The US Federal Trade Commission gives warning about QR Codes being used to steal information

December 13, 2023

The challenge in privacy and cyber security is identifying and dealing with constantly evolving threats. Hackers are versatile while organisations and people are less so. That gap shows up as successful cyber attacks and the damage they cause. Hackers are very good readers of psychology. They are good at taking advantage of people’s habits. They have moved on to using QR codes to gain access. That is clever. Many people are now accustomed to using QR codes to sign in, order or obtain goods or services. The Federal Trade Commission has issued a warning about QR codes being used to steal personal information.

The media release provides:

QR codes seem to be everywhere. You may have scanned one to see the menu at a restaurant or pay for public parking. And you may have used one on your phone to get into a concert or sporting event, or to board a flight. There are countless other ways to use them, which explains their popularity. Unfortunately, scammers hide harmful links in QR codes to steal personal information. Here’s what to know.

Apple releases report revealing 2.6 billion records compromised by data breaches and says the answer is encryption

December 8, 2023

It never ceases to amaze me how few businesses, and government agencies, encrypt their data. Given that it is feasible, the refusal to do so, particularly by organisations that collect and store masses of data, is a major failure of cyber security. Apple released a report, titled The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase, in support of its push for end-to-end encryption. The release provides:

Today Apple published an independent study conducted by Massachusetts Institute of Technology professor Dr Stuart Madnick that found clear and compelling proof that data breaches have become an epidemic, threatening sensitive and personal consumer data the world over. The total number of data breaches more than tripled between 2013 and 2022 — exposing 2.6 billion personal records in the past two years alone — and has continued to get worse in 2023. The findings underscore that strong protections against data breaches in the cloud, like end-to-end encryption, have only grown more essential since last year’s report and the launch of Advanced Data Protection for iCloud.
This year’s study, “The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase”, demonstrates threats that had already reached historic levels — as shown in last year’s report, “The Rising Threat to Consumer Data in the Cloud” — continue to rise. Increasingly, companies across the technology industry are addressing these threats by implementing end-to-end encryption, as Apple did with last year’s launch of Advanced Data Protection for iCloud.
With Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data even in the case of a data breach. iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection for iCloud, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes and Photos.

“Bad actors continue to pour enormous amounts of time and resources into finding more creative and effective ways to steal consumer data, and we won’t rest in our efforts to stop them,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “As threats to consumer data grow, we’ll keep finding ways to fight back on behalf of our users by adding even more powerful protections.”

As shown in this year’s report, the increasing digitalisation of users’ personal and professional lives has fuelled a dramatic rise in data breaches. Each year, thousands of data breaches expose the personal information of hundreds of millions of consumers. Hackers are evolving their methods and finding more ways to defeat security practices that once held them back. Consequently, even organisations with the strongest possible security practices are vulnerable to threats in a way that wasn’t true just a few years ago.

The report also shows that even when consumers take all the right steps to secure their sensitive data, it’s still at risk of being compromised by hackers if it’s stored in a readable form by organisations they entrust it with. For instance, when attempting to infiltrate companies with robust security practices, hackers often start by targeting a different organisation with relatively weak security that has a technical business relationship with the ultimate target. They then steal credentials or information that helps them target employees or systems at the organisation that is their primary objective.

As threats to user data continue to grow more frequent and sophisticated, Apple’s long track record of engineering powerful and innovative features makes its products the most secure on the market. With Lockdown Mode, Apple developed a protection for those who may be targeted by extreme threats like mercenary spyware because of who they are or what they do. Apple’s Advanced Data Protection for iCloud is another feature the company has developed to protect users against growing threats to their data, keeping most user data in iCloud protected even in the case of a data breach in the cloud.

