Peter A Clarke

Australian Privacy Principles 12 and 13 of the Privacy Act 1988 permits individuals to have access to their personal information and correct that personal information respectively. Exercising those rights can be more complicated than it should be. Given companies engage in the over collection of personal information and are reluctant to remove personal information once they have no legitimate need for it this poses a real problem.  It is not an Australian only problem.  It is a worldwide problem where many companies wrongly take the view that personal information is to do with as they see fit. That explains their common resistence to requests to delete personal information.   This is explained in the excellent piece by The Markup with We caught companies making it harder to delete your personal data online.

There is nothing quite like an ex politician complaining about this or that aspect of the country when he/she did nothing about the problem when in power. It is even more galling when it is an ex Prime Minister. And so it is quite extraordinary that Malcolm Turnbull complains about the complacency in the market to cyber attacks in the Australian’s Malcolm Turnbull warns of alarming pattern in cyber attacks on Australian companies.  What needs to be understood is that the poor privacy culture has been an endemic problem for decades.  Successive Federal Governments have either ignored the issue or did the bare minimum.  Turnbull was a minister in the Howard Government, which did as little as possible to reform the Privacy Act and did nothing to enervate the Information Commissioner.  The Abbott Government, where Turnbull was also a minister, reduced funding to the Information Commissioner and removed the Privacy Commissioner as a position.  Turnbull was the Australian Prime MInister from 2015 – 2018.  No privacy reform took place then even though the Australian Law Reform Commission had published Serious Invasions of Privacy in the Digital Era (ALRC Report 123) in 2014.  it recommended comprehensive privacy reform.  His Government also had in its possession For Your Information: Australian Privacy Law and Practice (ALRC Report 108), an even more comprehensive 2008 report recommending privacy reform. If those reports had been properly acted upon, the regulator had been properly funded, a  more assertive person was at the helm of the regulator and the government had given a focus given to cyber protection things may have been different.  If there had been proper prosecutions with real consequences for malefactors the price of complacency may have been too high. But none of that happened and there is widespread complacency.

The article (in red), with a few of my comments (in black), provides:

New data from cyber security firm Semperis has revealed almost half of all attacks are on understaffed weekends, with hackers repeatedly targeting the same businesses in the past year.

Despite the strikes, politicians and business leaders aren’t taking the breaches seriously enough, with Mr Turnbull – who advises Semperis – saying many are “treating ransomware attacks as just a cost of doing business”. Read the rest of this entry »

It is common that Australian companies and organisations refer to liaising with the Australian Cyber SecuSecurity Centre amongst other authorities and agencies after a data breach. It is so common that it is now boilerplate. All of that relates to damage mitigation. What is less common is organisations using the guides prepared by the ACSC to improve cyber security so as to prevent data breaches. The ACSC publishes quite good guides, as does the Information Commissioner even if they tend to the general. Other resources include standards prepared by the NIST and the ISO series. The NIST guides while highly technical are the most useful. The UK Information Commissioner publishes guidelines which cover general issues as well as guides relating to UK legislation. Guidelines are already important but will take on greater significance as privacy related litigation grows. The question of whether a defendant acted reasonably and proportionately is likely to be determined on the facts having regard to appropriate standards and best practice. On 13 August 2025 the ACSC released Foundations for OT cybersecurity: Asset inventory guidance for owners and operators.  For practitioners whose clients manage critical infrastructure it is an important document.  It is generally useful in setting out the methodology when ordering and prioratising assets which may be the subject of internet access.   

The Executive Summary provides:

When building a modern defensible architecture, it is essential for operational technology (OT) owners and operators across all critical infrastructure sectors to create an OT asset inventory supplemented by an OT taxonomy. Using these tools helps owners and operators identify which assets in their environment should be secured and protected, and structure their defenses accordingly to reduce the risk a cybersecurity incident poses to the organization’s mission and service continuity. Read the rest of this entry »

Hackers have attacked the hallowed halls of Scotch College, one of the elite private schools in Melbourne by hacking its IT system.  Educational institutions are regular targets for cyber attacks.  Universities are often hacked. They have lots of challenges, numerous entreports, constantly changing authorisations which can be stolen and used for a cyber attack, legacy systems which have inbuilt weaknesses and a huge amount of data that make attacks worthwhile.  At the school level often IT systems are basic and not well maintained.  In my experience school administrations do not give sufficient attention to privacy training, making phishing and spear phishing quite easy.  Scotch College would have a wealth of information that Read the rest of this entry »

Universities are prime targets for data breaches. They offer so many opportunities for entrance, often through stolen or easily discerned authorisations. They also have legacy issues with ill fitting computer systems cobbled together with mergers and patch ups. The latest victim is the University of Western Australia whose data breach has been reported by the ABC in University of Western Australia suffers major data breach, staff and students locked out.  The method of attack was through unauthorised access to password information.  The UWA’s response was to lock out and reset passwords of students, staff and visitors.  At this stage the UWA admits to no data being stolen or ransomware being installed.  

