Information Commissioner releases report of data breaches for July to December 2023. A 19% increase in notifications, to 483, over the previous 6-month period. The report highlights the problems of data breaches by third parties

February 27, 2024

The Information Commissioner has released its semi-annual data breach report, this time for the period July to December 2023. There was a steady increase in reported breaches across the period: 57 in July, 68 in August, 79 in September, 86 in October, 96 in November and 97 in December.

Interesting issues arising from the report:

  • the health sector remains the most affected by data breaches;
  • 65% of data breaches affected organisations of 100 people or fewer;
  • 67% of data breaches were caused by malicious or criminal attacks. There were 322 such incidents, up 12%;
  • while human error was responsible for 30% of data breaches, that was an increase of 36% over the previous period;
  • 423 incidents involved contact information;
  • 306 incidents involved identity information;
  • 197 incidents involved health information;
  • 193 involved financial details;
  • 64% of data breaches were identified in 10 or fewer days;
  • 23% of data breaches were identified in 30 days or more;
  • 56 of the 211 notifications involved ransomware while 59 involved phishing.

Relevant extracts are:

Cyber incidents continued to be the leading cause of data breaches that impacted a large number of Australians. Of the 26 breaches that affected over 5,000 Australians, 22 were caused by cyber incidents. The top causes were compromised or stolen credentials (9 notifications), ransomware (8 notifications) and hacking (4 notifications).

Entities need to continually review whether appropriate controls and processes are in place to defend against and mitigate data breaches caused by cyber incidents. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has developed prioritised mitigation strategies – the Strategies to Mitigate Cyber Security Incidents – to help entities protect themselves against various cyber threats. The most effective of these mitigation strategies is the Essential Eight.

Information Commissioner opens investigation into HWL Ebsworth data breach

February 22, 2024

The Information Commissioner has opened a Commissioner-initiated investigation into the data breach of the HWL Ebsworth site, which involved the loss of 1.1 terabytes of data. It has been some time in coming. HWL Ebsworth notified the Commissioner on 8 May 2023 and the Commissioner opened a preliminary enquiry in June 2023. A flaw in the legislation, and in the Commissioner’s approach to its regulation, is the lengthy and drawn-out process. It has been 8 months, or thereabouts, between the date the preliminary investigation opened and the date this investigation opens. It will be months, probably many, before the Commissioner completes this investigation. If civil proceedings are commenced, that won’t happen for months. And then a couple of years in the Federal Court. The Commissioner’s regulatory action policy needs a significant overhaul.

The other problem with the Commissioner’s approach to regulation is that typically the results of those investigations do not see the light of day. Or the results are quietly announced with little coverage in the media. This is significantly different to the regulators’ more expansive approach in the United States, the United Kingdom and the European Union.

HWL Ebsworth adopted a “batten down the hatches” approach to the data breach. After an initial anodyne statement it kept its counsel. It applied for and obtained an injunction against those using information leaked onto the dark web. The utility of that application is problematic, but it does restrain those who are not criminals and who may be tempted to access or otherwise view that material. Notwithstanding sporadic stories about which of HWL Ebsworth’s clients were affected, the strategy seemed, overall, to be effective. HWL Ebsworth avoided the intense media scrutiny and censure that Medibank and Optus experienced, even though the data stolen was at least as sensitive, and sometimes more sensitive, than that held by either of those organisations.

Given the large volume of data stolen, across the breadth of the firm’s operations, there will be serious questions as to the data storage policies, training and data handling processes, why so much data was retained for so long, and how the hackers were able to range so widely across practice areas.

The Commissioner’s Statement provides:

The Australian Information Commissioner has commenced an investigation into the personal information handling practices of HWL Ebsworth Lawyers (HWLE), arising from a data breach notified to the Office of the Australian Information Commissioner (OAIC) on 8 May 2023. The decision follows the OAIC’s preliminary inquiries into the matter, commenced in June 2023.

The OAIC’s investigation is into HWLE’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals.

The Commissioner has a range of options available to her if following her investigation she is satisfied that an interference with the privacy of one or more individuals has occurred.

This includes making a determination, which can include declarations that HWLE take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with privacy of individuals, then the Commissioner has the power to seek civil penalties against HWLE from the Federal Court of Australia.

In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.

About Commissioner-initiated investigations

The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1 under section 40(2) of the Australian Privacy Act 1988.