The report illustrates that the historic threats to user data that saw the number of data breaches nearly triple between 2013 and 2022, compromising 2.6 billion records over the course of two years, are only getting worse in 2023. In the US alone, there were nearly 20 per cent more breaches in just the first nine months of 2023 than in any prior year. The target for cybercriminals was very clear, with a 2023 survey finding that over 80 per cent of breaches involved data stored in the cloud. This is after attacks targeting cloud infrastructure nearly doubled from 2021 to 2022.

This is due in part to the increased targeting of consumer data by ransomware gangs and coordinated campaigns that compromised vendors or their products to target customers. The threat of ransomware has only grown in 2023, as shown by the fact that there were nearly 70 per cent more attacks reported through to September 2023 than in the first three quarters of 2022. In fact, experts found that there were more ransomware attacks through to September 2023 than in all of 2022 combined. This has led to alarming trends in the US and abroad, with more than double the accounts getting breached in the first half of 2023 compared to the first half of 2022 in the UK, Australia and Canada combined.

The report itself makes

ACMA fines Telstra $300,000 for privacy failures and customer safety breaches

December 4, 2023

Optus may have had an annus horribilis as far as data breaches go, but Telstra has had anything but a good record in protecting privacy. The latest iteration is Telstra being fined by ACMA for privacy and safety breaches. It has also issued an infringement notice and entered into an enforceable undertaking. This fine is on top of a $2.5 million fine in 2021 for breach of the IPND rules.

Telstra’s media release provides:

Telstra has paid a $306,360 infringement notice issued by the Australian Communications and Media Authority (ACMA) for failing to provide accurate details of thousands of customers to the Integrated Public Number Database (IPND).

The IPND is used by Triple Zero to help locate people in an emergency, for the Emergency Alert Service to warn Australians of emergencies like flood or bushfire, and to assist law enforcement activities.

Queensland Parliament passes mandatory data breach notification legislation for Government agencies. To come into effect on 1 July 2026

December 3, 2023

On November 29, 2023, the Attorney General, the Minister for Justice, and the Minister for the Prevention of Domestic and Family Violence announced that the Information Privacy and Other Legislation Amendment Act 2023 was passed by the Queensland Parliament, creating, among other things, a mandatory data breach notification scheme (MDBN Scheme).

The press release, found here, provides:

Queensland government agencies will be subject to new requirements for managing personal information, and a mandatory data breach scheme will be established, after the Information Privacy and Other Legislation Amendment Act 2023 was passed by parliament today. 

The information privacy reforms are currently expected to begin on 1 July 2025, with the mandatory data breach notification scheme, as it applies to local governments, not commencing until 1 July 2026.

The legislation improves privacy protections available to individuals while the mandatory data breach notification scheme will strengthen and regulate the response to data breaches by government agencies.

It will require agencies to notify affected individuals and the Office of the Information Commissioner of eligible data breaches that could result in serious harm.

UK Information Commissioner reprimands Charnwood Borough Council for disclosing the new address of a domestic abuse victim to her ex-partner. Meanwhile in Australia there is a serious data breach involving 11,000 records of the National Disability Insurance Agency.

November 30, 2023

Government departments and agencies are notorious for sending without thinking and causing a privacy breach. Oftentimes it is a list of individuals. In the UK, Charnwood Borough Council disclosed the new address of a domestic abuse victim. To her ex-partner! It arose from an administrative bungle, with a letter being sent to the previous address of the victim, which she had shared with her ex and at which he still resided. The ex read the letter. The UK Information Commissioner reprimanded the Council for this breach.

The ICO’s media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Charnwood Borough Council after it disclosed the new address of a domestic abuse victim to her ex-partner.

The ICO has called on other organisations to learn lessons from the incident to ensure they are not at risk of making the same mistake.

They should make sure:

    • Alerts are put on files if staff need to be especially vigilant when someone is a vulnerable service user
    • A proper process is in place for address changes
    • Data protection training is carried out, including refresher training.

In this case, the council’s process for updating addresses was not clear. A letter detailing the new address of the victim was sent to the previous address she shared with her ex-partner. The letter was later confirmed to have been opened and read by the ex-partner.

