Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem

September 16, 2021

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

It governance calculates that in August there were 84 cyber attacks which results in 60,865,828 records being breached.  Of that number T Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual threat report for 2020 – 2021 which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could, and probably is, higher.  Probably Read the rest of this entry »

Data breaches everywhere with 2.3 billion records breached worldwide in February 2021 and the grand total of 539 breaches to the Australian Information Commissioner between July – December 2020. A lack of credibility in the Australian mandatory data breach notification scheme.

March 7, 2021

It governance has provided its list of data breaches and cyber attacks in February 2021, estimating that 2.3 billion records were breached. The cyber attacks range from the relatively modest in number, with 208 records of the Watermark Retirement Communities residents across 10 states being affected, to the catastrophically large attack, involving millions of user records of Raychat being destroyed and the records of 102 million consumers of two mobile operators in Brazil.  There were also other significant data breaches, including 400 million records of a delivery company, Bykea, being leaked in Pakistan and Australia’s Oxfam discovered that its database of 1.7 million records were being offered for sale on a hacker forum. The humiliating Oxfam data breach required it to issue the now all too familiar sort of candid post of where matters are at on 1 March 2021 which Read the rest of this entry »

Attorney General announces a review of the Privacy Act 1988 with submissions due by 29 November 2020

October 30, 2020

Today the Attorney General announced a(nother) review of the Privacy Act 1988.  That was part of a response to the ACCC Digital Platform’s Inquiry.  In doing so he released a 89 page Issues Paper. 

The media release provides:

The Morrison Government has today released the terms of reference and issues paper for a wide-ranging review of the Privacy Act 1988 (the Privacy Act). 

The Government committed to a review following the Australian Competition and Consumer Commission’s Digital Platforms Inquiry in 2019. Several recommendations from that Inquiry – which the Government has already agreed to in principle – will be considered as part of the review.

These include expanding the scope of the Privacy Act to cover technical data and other online identifiers; and strengthening privacy notice and consent requirements

The review will be conducted by the Attorney-General’s Department and public submissions can be lodged up until 29 November 2020. A further opportunity to comment will also be available following the release of a discussion paper early next year.

“Australians are spending more and more of their time online and more of their personal information is being collected, handled and stored,” Attorney-General Christian Porter said.

“Technology is also rapidly evolving in areas such as artificial intelligence and data analytics, which is why it is crucial that we have a privacy regime that is fit for purpose, can grow trust, empower consumers and support the growing digital economy.”

A report of the review will be released following government consideration. It is separate to the work already being undertaken to increase the maximum civil penalties under the Privacy Act, and to develop a binding privacy code for social media platforms and other online platforms that trade in personal information.

The issues paper and further information about the review and consultation are available on the Privacy Act review page on the Attorney-General’s Department website. Read the rest of this entry »

Government releases exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020

May 5, 2020

The Commonwealth Attorney General’s Department has released an exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020.

The Attorney General’s media release provides:

The COVIDSafe app is a critical tool in helping our nation fight the COVID-19 pandemic.

With more than 4 million COVIDSafe registrations many Australian’s are already doing their part to help protect and save lives.

Attorney-General, Christian Porter, today released draft legislation which will codify the existing protections for individuals’ data collected by the COVIDSafe app that have been established in the Health Minister’s Biosecurity Act Determination.

The Privacy Amendment (Public Health Contact Information) Bill 2020, will reinforce the protections set out in the Determination made by the Minister for Health under the Biosecurity Act 2015on 25 April 2020, placing the protections into primary legislation through amendments to the Privacy Act 1988. Read the rest of this entry »

Australian Information Commission v Facebook Inc [2020] FCA 531 (22 April 2020): application for service outside of Australia, the Commissioner’s prima facie case. The opening round in the first civil proceeding for breach of the Privacy Act by the Commissioner

April 26, 2020

On 23 April 2020 in  Australian Information Commission v Facebook Inc the Australian Information Commissioner successfully obtained interim suppression and non publication orders and orders to serve outside Australia and substituted service against Facebook Inc.

This is the first of what is likely Read the rest of this entry »

Information Commissioner releases report that 537 notifiable data breaches for the last half of 2019 while worldwide the estimate of data records accessed unlawfully in 2019 reached 12.3 billion!

March 15, 2020

At the end of February the Australian Information Commissioner released the Report of Notifiable Data Breaches for the July – December 2019 period.  There were 537 notifications, up from 460 in the previous 6 months and making 997 for the 2019 calendar year. 

