Jeremy Lee v Superior Wood Pty Ltd[2019] FWCFB 2946; Full Bench of the Fair Work Commission considering breach of the Privacy Act, biometric data, unfair dismissal

July 1, 2019

The Full Bench of the Fair Work Commission recently handed down a very important decision in Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 regarding the application of the Privacy Act. The Full Bench undertook a careful analysis of the Act and applied the Australian Privacy Principles (the APPs) to the facts in the context of an unfair dismissal claim, in this case appeal from a Commissioner at first instance.

The Facts

Superior Wood operates two sawmills at Melawondi and Imbil [2] in Queensland. It had approximately 150 employees, 80 of whom, including Lee,working at the Imbil site. Lee was employed as a casual general hand and worked for  3 ¼ years. Superior Wood is Read the rest of this entry »

Landmark White considers sale as cash runs out. The reputational effect of data breaches.

June 25, 2019

The focus of reporting on data breaches is on the personal information which is taken, potentially to commit fraud and the distress that others have that information without permission.  What is less reported is the potentially catastrophic effect data breaches may have on an business’ prospects, if not survival.  

In the United States Retrieval – Masters Creditors Bureau filed for Chapter 11 bankruptcy protection after it suffered a data breach in March.  The fallout from the data breach has been described as creating a “cascade of events” with led to the bankruptcy.  In Australia the Australian Financial Review (AFR) has reported that Landmark White is considering a full or partial sale of its business as it suffers a liquidity crisis caused by its second suspension by its lender clients.  In both cases the Read the rest of this entry »

Tim Cook’s Commencement address at Stanford puts privacy front and centre of the current technology debate

June 24, 2019

Amongst the big 4 tech giants in their own given areas, Microsoft, Google, Facebook and Apple, Apple has made the strongest public stand on protecting its users privacy.  It too a stand as a civil rights issue in protecting privacy when in in 2016 when it refused to assist the FBI in in cracking a password on an iphone owned by a terrorist.  That included fighting the FBI in the Federal Court.

Facebook’s recent pivot to a privacy friendly future with the statement A Privacy-Focused Vision for Social Networking in March has been treated with some scepticism when the Guardian recently reported that Zuckerberg knew of poor privacy practices associated with the Cambridge Analytica scandal.  The evidence, emails uncovered by the Federal Trade Commission in its investigation as to whether Facebook has breached a 20 year consent decree, which it almost certainly has.  Facebook has reportedly set aside $3 billion in anticipation of a record fine from the FTC though the figure could be as high as $5 billion.  Today Facebook through Read the rest of this entry »

UK Information Commissioner prosecutes unauthorised access to personal information..part of a growing problem

June 11, 2019

Organisations and agencies that collect and use personal information have a chronic problem of staff accessing that information without authorisation.   It is a very significant problem in the health industry with staff looking into the health records of celebrities; George Clooney in 2007, of Brittany Spears in 2008, Michael Jackson’s health records in 2011 and Kim Kardashian in 2013 to name a few. Last year 2 staff members at the Ipswich Hospital were reprimanded and one sacked for accessing Ed Sheeran’s health records relating to his treatment for a writs injury caused by a bicycle accident.  These instances are a fraction of the breaches of this nature that occurs. The breaches rarely come to light because the organisations notify those whose personal information have been compromised.  And they are only occasionally notified to the regulator. 

A case of snooping that was reported to the regulator resulted in a successful prosecution. In the United Kingdom unauthorised access of personal information is criminal offence. The UK Information Commissioner successfully prosecuted a former customer services officer at Stockport Homes who unlawfully accessed personal data, being anti social behaviour cases 67 times in 2017.  The breaches were Read the rest of this entry »

Australian National University suffers hack, again (2nd time in a year) with personal information collected over 19 years affected.

June 4, 2019

The Australian National University has had a very serious data breach.  Not just that a hacker or hackers breached its data security and accessed personal data, collected over a 19 year period, but that it started late in 2018 and was only detected two weeks ago.  That happens.  Sometimes hackers can remain in a system for years.  That may be a reflection on the sophistication of the attackers but it is more often a reflection on the adequacy of the organisation. 