Federal Government appoints Carly Kind as Privacy Commissioner, reinstating the stand-alone position, commencing on 26 February 2024

November 27, 2023

The Government today announced the appointment of Carly Kind as a stand-alone Privacy Commissioner, effective on 26 February 2024. This is an appointment that was foreshadowed in May 2023. The Privacy Commissioner was never abolished, and is a statutory position. The Information Commissioner was created in 2010. The new Federal Government announced in the 2014 budget that it would abolish the Information Commissioner, and for a time cut its funding drastically. The Information Commissioner also held the position of Privacy Commissioner. The attempts to abolish the Privacy Commissioner ended in May 2016 and the Government increased its funding. Its funding situation has steadily improved since then. With data breaches being a high profile issue, the Commissioner has received very significant funding increases. In this year’s May budget it received an extra $17.8 million for the 2023 – 24 financial year and $44.3 million to support privacy activities, and another $9.2 million over two years to regulate privacy elements of the Consumer Data Right, My Health Record and Digital Identity.

The timid enforcement and spotty regulation of the Privacy Act 1988 has been attributed to inadequate funding in the past, especially in the 2014 – 2016 period, and beyond. That is partly true but far from the whole story. The Privacy Commissioner, and then the Information Commissioner, was a less than optimal regulator in the period before 2014 and after 2016. Since it obtained civil penalty proceeding powers in 2014 it has only commenced two actions, one of which was earlier this month. That is regrettable.

The Attorney General’s announcement of the appointment is:

Carly Kind has been appointed as Privacy Commissioner, reinstating the standalone position abolished by the Coalition. Ms Kind brings to the Privacy Commissioner role expertise in data protection; AI policy, practice and governance; privacy; and technology law and policy.

Ms Kind has held the role of inaugural Director of the London-based Ada Lovelace Institute since 2019. Between 2015 and 2019 she was an independent consultant to a number of human rights organisations, trusts and foundations, international organisations and the private sector. She has provided advice on legal, ethical and practical issues at the intersection of technology and human rights.

Ms Kind will commence on 26 February 2024. Ms Angelene Falk, the Australian Information Commissioner, will continue as Privacy Commissioner until that time.

When the Government amends the Privacy Act, probably some time next year, the Privacy Commissioner is likely to have stronger powers, in addition to the enhanced powers given to her this year. The test will be whether they are used and how effective such regulation is.


Former NHS secretary found guilty of illegally accessing medical records

November 20, 2023

The UK Information Commissioner has released a media release regarding the successful prosecution of a secretary of the National Health Service for illegally accessing the medical records of 150 people without authorisation. This ties in with my recent post about a pharmacist being terminated for accessing personal information. It is a fraught issue in the health industry. There is a chronic problem, one of the many in the health industry when it comes to privacy.

The ICO’s media release provides:

A former NHS employee has been found guilty and fined for illegally accessing the medical records of over 150 people.

Loretta Alborghetti, from Redditch, worked as a medical secretary within the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records.

In June 2019, a complaint was raised by a patient who was concerned that their medical records had been accessed by an employee.
An investigation revealed that Ms Alborghetti had accessed this individual’s records 33 times between March 2019 and June 2019, without consent or a business need to do so.

The Australian Information Commissioner has commenced civil penalty proceedings against Australian Clinical Labs Limited in the Federal Court

After coming off some serious questioning in Senate Estimates about poor enforcement practices, the Commissioner announced on 3 November 2023 that the Office of the Information Commissioner had launched proceedings against Australian Clinical Labs on 2 November 2023 (file number NSD1287/2023). The Commissioner has filed a Concise Statement and Originating Application and Australian Clinical Labs Limited has filed a Notice of Address for Service. The Commissioner is represented by DLA Piper, out of its Brisbane office. Previously the Commissioner has been represented by HWL Ebsworth. Gilbert & Tobin, out of its Sydney office, is representing Australian Clinical Labs. Gilbert & Tobin represented RI Advice in the Federal Court case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. That case has been heralded as a positive development in enforcing data security as an obligation of Financial Service Licensees under the Corporations Act 2001, being section 912A. While RI Advice was the subject of compliance orders and penalties, it is fair to say that Gilbert & Tobin did a good job in keeping the stringency of the orders and penalty to a moderate level. Compared to overseas penalties by the European regulators, the UK Information Commissioner’s Office and