As usual health service providers top the list, with 117 notifications, followed by finance with 77 notifications.  Interestingly though less than 10% of notifications there were 40 notifications from the legal/accountancy and management services.  In terms of numbers of individuals affected 132 notifications, about 20%, affected only one person’s personal information but one breach affected more than 10,000,000. The majority of notifications, 309, affected from 2 to 1,000 individuals while 13 notifications covered between 25,000 – 10,000,000. 

Contact information was Read the rest of this entry »

The Australian Information Commissioner commences civil penalty proceedings against Facebook under section 13G of the Privacy Act

March 10, 2020

Yesterday, 9 March 2020, the Australian Information Commissioner commenced proceedings against Facebook in the Federal Court.  The actual citation is Australian Information Commissioner v Facebook Inc & Facbook Ireland Limited (court number NSD 246/2020).

It has taken 2 years for the Information Commissioner to conclude her investigations regarding Facebook’s actions in permitting personal information to be misused through the This is Your Digital Life app which was disclosed to Cambridge Analytica. The UK Information Commissioner resolved its investigation and issued a monetary penalty notice of 500,000 pounds in October 2018.  The US Federal Trade Commission imposed $5 billion penalty for its breach of the previous order in July 2019.

This litigation will be significant as it is the first consideration of the operation of section 13G of the Privacy Act, a civil penalty proceeding for serious or repeated interference with privacy.  Unfortunately the Information Commissioner has not proven to be an adept litigator to date though Facebook’s egregious conduct in permitting its users personal information to be misused is well documented.  What is less clear is how the Commissioner will convince the Court that the statutory limit of $1.7million for an infraction is a limit on each breach.  That will be a significant Read the rest of this entry »

Call to reform Privacy Act because of data haul by Google and others

November 11, 2019

Even after writing about privacy for a decade and more, it still never ceases to amaze me that media write in breathless tones about the problem with organisations using and misusing data and personal information as if it was some form of revelation.  The only thing that has changed has been the great efficiency in the misuse.  The latest offering is the Australian’s piece Giants’ data haul sparks call to reform privacy act which is a bit of a spruik dressed up as an article for a conference to be hosted by the Consumer Policy Research Centre on 19 November 2019.

The chief executive is calling for “urgent reform of the Privacy Act” to better protect consumers.  She also wants a Consumer Data Right.  The call to reform the Privacy Act is misconceived.  There is no point increasing the powers of Read the rest of this entry »

The Australian Information Commissioner releases a Guide to health privacy

October 12, 2019

The Australian Information Commissioner has recently released a Guide to Health Privacy.  At over 50 pages it is quite comprehensive.  It is less equivocal than previous guides published by the Information Commissioner.  That is not to say it does not descend into vague generality more than it should. The Commissioner’s guidelines have no force of law under the Privacy Act 1988.  That obvious fact has been stated by the Administrative Appeals Tribunal and the Federal Court.  As they are not regulations their use as a legal document is relatively limited.  They do however serve as a standard which the Information Commissioner expects agencies and organisations to follow in order to comply with the Privacy Act.

While some of the Commissioner’s previous and current guidelines are so vague, rubbery and equivocal as to be of little use that is not really the key regulatory issue.  The problem has always been the reluctance by the regulator in taking enforcement action.  That has been a 30 year problem. The powers available to the Commissioner have grown over the years.  That has not been matched by Read the rest of this entry »

Information Commissioner releases the 6th notifiable breaches report, revealing 245 notifications between April and June 2019. She also announces moving to reporting semi annually rather than quarterly

August 29, 2019

The Information Commissioner has released the latest report on reported, rather than actual data breaches, for the last quarter; April – June 2019.  The report highlights what has long been known, that human factors are a major cause of breaches.

The report reveals that:

  • 34% of the breaches were caused by human error;
  • 62% were motivated by malicious or criminal attacks
  • the number of reported breaches, at 245 is statistically greater than the breaches in the January – March period of 215 but in line with the previous 2 quarters of 245 and 262.
  • 1 breach affected over a million people, 21 breaches affected over a thousand but less than 5,000 people, 52 breaches affected between 100 and 1,000 and the largest category of 61 breaches affected a single person. The report does not identify which industries are affected by breaches impacting a large number of people.
  • contact information was affecetd in 220 of the breaches while financial details were affected in 102 and health information on 67 occasions.
  • as is commonly the case wrong email addresses were the cause of the most human errors. Most of those errors were in the health sector.
  • phishing is by far and away the most common cause of cyber incidents
  • the most notifications were from the health sector, 47, while finance had 42 notifications followed by lawyers and accountants, 24.

Read the rest of this entry »