This is second data breach in less than a year.  That bespeaks a real structural and governance problem with data security.  What also happens when data breaches like this happen is the data handling practices of the organisation come under the spotlight.  And ANU will have, or at least should have, a few questions to answer. Apart from the obvious about Read the rest of this entry »

Hack attack on Westpac PayID exposes data of 100,000

Financial institutions and health care facilities are by far and away the most attractive and attacked sites for hackers.  Accessing personal information to permit access and transfer of funds from financial institutions are an obvious attraction.  Health facilities as a matter of course collect names, addresses, dates of birth, insurance information, government identifiers and often times credit card information.  That accumulation of data in one place, which depressingly is what health facilities usually do, permits a hacker to sell that information on the dark web or embark on identify theft himself (most hackers, based on evidence to date, being male).

Westpac has suffered a data breach as reported in Almost 100,000 Australians’ private details exposed in attack on Westpac’s PayID.  The aim and partial success was to access personal information to later use to commit acts of fraud.

There are three interesting aspects to the story.  The first is that details of the attack became public only because someone close to or in Westpac, NPP or both posted details as an item of interest on Whirlpool.  The Second is that the attack highlightgs the vulnerability of apps and other services designed for quick and easy use of banking facilities.  There is often a trade off, at least in the developers mindset, of ease of use and protection from hacking.  Apps are often weak links in data security.  The third issue is Read the rest of this entry »

LandMark White suffers another data breach..if it wasn’t for bad luck it would have no luck at all.

May 31, 2019

LandMark White, LMW, a property valuation firm suffered a data breach in January 2019, which was notified to the stock exchange on 5 February 2019.  The data breach involved 137,500 valuation records being stolen by hackers.  Some of those documents were posted on a dark web forum.  As a result of the breach it lost its best customers in CBA and ANZ.  Banks have long complained about weak privacy protections by many organisations and have been very concerned about the Federal Government’s push to create a Consumer Data right with such a poor privacy and security structures in place.

LMW’s shares were suspended, not resuming trading until 7 May. By then the cost to the company was estimated to be about $7 million and the Chief Executive and 2 directors left as a result.  In May LMW returned to the valuation panels of the banks.

Good news.   Until now.

LMW has now suffered what was a probably insider attack which resulted in Read the rest of this entry »

Data breach hits Canva

May 30, 2019

View image on Twitter

Just because a company is a tech favourite and has a cool image doesn’t mean it can’t have a data breach that afflicts daggier businesses.  Data thieves tend not to respect trends, looks and reputations.  Their respect only runs to the effectiveness of privacy protections and data security.  And in that respect Canva has come up short.  Worse, Canva’s response to the data breach is a lesson in what not to do. Canva and its advisors don’t know or ignore what best practice is when dealing with a data breach, both legally as well as from a business and client management perspective. 

For starters it is a dreadful look for the data breach to be disclosed by the hackers.  Zdnet reported the story in Australian tech unicorn Canva suffers security breach last Monday with the notorious hacker, GnosticPlayers, claiming to accessed personal information held by Canva up until 17 May 2019 earlier that day.    Significant detail was provided to Zdnet and that resulted in a detailed story which provides:

Canva, a Sydney-based startup that’s behind the eponymous graphic design service, was hacked earlier today, ZDNet has learned.

Data for roughly 139 million users has been taken during the breach, according to the hacker, who tipped off ZDNet.

Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.

Hack took place this morning

Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning.

“I download everything up to May 17,” the hacker said. “They detected my breach and closed their database server.”

Stolen data included details such as customer usernames, real names, email addresses, and city & country information, where available.

For 61 million users, password hashes were also present in the database. The passwords where hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around.

For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password.

Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.

ZDNet requested a sample of the hacked data, so we could verify the hacker’s claims. We received a sample with the data of 18,816 accounts, including the account details for some of the site’s staff and admins.

We used this information to contact Canva users, who verified the validity of the data we received. We also contacted the site’s administrators, informing them of the breach and requesting an official statement.

“Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses,” a Canva spokesperson told ZDNet via email.

“We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution,” the company said.

“We will continue to communicate with our community as we learn more about the situation.”

One of the internet’s biggest sites

Canva is one of Australia’s biggest tech companies. Founded in 2012, the Canva website has become a favorite among regular users and large companies who often use it to build quick websites, design logos, or put together eye-catching marketing materials.

Since its launch, the site has shot up the Alexa website traffic rank, and has recently entered the Top 200, currently ranked at #170.

Three days ago, the company announced it raised $70 million in a Series-D funding round, and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world’s biggest free stock content sites — Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker.

With today’s hack, GnosticPlayers has now stolen over one billion user credentials, a goal the hacker told ZDNet in previous interviews he was aiming for. If anyone’s still keeping count, that’s 1,071 billion credentials from 45 companies.

Previous coverage of GnosticPlayers’ hacks:

Round 1 + Round 2 [620 million + 127 million user records]
Round 3 [93 million user records]
Round 4 [26.5 million user records]
Round 5 [65.5 million user records]

Playing “Catch up” always puts a business behind in the news cycle. 

It gets worse when the statements say next to nothing.  By comparison to the Zdnet article, which would have been in Canva’s possession, Canva’s own statements are models of obfuscation and waffle which the only solid findings being:

  • the breach happened on 24 May, 2019
  • there was access to “a number of Canva usernames and email addresses.” 
  • passwords were obtained but only in their “cryptographically secure form” so are unreadable to external parties
  • there was no access to payment details
  • there have been “no indications that any user designs have been accessed.” 

As a result of this breach users need to change their password.  

The string of announcements provides:

Updated May 28, 08:14 AEST –

Our teams have been working around the clock to investigate the attack and communicate with our customers. We are continuing to investigate and are being thorough and methodical with our examinations in order to understand all aspects of the incident and provide the best advice to our customers. We have also engaged forensic experts to investigate the incident.

Updated May 25, 08:53 AEST –

At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first.

On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI).

We’re aware that a number of our community’s usernames and email addresses have been accessed. The hackers also obtained passwords in their cryptographically secure form (for technical people – all passwords were salted and hashed with bcrypt). This means that our user passwords remain unreadable by external parties.

However, in line with best practices, we recommend that you change your Canva password.

We apologize for the inconvenience. If you have any questions that you would like to discuss please contact us at We will communicate any further updates here.

Frequently Asked Questions

What information of mine was involved?

The security incident enabled access to a number of Canva usernames and email addresses. Passwords in their cryptographically secure form were also obtained (for technical people: all passwords were salted and hashed with bcrypt); this means that all Canva user passwords remain unreadable by external parties.

Does this mean my Facebook and/or Google login details have been compromised?

If you use Facebook or Google to log into Canva, rest assured those credentials are also encrypted and unreadable by external parties, so you do not have to change your password on Facebook or Google.

Were my designs accessed?

There have been no indications that any user designs have been accessed.

Have my credit card details been compromised?

At Canva, all our online payments are confidential and secure which provide encrypted connections for all debit card and credit card transactions. We do not keep any credit card information on Canva.

When did the breach happen?

We discovered an in-progress attack on our systems on Friday, May 24, 2019 (PST).

What should I do?

As a precaution, we recommend changing your Canva password. If you use the same email and password on other sites you should change the passwords on those sites too. The cryptographic techniques we’ve used (bcrypt hash + individual salt) makes brute forcing hard, but passwords that are common or easy to guess are simpler to crack.

Here are some recommendations for a strong password:

    • Avoid passwords containing your real name or username.
    • Use passwords with minimum length of 8 characters.
    • Include a minimum of three of the following character types: uppercase, lowercase, numbers, non-alphanumeric symbols (for example , ! @ # $ % ^ & * < > -).
    • Use a password manager to generate and securely store passwords
note: To learn more about changing your Canva password, click here.

Who do I contact for more information?

For more information, please visit or email us on

What steps is Canva taking to resolve the data breach?