Federal Trade Commission takes action against Global Tel*Link Corp for failing to secure data and notify consumers

The US Federal Trade Commission (“FTC”) is the most active Federal regulator of privacy and data breaches in the United States. It has its fair share of critics but is frenetic compared to Australian regulators. It has announced that it has taken action against Global Tel*Link Corp, a prison communications provider. It alleges that Global failed to secure the sensitive personal information of hundreds of thousands of users by posting unencrypted personal information of 650,000 users in the cloud in August 2020 without firewall protection, encryption or monitoring software. It was only when a security researcher alerted Global that it became aware of the problem. In the meantime hackers accessed billions of bytes of this exposed data and put it on the dark web, and Global was so advised in September 2020. Global waited 9 months to notify affected customers and in any event only notified 45,000. It has been reported in Ars Technica under the headline Prison phone company leaked 600K users’ data and didn’t notify them, FTC says.

The FTC

ASIC chair calls for Australian organisations to prioritise cyber security

November 13, 2023

The Australian Securities and Investments Commission (ASIC) has had a reasonably long interest in corporates maintaining proper cyber security. Last year it successfully prosecuted a claim in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022) for RI Advice Group failing to maintain proper cyber security. The chair of ASIC today released Spotlight on cyber: Findings and insights from the cyber pulse survey 2023. The warnings about weaknesses in cyber defences are not surprising to those who work in the privacy and cyber security space. Some organisations take the problem seriously; many don’t. It is yet another clarion call for proper regulation and then proper enforcement.

The statement provides:

The Australian Securities and Investments Commission (ASIC) has called for organisations to prioritise their cybersecurity after a recent survey shows 58 percent of Australian businesses have limited or no capability to protect confidential information adequately.

The inaugural Cyber Pulse Survey commissioned by ASIC, also highlighted that 44 percent of participants do not manage third-party or supply chain risk and 33 percent of participants do not have a cyber incident response plan.

ASIC noted the results of the voluntary self-assessment survey have exposed deficiencies in cybersecurity risk management of critical cyber capabilities, indicating that organisations are reactive rather than proactive when it comes to managing their cybersecurity.

Joe Longo, chair of ASIC, said that for all organisations, cybersecurity and cyber resilience must be a top priority.

“ASIC expects this to include oversight of cybersecurity risk throughout the organisation’s supply chain – it was alarming that 44 percent of participants are not managing third-party or supply chain risks. Third-party relationships provide threat actors with easy access to an organisation’s systems and networks,” he said.

Participating organisations indicated well-developed capabilities in identity and access management, governance and risk management, and information asset management, with large organisations consistently self-reporting more mature cyber capabilities.

Due to competing demands for limited human and financial resources, the survey showed that small organisations lagged behind larger entities in third-party risk management, data security, consequence management, and adoption of industry standards.

“There is a need to go beyond security alone and build up resilience – meaning the ability to respond to and recover from an incident. It’s not enough to have plans in place. They must be tested regularly – alongside ongoing reassessment of cybersecurity risks,” Longo said.

“An effective cybersecurity strategy, and governance and risk framework, should help identify, manage, and mitigate cyber risks to a level that is within the risk tolerance of senior leadership and boards.”

Air Marshal Darren Goldie, national cybersecurity coordinator, said cybersecurity must be a priority for everyone, including individuals and businesses large and small.

“Support is available – the national office of cybersecurity works closely with industry, to promote awareness and best practice, and support decision-making in response to cyber incidents,” he ended.

The Executive Summary of the Report