Under the Notifiable Data Breaches scheme in the Privacy Act, in certain circumstances organisations are required to take such steps as are reasonable to notify affected individuals of an eligible data breach and do so as soon as practicable.

The story has been covered by itnews with

Federal Government appoints Carly Kind as Privacy Commissioner, reinstating the stand-alone position, commencing on 26 February 2024

November 27, 2023

The Government today announced the appointment of Carly Kind as a stand-alone Privacy Commissioner, effective on 26 February 2024. This is an appointment that was foreshadowed in May 2023. The Privacy Commissioner was never abolished, and is a statutory position. The Information Commissioner was created in 2010. The new Federal Government announced that it would abolish the Information Commissioner in the 2014 budget and for a time cut its funding drastically. The Information Commissioner also held the position of Privacy Commissioner. The attempts to abolish the Privacy Commissioner ended in May 2016 and the Government increased its funding. Its funding situation has steadily improved since then. With data breaches being a high profile issue, the Commissioner has received very significant funding increases. In this year’s May budget it received an extra $17.8 million for the 2023–24 financial year and $44.3 million to support privacy activities, and another $9.2 million over two years to regulate the privacy elements of the Consumer Data Right, My Health Record and Digital Identity.

The timid enforcement and spotty regulation of the Privacy Act 1988 has been attributed to inadequate funding in the past, especially in the 2014–2016 period, and beyond. That is partly true but far from the whole story. The Privacy Commissioner, and then the Information Commissioner, was a less than optimal regulator in the period pre-2014 and after 2016. Since it obtained civil penalty proceeding powers in 2014 it has only commenced two actions, one of which was earlier this month. That is regrettable.

The Attorney General’s announcement of the appointment is:

Carly Kind has been appointed as Privacy Commissioner, reinstating the standalone position abolished by the Coalition. Ms Kind brings to the Privacy Commissioner role expertise in data protection; AI policy, practice and governance; privacy; and technology law and policy.

Ms Kind has held the role of inaugural Director of the London-based Ada Lovelace Institute since 2019. Between 2015 and 2019 she was an independent consultant to a number of human rights organisations, trusts and foundations, international organisations and the private sector. She has provided advice on legal, ethical and practical issues at the intersection of technology and human rights.

Ms Kind will commence on 26 February 2024. Ms Angelene Falk, the Australian Information Commissioner, will continue as Privacy Commissioner until that time.

When the Government amends the Privacy Act, probably some time next year, the Privacy Commissioner is likely to have stronger powers, in addition to the enhanced powers given to her this year. The test will be whether they are used and how effective such regulation is.


The Australian Information Commissioner has commenced civil penalty proceedings against Australian Clinical Labs Limited in the Federal Court

November 20, 2023

After coming off some serious questioning in Senate Estimates about poor enforcement practices, the Commissioner announced on 3 November 2023 that the Office of the Information Commissioner had launched proceedings against Australian Clinical Labs on 2 November 2023 (file number NSD1287/2023). The Commissioner has filed a Concise Statement and Originating Application and Australian Clinical Labs Limited has filed a Notice of Address for Service. The Commissioner is represented by DLA Piper, out of its Brisbane office. Previously the Commissioner has been represented by HWL Ebsworth. Gilbert & Tobin, out of its Sydney office, is representing Australian Clinical Labs. Gilbert & Tobin represented RI Advice in the Federal Court case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. That case has been heralded as a positive development in enforcing data security as an obligation of financial services licensees under the Corporations Act 2001, being section 912A. While RI Advice was the subject of compliance orders and penalties, it is fair to say that Gilbert & Tobin did a good job in keeping the stringency of the orders and penalty to a moderate level. Compared to overseas penalties by the European regulators, the UK Information Commissioner’s Office and

Information Commissioner announces that she will not seek a third term when her current term expires in August 2024.

November 13, 2023

Last Friday (a known trash day for those wanting to put out news that won’t get a run in the mainstream press) the Information Commissioner announced that she would not be seeking a third term. Her term ends in August 2024. What is not clear from the statement is whether the Commissioner received an indication from the Government that a third term was a reasonable prospect if she wanted it.

Her statement is:

The Australian Information Commissioner Angelene Falk has advised the Attorney-General that after having the privilege of serving two terms she will not be seeking a third term.

