children’s Online Privacy Protection Act (“COPPA”) sets stringent requirements on websites or services directed at children, there are strong health records protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and there are even protections over video rental records under the Video Privacy Protection Act of 1988.  But many other areas of activity in the USA have weak privacy protections at the Federal level.

The chronic problem is weak privacy protections Read the rest of this entry »

UK Information Commissioner fines transgender charity Mermaids 25,000 pounds for failing to keep personal data secure

July 19, 2021

The UK Information Commissioner’s Office has fined Mermaids £25,000 for failing to keep personal information secure.  The nature of the breach was that personal information in emails and documents created by staff at Mermaids or its clients was publicly available online.  Mermaids was advised by a newspaper of this fact in June 2019.  Mermaids contacted the Commissioner that day.

Mermaids is a charity that offers support to young people and their families regarding gender non-conformity.  As such the nature of the discussions and personal information was very sensitive.

The media release provides:

The Information Commissioner’s Office (ICO) has fined transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019. Read the rest of this entry »

New cyber security rules proposed. Another discussion paper on privacy and cyber security. A good paper, the question is whether anything will come of it.

July 18, 2021

On 13 July 2021 the Federal Government released a comprehensive discussion paper titled Strengthening Australia’s cyber security regulations and incentives as part of its attempts to make the digital economy more resilient.  The focus is on cyber security.  It summarises the issues and raises options across the broad subject headings of:

  • Governance standards for large businesses
  • Minimum standards for personal information
  • Standards for smart devices
  • Labelling for smart devices
  • Responsible disclosure policies
  • Health checks for small businesses
  • Protecting consumers
  • Clear legal remedies for consumers

As papers go it is comprehensive and a good resource in itself, as it draws on US, UK and European actions (which are far ahead of Australia’s) in cyber security.  But there is nothing stated in the report which hasn’t been written before.  It is candid enough to state that the primary current regulatory framework of the Privacy Act 1988, the Australian Consumer Law and the Corporations Act, as well as other more specialised acts, is not effective in this area.  Refreshingly the Paper highlights the dissatisfaction with the Information Commissioner’s approach to enforcement of the Privacy Act, stating Read the rest of this entry »

ASIC v RI Advice Group Pty Ltd cyber security civil penalty trial pushed off from a 29 November 2021 hearing date to a date in April 2022

May 17, 2021

The civil penalty proceeding in the Federal Court of ASIC v RI Advice Group is a significant case regarding the effectiveness of the Corporations Act 2001 in dealing with cybersecurity issues. ASIC commenced proceedings against RI Advice alleging that authorised representatives of RI Advice were subject to data breaches between 2016 and 2020.  ASIC alleges that RI Advice failed to implement adequate policies and systems and to provide sufficient resources to manage cyber security and cyber resilience risk.  ASIC alleges that these failures constitute a breach of the general obligations attaching to RI Advice’s financial licence under section 912A of the Corporations Act.  I provided a detailed analysis of the pleaded case in August last year. 

On 19 February 2021 Mr Justice O’Callaghan set down the timetable of the interlocutory steps before trial, being:

  1. The Plaintiff has leave to file and serve an Amended Originating Process substantially in the form served on the Defendant on 26 October 2020.
  2. By 4.00pm on 24 February 2021, the Plaintiff is to file and serve its Amended Originating Process.
  3. By 4.00pm on 1 March 2021, the Plaintiff is to file and serve any Reply to the Defendant’s Defence to the Amended Statement of Claim.
  4. By 4.00pm on 30 April 2021, the Plaintiff is to file and serve the lay witness statements and expert reports upon which it proposes to rely at trial, and a list of documents which it proposes to tender at trial.
  5. The matter be listed for a further case management hearing at 9.30am on 14 May 2021.
  6. The proceeding is tentatively listed for trial with an estimate of 2 to 3 weeks commencing on 29 November 2021.
  7. Costs are reserved.
  8. There is liberty to apply.

RI Advice’s defence was filed on 12 February 2021.  ASIC did not file a Reply.  ASIC’s expert report was filed on 30 April 2021.  So far so good. 

Last Friday RI Advice claimed Read the rest of this entry »

Privacy Awareness week has come and gone and not much has changed

May 10, 2021

It is better to have Privacy Awareness Week than not.  It is just that it is poorly promoted and the regulator has relatively little to say.  That is a major pity.

This year the Commonwealth Information Commissioner, in addition to an anodyne joint statement by information commissioners, did put out glossy tips for home, tips for work, tips for parents and carers, guidance on what to do if individuals receive a data breach notification and 10 steps to undertaking a privacy impact assessment. OVIC had a modest program.  The media coverage was thin on the ground, with the most notable coverage being ABC News Radio doing a 6.21 minute piece, Does privacy still exist in 2021?  It is little wonder Governments feel not much in the way of pressure to bolster privacy rights in Australia.

What is interesting is the recounting of the 2020 Australian Community Attitudes to Privacy Survey.  It is something of a behemoth, running to 121 pages. Some of the findings are:

  • 70% of Australians see the protection of personal information as an important issue and a major concern in their life.
  • 84% think identity theft and fraud, and data security and breaches, are the biggest privacy risks.
  • Most Australians have a clear understanding of why they should protect their personal information (85% agree), but half (49%) say they don’t know how.
  • 84% feel privacy of information and data is important when choosing a digital service.
  • 87% want more control and choice over the collection and use of their personal information.

These figures are hardly surprising but always worth recounting because there remains an undercurrent of cynicism about privacy and unfounded statements that people have given up on their privacy and are prepared to sacrifice privacy for services or security, or both.  As if it is a binary choice.  Which it never has been.

The Information Commissioner delivered a speech on 7 May titled Fair, flexible, fundamental: the future of data protection in a digital world where she Read the rest of this entry »