The data breach has also been reported by News.com.au, iTnews and cyber daily.

The statement from UWA is cryptic to say the least. It provides:

The ABC article Read the rest of this entry »

Given the scope and sensitivity of the personal information lost in the Genea data breach it is hardly surprising that a number of firms, 3 at last count, are considering class actions. This looming herd/charge of class actions is covered by Nine with ‘Reopened those wounds’: IVF patients to sue clinic over data breach and the Sydney Morning Herald with ‘Emotionally devastating’: Victims of IVF data breach seeking class action. It is always difficult to predict what will or won’t be pleaded in class actions but the issues that are clearly relevant revolve around obligation to keep confidential material safe and secure and what steps were taken to keep the personal information secure. There may be issues relating to misrepresentations and perhaps breach of contract.  

The SMH article provide:

Read the rest of this entry »

It doesn’t rain for Optus. It poors. Optus announced on 22 September 2022 that it suffered a major data breach. On 21 April 2023 Slate and Gordon filed a class action in the Federal Court of Australia with PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS. It is scheduled to have a case management hearing on 15 August 2025. In June 2025 Optus paid $100 million penalty for unconscionable conduct.

The Australian Information Commissioner has announced that it has filed civil penalty proceedings against Singtel Optus Limited and Optus Systems Pty Ltd arising out of the 2022 data breach. The reference is AUSTRALIAN INFORMATION COMMISSIONER v SINGTEL OPTUS PTY LIMITED (ACN 052 833 208) & ANOR with Court number VID 1019/2025. The Information Commissioner is represented by the Australian Government Solicitor. Previously it was represented by HWL Ebsworth. A concise statement and Originating Application were filed last Friday, 8 August 2025. The First Case Management Hearing will be head before Justice Beach this Friday, 15 August 2025. That day will be a very busy day for Optus.

A key issue is the reasonableness of Its cybersecurity having regard to its size and the nature of the data it possessed.

The statement from the Information Commissioner provides:

The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022.

The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. Read the rest of this entry »

Google has suffered a data breach by the notorious Shinyhunters, which it classified as UNC6040. It is reported by Bleeping Computer with Google confirms data breach exposed potential Google Ads customers’ info and Google suffers data breach in ongoing Salesforce data theft attacks. What is interesting is that the hackers targeted employees in voice phishing, known as vishing. An attack via social engineering. Much like the now infamous Qantas data breach. 

The Google suffers data breach article provides:

Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group.

In June, Google warned that a threat actor they classify as ‘UNC6040′ is targeting companies’ employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent the data from being leaked.

In a brief update to the article last night, Google said that it too fell victim to the same attack in June after one of its Salesforce CRM instances was breached and customer data was stolen.

“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations,” reads Google’s update. Read the rest of this entry »

The National Institute of Science and Technology’s guidelines and other publications are used as best practice standards for industry. It’s publications and standards are referenced by privacy regulators. For good reason. It has just released the Cybersecurity and Privacy of Genomic Data.

The Project Overview Read the rest of this entry »

The city of Hamilton in the United States was hit by a ransomware attack in February 2025. The cost of the ransomware attack is $18.3 million. The attack disabled nearly 80% of the city’s network. So far, not so unusual. Where this story falls into the category of salutory lesson is that Hamilton’s insurance declined cover. The reason for that was that Hamilton failed to implement multi factor authentication for on line services at the time of the attack. Data breach reports that ransomware is a growing problem with On the Rise: Ransomware Victims, Breaches, Infostealers.

Cyber insurance has become an important part of the protections organisations use to deal with the consequences of a data breach.  Insurance policies almost always have terms requiring implementation of processes, provision of hardware and other things related to providing protection against threat.  Hamilton didn’t have a basic level of Read the rest of this entry »