The Australian Information Commissioner said: “I am greatly honoured to have led the Office of the Australian Information Commissioner (OAIC) through a time of exponential growth, technological development, heightened community expectations and great domestic and international change in the regulatory landscape. I remain focused on the protection and promotion of privacy and information access rights and ensuring the OAIC is well positioned for the challenges of the future.”

Commissioner Falk said the move to a three Commissioner model marked an exciting chapter for the OAIC.

“There is much I wish to do in the remainder of my term and a key priority is to support Commissioners in their roles and leverage our current strategic review so the OAIC can continue to serve the Australian community over the next decade,” she said.

The Attorney-General’s Department has advertised the position ahead of the conclusion of the Australian Information Commissioner’s term in August 2024.

Falk’s tenure has been more effective than her predecessors’. That is partly because she has had more resources of late, and because the pressure to do more, given the increased number and size of data breaches, has grown. That said, previous Commissioners left a disappointing legacy. Regulation has been weak and enforcement negligible. As such

Legal and Constitutional Affairs Legislation Committee questions Office of Information Commissioner in Senate Estimates on 23 October 2023

October 27, 2023

Senate Estimates are an invaluable way of scrutinising government departments and asking questions on issues that do not find their way into Government reports. So it was when the Senate Legal and Constitutional Affairs Legislation Committee asked some long-overdue questions of the Information Commissioner on 23 October 2023. With the Information Commissioner, top of the list of questions is the delay in investigating complaints and the lack of vigorous enforcement by the Commissioner. Compared to other privacy regulators, the Australian Information Commissioner’s Office is tardy and timid.

Senator Shoebridge asked questions relating to those very issues. The answers were not particularly inspiring. The good Senator highlighted what privacy practitioners have long suspected: that the Commissioner doesn’t do enforcement. This extract is revealing:

Senator SHOEBRIDGE: How could it be that 1,748 data breaches are referred to your office with not a single penalty over two years? What has gone wrong?

Ms Falk: It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances.

Senator SHOEBRIDGE: It’s about never using the stick, isn’t it—never.

Ms Falk: That’s not the case. You’ll be aware that I do have proceedings before the Federal Court in relation to Facebook and also aware of the time that it takes for these matters to progress.

The regulatory strategy is not to take enforcement action. In the US or the UK, enforcement would very much be to the fore. Here it is not the “right tool.” Little wonder that there is a very poor privacy culture. If enforcement is off the table there is

Information Commissioner releases Annual Report

October 25, 2023

It’s annual report time. And the Information Commissioner is no exception to this exercise ordained by law. And, in the tradition of the Australian Public Service, it was released on a Friday, the 19th of October to be exact, even though the Information Commissioner signed the report as at 3 October 2023. That way it avoids serious scrutiny by the traditional media. There is no time to push out a story for the weekend papers, and the electronic media would have no interest in a weekend story. By Monday the caravan has moved on.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) delivered work for the Australian community through unprecedented times in 2022–23 as millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme.

Releasing the OAIC’s annual report for 2022–23, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the volatile events of the financial year had underscored the need for the regulator to have the right foundations in place to promote and protect information access and privacy rights.

“Throughout the year, the OAIC has continued to develop and advocate for these foundations to support a proportionate and proactive approach to regulation. This includes appropriate laws, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and, importantly, collaboration,” Commissioner Falk said.

“As well as being a wake-up call for Australian organisations, the prominent data breaches emphasised how collaboration by regulators and government can assist in identifying and reducing harms.”

Commissioner Falk said the OAIC had sought to influence quality freedom of information (FOI) decision making by providing guidance to government agencies and working with them to improve the system. However, the OAIC still requires sufficient resources to meet current demand and address backlogs.

This year, applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years, and FOI complaints fell 2% to 212.

The OAIC finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 35% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

“We continued to engage with government agencies on issues of regulatory concern and to promote the principles of open by design, which support agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure,” Commissioner Falk said.

The OAIC performs an important privacy complaint handling role for the community. In 2022–23, it received 34% more privacy complaints (3,402, a record number) than in 2021–22.

In a year in which data breaches were so prominent, the OAIC received a 5% increase in notifications.

“Not surprisingly, our Australian Community Attitudes to Privacy Survey 2023 released soon after the end of the reporting period in August 2023, found that data breaches are seen as the number one privacy concern by the community,” Commissioner Falk said.

During 2022–23, the OAIC launched significant investigations into Optus, Medibank Private, Latitude Group and Australian Clinical Labs in relation to their data breaches. Investigations were also opened into the personal information handling practices of retailers Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.

