Peter A Clarke

The London Borough of Hammersmith and Fulham has been reprimanded by the UK Information Commissioner’s Office for leaving personal information of 6,528 people, including 2,342 children (worse, of whom 96 were unaccompanied asylum seekers), on its publicly viewable site for almost 2 years. The breach was almost certainly caused by an action by an employee responding to an FOI request made by WhatDoTheyKnow.com in October 2021. In responding to the FOI request the council provided an Excel spreadsheet which contained 35 hidden workbooks. That material was posted on both the Council site as well as the WDTK site. It was WDTK that noticed the data breach when, in November 2023, while doing a review of information on its site it found the personal information and advised the Council. The information was immediately removed from both sites.

This type of mistake is quite common with government agencies.  It is human error.  Often a combination of a lack fo attention to detail and poor privacy training.

The ICO media release provides:

We have reprimanded the London Borough of Hammersmith and Fulham (the council) after it left exposed the personal information of 6,528 people for almost two years.  

The personal data breach occurred when the council responded to a freedom of information (FOI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021. The response, published on the council’s website and WDTK, contained 10 workbooks which included personal information.   Read the rest of this entry »

The Information Commissioner releases a report of data breaches semi annually. Those statistics are data breaches reported to the Commissioner under the Notifiable Data Breaches Scheme or because the organisation or agency chooses to report out of an abundance of caution or because the data breach has been reported in the media. There is not an automatic requirement to notify the Commissioner of a data breach. And there are entities that are exempt from coverage of the Privacy Act 1988, notably Small Businesses. And there are organisations that do their best to keep data breaches quiet. According to the report for the period July to December 2024 the Commissioner was notified of 595 data breaches. That makes for a total of 1,113 notifications in the year. That is over 200 more notifications than 2023 which had 893 notifications.

What needs to be understood is that these figures are only reflective of a trend in data breaches.  The number of actual data breaches suffered by Australian entitities is far larger that those reported to the regulator.

Some interesting statistics regarding Read the rest of this entry »

Governments hold masses of personal and financial information, usually acquired by compulsion. Which makes government websites a very attractive target for hackers. Government privacy protections can be spotty, good in parts and full of flaws elsewhere. Some departments are much better than others. In the UK the Legal Aid Agency has suffered a cyber attack resulting in criminal and financial information being stolen according to the Times. Meanwhile in Australia the MyGov network has been hacked and ATO refunds have been taken using stolen identies according to the Australian.  This has prompted a strident and very long response from the ATO.  The Australian followed up with an article about My Gov with More ATO tax hacking victims emerge as expert warns of myGov security issues.

Hackers are also running a worldwide cyber espionage campaign, dubbed Roundpress, using zero day vulnerabilities and n-day flaws.

The Times article Read the rest of this entry »

Children’s privacy is a strong focus of privacy regulators. The COPPA Rules have been in place for some time and do provide protection for use of children’s data and privacy online. They are quite effective in protecting children’s online privacy and have been relied on in taking action against companies who collect children’s data. In Australia there is no fit for purpose regulation dealing with the protection of children’s privacy. While the e Safety Commissioner has peripheral responsibility, dealing with the sharing of images, the Privacy Commissioner has primary responsibility through the Privacy Act 1988. Last year the Australian Parliament amended the Privacy Act to provide for a Children’s Online Privacy Code which will come into effect on 10 December 2026. Australia is definitely behind the regulatory best practice when protecting children’s data. To emphasise that point the US Government has updated the COPPA rules, which will take effect on 23 June 2025.

While the Australian Children’s Code will have its own focus and emphasis and operate within the strictures of the Privacy Act it is worth being across COPPA Rules.  Australian Codes are drafted in very broad and general terms.

Features of the updated COPPA Read the rest of this entry »

Another week, another attack on Australian companies. The latest trend is attack on bank related log ins. The latest is the theft of almost 100 staff log ins of staff at the Big Four Banks. Again the means of theft was via the infostealer malware which was on the staff’s personal devices.

The article provides:

Cybercriminals have stolen almost 100 staff logins from workers at Australia’s biggest banks, putting those businesses at higher risk of mass data theft and ransomware attacks, according to cyber security researchers.

The most serious risks arise from the fact that attackers could ultimately use those leaked logins to gain access to the banks’ corporate networks, they warned. Read the rest of this entry »

There has been another big data breach involvng 14,000 Commbank customers 7,000 ANZ customers. 5,000 NAB customers and 4,000 Westpac customers according to the ABC’s Banking passwords stolen from Australians are being traded online by cybercriminals. The passwords were stolen from users personal devices through the “infostealer” malware.