As soon as we became aware, Canva immediately took steps to determine the nature and scope of the problem, and alerted law enforcement.

We are working with a forensics team that specializes in these types of attacks and the FBI to diagnose exactly what happened and are putting processes in place to help prevent another attack. We are committed to protecting the data and privacy of all of our users and will be implementing every possible safeguard to ensure this doesn’t happen again.

It is a highly massaged series of statements, designed to provide maximum reassurance with vague wording, reassurances, technical terminology and little else. 

The detail provided by Zdnet and the lack of detail by Canva, even after the Zdnet story is published highlights the poor response plan and dreadful advice being provided to Canva. It is possible to be forthcoming on the nature and extent of a breach without revealing personal data and compromising the existing system.  Canva’s response invites the question, “What is really going on?”  And if something is not going on then Canva is doing itself deep reputational damage. 

The email to its clients seems to have followed this pea and shell game announcement, under which over worded statement is the real explanation.  This deplorable approach was highlighted in the article “Marketing fluff”: What startups can learn from Canva’s data-breach response which provides:

It’s been a wild week for Aussie unicorn Canva, with the bumper news of two acquisitions and a huge $3.6 billion valuation being dampened somewhat by a breach that’s seen the data of 139 million users stolen.

Canva has said it detected the data breach on Friday, May 24, and users were informed the next day. However, it’s not the breach itself that has affected users riled up, it’s mostly the manner of communication.

The initial email telling customers about the breach has been criticised for leading with positive news, as well as new t-shirt printing capabilities in the US.

It’s not until the second paragraph the email reveals “we have today become aware of a security incident”.

The wording of the email has been criticised by Twitter users as “marketing fluff” distracting recipients from important security information.

In a later email, the messaging was changed to lead with the details of the breach.

It appears some users received the first version of the memo, while others received the updated version. Others again have reported not receiving an email notification at all.

In a statement shared with StartupSmart, Canva said the second version of the email was sent in response to some of the feedback.

“We listen to our customers’ feedback very carefully. We had some early feedback, and iterated on the email immediately,” the statement said.

“We have also been communicating to users within the platform, on social media, and via our customer support channels.”

The statement confirmed passwords were obtained in their encrypted form, meaning they’re currently unusable to external parties.

News of the breach first broke when the hacker themselves tipped off tech news site ZDNet, saying they had taken the data of about 139 million Canva users.

The hacker breached Canva’s systems and downloaded “everything up to May 17”, before Canva detected the breach and shut down the server, they reportedly told ZDNet.

Stolen data includes customer names and usernames, as well as email addresses and city and country information.

ZDNet verified the claims, it said, by requesting a sample of the data. The publication received data for more than 17,000 accounts, including account details for Canva staff and admins.

Canva then verified the validity of this data, the ZDNet story said.

The breach comes just days after two huge Canva announcements. Last week, the Aussie unicorn announced it is acquiring stock photography websites Pexels and Pixabay.

A few days later, Canva announced it had closed a $101 million funding round valuing the company at $3.6 billion.

At the time, co-founder Melanie Perkins told StartupSmart the new funding will be used to grow awareness of Canva on a global level, with schools and Fortune 500 companies being potential growth areas.

“We’re raising this round to get into every workplace across the globe,” Perkins said.

Fluffing around the problem

Speaking to StartupSmart today, Felicia Coco, co-founder and director of startup-focused PR firm LaunchLink, said something that can often happen with startups is “they’re not prepared for these things to come up”.

When you’re working with people’s personal information, there are always certain risks you have to consider, she says.

“As you grow as a startup and you gain more awareness and you are on the radar of more people, the chances of something like this happening do grow.”

Startups should always have “a plan of attack in case something like this does happen”, she adds.

At its core, this is a trust issue, Coco says. While the data has been compromised, users want to know exactly what is going on, and they want the company involved to be straight with them.

“Because you’re talking to such a wide audience, there is a temptation to minimise it or soften the blow,” she explains.