The OAIC continues to co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission. During 2022–23, the OAIC provided advice on the privacy and confidentiality impacts of expanding the CDR to the non-bank lending sector, legislation to establish new functionality in the CDR to allow consumer-directed action and payment initiation, and new and amended data standards.

During the reporting period, the OAIC contributed to the Attorney-General’s Department’s review of the Privacy Act 1988. The Australian Government released its response to the review in September 2023 and legislation is expected in 2024.

“In the May 2023 Budget, the OAIC received additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future,” Commissioner Falk said.

“This is an opportunity full of promise and will occur alongside a change in the composition of the OAIC following the Australian Government’s announcement that the 3 statutory office holder model will be reinstated, with an Information Commissioner (as agency head), FOI Commissioner and Privacy Commissioner.

“The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.”

Read the OAIC Annual report 2022–23.

Key 2022–23 statistics

    • Received 1,647 applications for IC review of FOI decisions (down 16% compared to 2021–22) and finalised 1,519 (up 10%).
    • Received 212 FOI complaints (down 2%) and finalised 124 FOI complaints (down 44%). The fall in complaints finalised was due to a focus on finalising IC reviews received in 2018 and 2019.
    • Received 3,402 privacy complaints (up 34%) and finalised 2,576 privacy complaints (up 17%).
    • Received 895 notifications under the NDB scheme (up 5%) and finalised 77% of notifications within 60 days against a target of 80%.
    • Handled 11,672 privacy enquiries (up 7%) and 1,647 FOI enquiries (down 15%).

The overview provides:

In 2022–23 the OAIC delivered our work for the Australian community through unprecedented times, as tens of millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme in 2018.

With the welcome support of additional government funding for privacy, we commenced and have substantially progressed major investigations into these breaches. They have brought into sharp relief the requirement for boards across corporate Australia, Ministers and Secretaries of Departments, to prioritise investment in protecting personal information and limiting its collection and retention. As cyber-attacks become increasingly prevalent and impactful, it’s individuals who are at risk of harm but business and others with custody of personal information at risk of serious reputational damage.

This is why the OAIC seeks to serve the Australian people by putting the individual at the centre of our approach. We focus on applying our regulatory tools to promote access to government-held information and protect personal information. This means assessing where potential community impacts are most significant, being targeted in our approach, maximising the use of our resources, and adapting to a rapidly changing and increasingly complex environment.

Achieving that goal requires certain foundations to be in place: appropriate law, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and importantly, collaboration.

The OAIC has developed these foundations to take a proportionate and proactive approach to identifying and reducing harms. We have sought to influence quality Freedom of Information (FOI) decision-making by providing guidance to agencies and working with them to improve the system. However, to achieve the vision for the OAIC’s role in FOI requires sufficient resources to meet current demand and address backlogs which have arisen since the office’s establishment, resulting in a legacy case load that persists and continues to grow.

This year applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years primarily attributable to the Department of Home Affairs; and FOI complaints fell 2% to 212.

We finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 37% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

In 2018 the OAIC began efforts to garner support for a review of its functions and resourcing requirements, to ensure the organisation is positioned to meet the needs of the community. We have been consistent and persistent in our representations across all our functions. In the May 2023 Budget we were pleased to receive additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future.

Office of the Information Commissioner releases latest Data Breach Report. Useful, but it still under-reports the number of breaches in Australia. While the number of breaches notified fell by 16% in this period, there was the first breach involving over 10 million people.

September 11, 2023

The Office of the Information Commissioner has released the latest Data Breach Report, for the first half of 2023. That was a reduction from the previous 6 months. It should be noted that there are usually more data breaches in the second half of a year.

Some of the interesting points made in the report were:

  • Health services continued to be the most affected by data breaches, with 63 notifications out of a total of 409.
  • 42% of the data breaches resulted from cyber security incidents.
  • 288 of the breaches were the result of malicious or criminal attacks.
  • Human error breaches were the fastest to be identified, in 30 days or fewer.
  • 21 of the 23 breaches that affected over 5,000 Australians were caused by cyber incidents. Of these,
    • 7 were caused by ransomware,
    • 7 by compromised or stolen credentials,
    • 4 by hacking and 1 each by brute-force attack, malware and phishing (compromised credentials).
    • The other 2 breaches that affected over 5,000 Australians in this period were caused by a rogue employee or insider threat and by theft of paperwork or a data storage device.
  • 87% of information affected was contact information, such as an individual’s name, home address, phone number or email address.
  • In 78% of cases the breaches were identified in 30 days or less.