The article provides:

More than 31,000 passwords belonging to Australian customers of the Big Four banks are being shared amongst cyber criminals online, often for free, the ABC can reveal.

Despite the anti-fraud protections in place at those banks, cybersecurity experts warn victims could “definitely” lose money as a result. Read the rest of this entry »

The list of data breaches in Australia continues to grow. It is not extraordinary compared to similar countries like the United States, Canada and the United Kingdom. The exposure to regulatory action is greater now that the Privacy Act has been amended. Whether that comes to pass is the question. With the statutory tort of interference with privacy coming into effect on 10 June 2025 there may be exposure if the actions or omissions giving rise to the data breach were reckless.

The breaches, or at least those that we know Read the rest of this entry »

The EDPB has released a report titled AI Privacy Risks & Mitigations Large Language Models (LLMs). A dry title on an important issue.

The AI Privacy Risks & Mitigations Large Language Models (LLMs) report sets out a comprehensive risk management methodology for LLM systems and, importantly, mitigation measures for common privacy risks in LLM systems.

LLMs is another important advance in artificial intelligence. They  process and generate human-like language trained on extensive datasets.

It is a long and very technical document but one that privacy practitioners should Read the rest of this entry »

Law firms are a prime target for data breaches. They hold significant personal information and sensitive information of corporations and government agencies. The UK Information Commissioner’s Office has imposed a very hefty fine of 60,000 pounds on the Merseyside-based DPP Law Ltd following a cyber attack in June 2022 which resulted in the loss of 32GB of data. The firm only became aware of this loss when it was contacted by the National Crime Agency which advised it that the data had been posted on the dark web. DPP Ltd had poor cyber security with a brute force attack being sufficient to gain access to an administrator’s account and then having the ability to move laterally across its network.  That bespeaks a very rudimentary system.  Then after being notified of the breach it regarded the loss of personal information as not constituing a personal data breach.  It waited 43 days before notifying the ICO.  It is a case study of what not to do.  Which in fact the ICO has done in publicising the litany of errors committed.

The ICO media release provides:

Cyber attack details

In June 2022, DPP suffered a cyber attack which affected access to the firm’s IT systems for over a week. A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system. This enabled cyber attackers to move laterally across DPP’s network and take over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it.

You can read the full details of the incident in our monetary penalty notice.

Legal requirements and our guidance

The law requires organisations to take continual and proactive steps to protect themselves against cyber attack. This includes ensuring all IT systems have MFA or equivalent protection, regularly scanning for vulnerabilities and installing the latest security patches without delay.

We have detailed guidance to help organisations understand their security obligations, including the duty for all organisations to report personal data breaches.

Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.

Australian firms have been hit with significant and damaging data breaches recently. The HWL Ebsworth data breach via a cyber attack in April 2023. resulted in approximately 2.2 million documents being affected. The Information Commissioner opened an investigation in February 2024, 14 months ago. There has been no public resolution of that investigation. It is the subject of a class action, with the National Justice Project is now representing 12 National Disability Insurance Scheme (NDIS) participants in a class action against HWL Ebsworth. In March cyberdaily reports in Brydens Lawyers suffers alleged 600GB data breach following ransomware attack that the firm had suffered a significant data breach in February 2025. Also in February 2025 Slater and Gordon suffered a humiliating data breach by Read the rest of this entry »

The co ordinated attack on Australian Super Funds was always going to generate a lot of press. But despite what some cynics might suggest, the press need something to write a story. Unfortunately the handling of the data breach has been, at best, pedestrian. The first problem is the lag between discovering the breach and notifyng any authority. It is not mandatory to notify the police and under the mandatory data breach notification laws an affected organisation has up to 30 days (rather than the more rigorous 72 hours in the GDPR). That said the optics in Australia seems to be that prompt notification gives organisations some cover. According to the Australian

story Tony Burke goes soft on Big Super as cyber attack sinks into farce the organisations are confused as to what they did and when they did. The AFP was notified 5 days after the attack and says that the Victoria Police would lead the investigation. The Victoria Police is yet to formally investigate. The bigger concern is the evidence appearing that suggests that there were repeated warnings for the funds to strengthen their online security and nothing was done about it. Those warnings did not just come from agencies and organisations but also from customers who wanted multi factor authorisation and were fobbed off. Multiple regulators have Read the rest of this entry »