But, having worked with companies managing data breaches herself, when they haven’t gone well it’s been “because we fluffed around the problem”, Coco says.

“You have to get straight to the core of the issue, let people know what’s happening in as much detail as you can, and then you want to follow up and keep them updated,” she says.

“Give a really clear breakdown of what the situation is,” she advises, even if you don’t know the full details yourself.

“It’s really good to issue a heads up to the key stakeholders,” she adds.

And that includes anyone with a vested interest in the business, including users, the media and the wider public.

Finally, Coco suggests announcements about data breaches, or other significant bad news, “really need to come from the top”.

Startups should address the situation in a formal way, and give an official and clear statement.

“And it needs to come from the CEO,” she says.

Users want a rundown of what has happened, and how they’re going to move forward, and that’s how they can start working towards rebuilding that trust.

“They need to have clear steps about how they’re going to address the specific situation and how they’re going to work towards ensuring that this doesn’t happen again,” Coco says.

For Canva, specifically, no account has actually been breached yet, Coco points out.

“They’re a fantastic company,” she says.

“They will absolutely bounce back from this.”

However, their response to the weekend’s data breach potentially stands as a warning sign to other companies that may not have the same traction or as high a profile, and may not have the ability to bounce back.

“We have to really get tight with these strategies,” Coco says.

Right Click Capital partner Benjamin Chong also stresses the importance of being open and upfront with users in the case of any crisis.

Mistakes happen, he says, and “most users will respond well to companies who are forward about it”.

This is largely about giving those users the ability to act on the information as soon as possible, by changing their passwords on the affected site and anywhere else they may use the same one.

“You want to give your users as much opportunity to do what they need to do to protect themselves,” Chong says.

Do this well, and “you can use this as an opportunity”, he adds.

For Chong, the Canva breach serves as “a reminder for everyone” to ensure they employ good cyber security practices.

Also, startups should learn the value of having a plan.

“Have a disaster-recovery plan and a comms plan, so that it’s ready to go if you need to share things,” he advises.

Even if there’s only a very small chance of something happening, if you have pre-planned responses using best-practices from experts, “then if you do get caught, you’re able to respond quickly and clearly”.

For any startup, the more you grow, so to do your chances of being breached.

“You’re likely to have more users, and therefore, if an attacker is able to breach your system, they’re able to get more access to more user data,” Chong says.

“I would suggest all startups wanting to grow put in place the necessary safeguards.”

The breach has been widely reported, in the tech press such as Computer World with Australian ‘unicorn’ Canva hacked and in the mainstream media, such as the Australian with Massive data breach hits Canva.

The Australian article provides:

Australian tech darling Canva has been hit with a massive data breach with the graphic design outfit telling its 139 million users to change their passwords.

According to Canva, its systems were attacked last Friday with the hackers stealing usernames, their email addresses and password

It added that the passwords had been stolen in their encrypted form, making it harder for the hackers to sell them piecemeal on the web.

Read the rest of this entry »

Victorian Information Commissioner release guidelines on dealing with data breaches

May 26, 2019

The Victorian Information Commissioner has released guidelines on managing the privacy impacts of privacy breaches.  While it relates to entities covered under the Privacy and Data Protection Act 2014, primarily government agencies and contractors engaged by them it does provide another useful point of reference to those wanting to develop a comprehensive understanding of what is the best way of dealing with a data breach.

It is a starting point only.  The structure and operation of a business will dictate Read the rest of this entry »

Mandatory notifiable data breaches in Australia 12 months on

May 20, 2019

Mandatory data breach notification has been law for over 12 months now.  The legislation is complex, convoluted and vague in parts but it does set out an obligation for organisations and agencies to notify the Information Commissioner of data breaches. As expected that has produced a volume of reported instances of data breaches in excess of those reported when reporting was voluntary there.  Based on overseas experience, where the obligations are more specific and the legislation less vague, the number of actual data breaches is far larger than those reported to the Information Commissioner. 

The Commissioner has released the Notifiable Data Breaches Scheme 12?month Insights Report.   

The Commissioner’s media statement Read the rest of this entry »