The media release provides:

The need for organisations to strengthen data security and promptly respond to suspected breaches is highlighted in the latest Notifiable data breaches report, released today.

The Office of the Australian Information Commissioner (OAIC) expects organisations to have robust and proactive procedures in place to protect the personal information they hold, Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Commissioner Falk said.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”

The Notifiable Data Breaches scheme aims to protect individuals by requiring that they are notified when they are at likely risk of serious harm from a data breach.

The Office of the Australian Information Commissioner suffers a data breach courtesy of the successful hacking of HWL Ebsworth. Hackers 1, regulator zero.

June 14, 2023

As they say, “you couldn’t make this up.” The Office of the Australian Information Commissioner has suffered a data breach, according to The Australian’s report “Peak privacy agency the latest to fall victim to Russia-linked cybercrime gang”, through the hacking of HWL Ebsworth’s website. The regulator has regularly engaged HWL Ebsworth to provide legal services. That entails providing information for use by the law firm. And it is at least some of that information that has been compromised. While the Commissioner cannot be blamed for providing information to its trusted legal advisor, it might be interesting to know whether the Commissioner enquired of HWL Ebsworth about the privacy training it gave its staff and the security of the documents held under its control. Normally a victim’s answers to such questions are unsatisfactory. The Commissioner is being tight-lipped in its initial response. The concession was made that if personal information collected was compromised then those persons would be notified.

This must be mortifying for the Commissioner. 

At some point the Commissioner would need to provide more than guarded comments. There is a question of making the public trust the integrity

HWL Ebsworth’s ongoing agony with hackers highlights the need for law firms to maintain proper data security. A very salutary lesson.

In late April Russian hackers successfully launched a ransomware attack against HWL Ebsworth, a national Australian law firm. On 30 April the hackers made a demand for a ransom. The ALPHV/BlackCat ransomware group posted on its website that 4 terabytes of data had been taken. The contents included employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map. As has become usual, the firm responded to enquiries by stating that it had contacted the Australian Cyber Security Centre and would work with them. Further details were scarce. Nothing unusual in that. It has become a standard deflector shield against further enquiry.

That was in early May. But ransomware hackers don’t really care about what their victims say. Particularly hackers as effective as BlackCat. On 11 May the Australian Financial Review reported that the Ebsworth data was posted on BlackCat’s site on the dark web. The AFR also reported that clients, including the Commonwealth Bank, La Trobe Financial and ING Bank, had removed their files from the firm. Given the likely entry point for the hackers was via an email received on a staff member’s personal device this is a massive loss of billings and reputation for what was likely a preventable data breach. Human error is the cause of a vast majority of data breaches. And that human error is often caused by poor training and supervision. The fact that the firm only became aware of the hack when the hackers advised of the theft of data points to poor internal security. That 4 terabytes of data could be exfiltrated from various data banks of the firm points to no or inadequate programs to monitor and respond to unusual movements of data. Given that HWL Ebsworth is the largest firm by partner size that is quite extraordinary.

On 9 June the ABC reported that BlackCat had published 1.45 terabytes of data on the dark web with the statement “ENJOY”. That happened after the demand for ransom payment within 10 days expired without any payment being forthcoming. As the ABC article makes clear, the impact of the data breach goes beyond the impact on the personal information of staff and financial records. It extends to personal information and other sensitive material belonging to clients such as government agencies and commercial institutions. That leads to them having to take proactive measures to determine the extent of the loss of their data and what steps they need to take to advise their clients or other persons. Law firms such as HWL Ebsworth hold masses of sensitive and personal information belonging to clients. The Tasmanian Government has reported suffering a possible data breach linked to the attack on HWL Ebsworth.

Given the nature of the data breach, HWL Ebsworth’s focus is on dealing with clients whose own clients or employees may have been affected, rather than a broad notice to a set group of people. That has been the tenor of its response to enquiries. While that is understandable, HWL Ebsworth has maintained a very restrained response. As overseas experience and the Optus and Medibank data breaches attest, that is not generally a good strategy. Clearly, constraints on confidentiality apply; however, a broader explanation is often better than bromides, which is the nub of the response to date. Given BlackCat has not finished with HWL Ebsworth it
