Hack attack on Westpac PayID exposes data of 100,000

June 4, 2019

Financial institutions and health care facilities are far and away the most attractive, and most attacked, targets for hackers.  Accessing personal information that permits access to, and transfer of, funds from financial institutions is an obvious attraction.  Health facilities as a matter of course collect names, addresses, dates of birth, insurance information, government identifiers and often credit card information.  That accumulation of data in one place, which depressingly is what health facilities usually do, permits a hacker to sell that information on the dark web or embark on identity theft himself (most hackers, based on evidence to date, being male).

Westpac has suffered a data breach, as reported in Almost 100,000 Australians’ private details exposed in attack on Westpac’s PayID.  The aim, partially achieved, was to access personal information for later use in committing fraud.

There are three interesting aspects to the story.  The first is that details of the attack became public only because someone close to or in Westpac, NPP or both posted details as an item of interest on Whirlpool.  The second is that the attack highlights the vulnerability of apps and other services designed for quick and easy use of banking facilities.  There is often a trade-off, at least in the developer’s mindset, between ease of use and protection from hacking.  Apps are often weak links in data security.  The third issue is Read the rest of this entry »

LandMark White suffers another data breach. If it wasn’t for bad luck it would have no luck at all.

May 31, 2019

LandMark White, LMW, a property valuation firm, suffered a data breach in January 2019, which was notified to the stock exchange on 5 February 2019.  The data breach involved 137,500 valuation records being stolen by hackers.  Some of those documents were posted on a dark web forum.  As a result of the breach it lost its best customers in CBA and ANZ.  Banks have long complained about weak privacy protections by many organisations and have been very concerned about the Federal Government’s push to create a Consumer Data Right with such poor privacy and security structures in place.

LMW’s shares were suspended, not resuming trading until 7 May. By then the cost to the company was estimated to be about $7 million and the Chief Executive and two directors left as a result.  In May LMW returned to the valuation panels of the banks.

Good news.   Until now.

LMW has now suffered what was probably an insider attack which resulted in Read the rest of this entry »

Data breach hits Canva

May 30, 2019


Just because a company is a tech favourite with a cool image doesn’t mean it can’t have the kind of data breach that afflicts daggier businesses.  Data thieves tend not to respect trends, looks and reputations.  Their respect only runs to the effectiveness of privacy protections and data security, and in that respect Canva has come up short.  Worse, Canva’s response to the data breach is a lesson in what not to do. Canva and its advisors either don’t know or ignore what best practice is when dealing with a data breach, legally as well as from a business and client management perspective.

For starters it is a dreadful look for a data breach to be disclosed by the hackers.  Zdnet reported the story last Monday in Australian tech unicorn Canva suffers security breach, with the notorious hacker GnosticPlayers claiming earlier that day to have accessed personal information held by Canva up until 17 May 2019.  Significant detail was provided to Zdnet and that resulted in a detailed story which provides:

Canva, a Sydney-based startup that’s behind the eponymous graphic design service, was hacked earlier today, ZDNet has learned.

Data for roughly 139 million users has been taken during the breach, according to the hacker, who tipped off ZDNet.

Responsible for the breach is a hacker going online as GnosticPlayers. The hacker is infamous. Since February this year, he/she/they has put up for sale on the dark web the data of 932 million users, which he stole from 44 companies from all over the world.

Hack took place this morning

Today, the hacker contacted ZDNet about his latest hack, involving Australian tech unicorn Canva, which he said he breached just hours before, earlier this morning.

“I download everything up to May 17,” the hacker said. “They detected my breach and closed their database server.”

Stolen data included details such as customer usernames, real names, email addresses, and city & country information, where available.

For 61 million users, password hashes were also present in the database. The passwords were hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around.

For other users, the stolen information included Google tokens, which users had used to sign up for the site without setting a password.

Of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.

ZDNet requested a sample of the hacked data, so we could verify the hacker’s claims. We received a sample with the data of 18,816 accounts, including the account details for some of the site’s staff and admins.

We used this information to contact Canva users, who verified the validity of the data we received. We also contacted the site’s administrators, informing them of the breach and requesting an official statement.

“Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses,” a Canva spokesperson told ZDNet via email.

“We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised. As a safeguard, we are encouraging our community to change their passwords as a precaution,” the company said.

“We will continue to communicate with our community as we learn more about the situation.”

One of the internet’s biggest sites

Canva is one of Australia’s biggest tech companies. Founded in 2012, the Canva website has become a favorite among regular users and large companies who often use it to build quick websites, design logos, or put together eye-catching marketing materials.

Since its launch, the site has shot up the Alexa website traffic rank, and has recently entered the Top 200, currently ranked at #170.

Three days ago, the company announced it raised $70 million in a Series-D funding round, and is now valued at a whopping $2.5 billion. Canva also recently acquired two of the world’s biggest free stock content sites — Pexels and Pixabay. Details of Pexels and Pixabay users were not included in the data stolen by the hacker.

With today’s hack, GnosticPlayers has now stolen over one billion user credentials, a goal the hacker told ZDNet in previous interviews he was aiming for. If anyone’s still keeping count, that’s 1,071 billion credentials from 45 companies.

Previous coverage of GnosticPlayers’ hacks:

Round 1 + Round 2 [620 million + 127 million user records]
Round 3 [93 million user records]
Round 4 [26.5 million user records]
Round 5 [65.5 million user records]

Playing “Catch up” always puts a business behind in the news cycle. 

It gets worse when the statements say next to nothing.  By comparison with the Zdnet article, which would have been in Canva’s possession, Canva’s own statements are models of obfuscation and waffle, with the only solid findings being:

  • the breach happened on 24 May, 2019
  • there was access to “a number of Canva usernames and email addresses.” 
  • passwords were obtained but only in their “cryptographically secure form” so are unreadable to external parties
  • there was no access to payment details
  • there have been “no indications that any user designs have been accessed.” 

As a result of this breach users need to change their password.  

The string of announcements provides:

Updated May 28, 08:14 AEST –

Our teams have been working around the clock to investigate the attack and communicate with our customers. We are continuing to investigate and are being thorough and methodical with our examinations in order to understand all aspects of the incident and provide the best advice to our customers. We have also engaged forensic experts to investigate the incident.

Updated May 25, 08:53 AEST –

At Canva, we are committed to protecting the data and privacy of all our users and believe in open, transparent communication that puts our communities’ needs first.

On May 24, we became aware of a security incident. As soon as we were notified, we immediately took steps to identify and remedy the cause, and have reported the situation to authorities (including the FBI).

We’re aware that a number of our community’s usernames and email addresses have been accessed. The hackers also obtained passwords in their cryptographically secure form (for technical people – all passwords were salted and hashed with bcrypt). This means that our user passwords remain unreadable by external parties.

However, in line with best practices, we recommend that you change your Canva password.

We apologize for the inconvenience. If you have any questions that you would like to discuss please contact us at contact@canva.com. We will communicate any further updates here.

Frequently Asked Questions

What information of mine was involved?

The security incident enabled access to a number of Canva usernames and email addresses. Passwords in their cryptographically secure form were also obtained (for technical people: all passwords were salted and hashed with bcrypt); this means that all Canva user passwords remain unreadable by external parties.

Does this mean my Facebook and/or Google login details have been compromised?

If you use Facebook or Google to log into Canva, rest assured those credentials are also encrypted and unreadable by external parties, so you do not have to change your password on Facebook or Google.

Were my designs accessed?

There have been no indications that any user designs have been accessed.

Have my credit card details been compromised?

At Canva, all our online payments are confidential and secure which provide encrypted connections for all debit card and credit card transactions. We do not keep any credit card information on Canva.

When did the breach happen?

We discovered an in-progress attack on our systems on Friday, May 24, 2019 (PST).

What should I do?

As a precaution, we recommend changing your Canva password. If you use the same email and password on other sites you should change the passwords on those sites too. The cryptographic techniques we’ve used (bcrypt hash + individual salt) make brute forcing hard, but passwords that are common or easy to guess are simpler to crack.

Here are some recommendations for a strong password:

    • Avoid passwords containing your real name or username.
    • Use passwords with minimum length of 8 characters.
    • Include a minimum of three of the following character types: uppercase, lowercase, numbers, non-alphanumeric symbols (for example , ! @ # $ % ^ & * < > -).
    • Use a password manager to generate and securely store passwords
note: To learn more about changing your Canva password, click here.

Who do I contact for more information?

For more information, please visit https://status.canva.com or email us on contact@canva.com

What steps is Canva taking to resolve the data breach?

As soon as we became aware, Canva immediately took steps to determine the nature and scope of the problem, and alerted law enforcement.

We are working with a forensics team that specializes in these types of attacks and the FBI to diagnose exactly what happened and are putting processes in place to help prevent another attack. We are committed to protecting the data and privacy of all of our users and will be implementing every possible safeguard to ensure this doesn’t happen again.
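The quoted FAQ makes two technical points, that a per-user salt plus a slow hash makes brute forcing expensive while common or guessable passwords remain at risk, and it lists rules for a strong password. The following is an added example written for this page to show both in working code; it is not Canva’s code and nothing is known about Canva’s implementation. bcrypt is not in Python’s standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it with the same structure (random salt stored beside the digest, tunable work factor, constant-time comparison). The function names, the 200,000 iteration count, the sample accounts and the three-character minimum for name fragments are this example’s own choices.

```python
import hashlib
import hmac
import os
import re

# --- Password policy (the three checkable rules listed in the quoted FAQ) -----

MIN_LENGTH = 8
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def password_policy_violations(password, username="", real_name=""):
    """Return the listed rules a candidate password breaks; an empty list passes.

    "Use a password manager" is advice to the user, not something a server can
    verify, so only the other three rules are implemented here.
    """
    violations = []
    lowered = password.lower()
    for label, identifier in (("username", username), ("real name", real_name)):
        # Check the whole identifier and each word of it, so "JaneSmith99!" is
        # rejected for Jane Smith. Fragments under three characters are ignored
        # (an assumption of this example) so short names do not match everything.
        fragments = [identifier] + identifier.split()
        if any(len(f) >= 3 and f.lower() in lowered for f in fragments):
            violations.append(f"contains {label}")
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if present < 3:
        violations.append("fewer than three character classes")
    return violations


# --- Salted, deliberately slow password hashing -------------------------------
# PBKDF2-HMAC-SHA256 stands in for bcrypt (stdlib only). The shape is the same:
# a random salt per user stored beside the digest, a work factor that sets the
# cost of every guess, and a constant-time comparison on verification.

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh per account, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest with the stored salt and work factor, then compare."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample accounts: the salt makes identical passwords hash differently.
    records = {user: hash_password("Summer2019!") for user in ("alice", "bob")}
    print("distinct hashes for the same password:", records["alice"] != records["bob"])
    print("alice verifies:", verify_password("Summer2019!", records["alice"]))
    print("policy check:", password_policy_violations("alice2019!", "alice", "Alice Smith"))
```

The work factor only raises the cost of each guess; it does not change how many guesses a short list of very common passwords needs, which is why the FAQ still tells users to change a password that is common or easy to guess. The salt is what stops one computed guess being checked against every leaked record at once. The policy check is the server-side counterpart of the FAQ’s recommendations and keeps an account out of that short list in the first place.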

It is a highly massaged series of statements, designed to provide maximum reassurance through vague wording, technical terminology and little else.

The detail provided by Zdnet, and the lack of detail from Canva even after the Zdnet story was published, highlights the poor response plan and dreadful advice being provided to Canva. It is possible to be forthcoming on the nature and extent of a breach without revealing personal data or compromising the existing system.  Canva’s response invites the question, “What is really going on?”  And if nothing more is going on then Canva is doing itself deep reputational damage.

The email to its clients seems to have followed this pea and shell game announcement, leaving readers to guess under which overworded statement the real explanation lies.  This deplorable approach was highlighted in the article “Marketing fluff”: What startups can learn from Canva’s data-breach response, which provides:

It’s been a wild week for Aussie unicorn Canva, with the bumper news of two acquisitions and a huge $3.6 billion valuation being dampened somewhat by a breach that’s seen the data of 139 million users stolen.

Canva has said it detected the data breach on Friday, May 24, and users were informed the next day. However, it’s not the breach itself that has got affected users riled up, it’s mostly the manner of communication.

The initial email telling customers about the breach has been criticised for leading with positive news, as well as new t-shirt printing capabilities in the US.

It’s not until the second paragraph the email reveals “we have today become aware of a security incident”.

The wording of the email has been criticised by Twitter users as “marketing fluff” distracting recipients from important security information.

In a later email, the messaging was changed to lead with the details of the breach.

It appears some users received the first version of the memo, while others received the updated version. Others again have reported not receiving an email notification at all.

In a statement shared with StartupSmart, Canva said the second version of the email was sent in response to some of the feedback.

“We listen to our customers’ feedback very carefully. We had some early feedback, and iterated on the email immediately,” the statement said.

“We have also been communicating to users within the platform, on social media, and via our customer support channels.”

The statement confirmed passwords were obtained in their encrypted form, meaning they’re currently unusable to external parties.

News of the breach first broke when the hacker themselves tipped off tech news site ZDNet, saying they had taken the data of about 139 million Canva users.

The hacker breached Canva’s systems and downloaded “everything up to May 17”, before Canva detected the breach and shut down the server, they reportedly told ZDNet.

Stolen data includes customer names and usernames, as well as email addresses and city and country information.

ZDNet verified the claims, it said, by requesting a sample of the data. The publication received data for more than 17,000 accounts, including account details for Canva staff and admins.

Canva then verified the validity of this data, the ZDNet story said.

The breach comes just days after two huge Canva announcements. Last week, the Aussie unicorn announced it is acquiring stock photography websites Pexels and Pixabay.

A few days later, Canva announced it had closed a $101 million funding round valuing the company at $3.6 billion.

At the time, co-founder Melanie Perkins told StartupSmart the new funding will be used to grow awareness of Canva on a global level, with schools and Fortune 500 companies being potential growth areas.

“We’re raising this round to get into every workplace across the globe,” Perkins said.

Fluffing around the problem

Speaking to StartupSmart today, Felicia Coco, co-founder and director of startup-focused PR firm LaunchLink, said something that can often happen with startups is “they’re not prepared for these things to come up”.

When you’re working with people’s personal information, there are always certain risks you have to consider, she says.

“As you grow as a startup and you gain more awareness and you are on the radar of more people, the chances of something like this happening do grow.”

Startups should always have “a plan of attack in case something like this does happen”, she adds.

At its core, this is a trust issue, Coco says. While the data has been compromised, users want to know exactly what is going on, and they want the company involved to be straight with them.

“Because you’re talking to such a wide audience, there is a temptation to minimise it or soften the blow,” she explains.

But, having worked with companies managing data breaches herself, when they haven’t gone well it’s been “because we fluffed around the problem”, Coco says.

“You have to get straight to the core of the issue, let people know what’s happening in as much detail as you can, and then you want to follow up and keep them updated,” she says.

“Give a really clear breakdown of what the situation is,” she advises, even if you don’t know the full details yourself.

“It’s really good to issue a heads up to the key stakeholders,” she adds.

And that includes anyone with a vested interest in the business, including users, the media and the wider public.

Finally, Coco suggests announcements about data breaches, or other significant bad news, “really need to come from the top”.

Startups should address the situation in a formal way, and give an official and clear statement.

“And it needs to come from the CEO,” she says.

Users want a rundown of what has happened, and how they’re going to move forward, and that’s how they can start working towards rebuilding that trust.

“They need to have clear steps about how they’re going to address the specific situation and how they’re going to work towards ensuring that this doesn’t happen again,” Coco says.

For Canva, specifically, no account has actually been breached yet, Coco points out.

“They’re a fantastic company,” she says.

“They will absolutely bounce back from this.”

However, their response to the weekend’s data breach potentially stands as a warning sign to other companies that may not have the same traction or as high a profile, and may not have the ability to bounce back.

“We have to really get tight with these strategies,” Coco says.

Right Click Capital partner Benjamin Chong also stresses the importance of being open and upfront with users in the case of any crisis.

Mistakes happen, he says, and “most users will respond well to companies who are forward about it”.

This is largely about giving those users the ability to act on the information as soon as possible, by changing their passwords on the affected site and anywhere else they may use the same one.

“You want to give your users as much opportunity to do what they need to do to protect themselves,” Chong says.

Do this well, and “you can use this as an opportunity”, he adds.

For Chong, the Canva breach serves as “a reminder for everyone” to ensure they employ good cyber security practices.

Also, startups should learn the value of having a plan.

“Have a disaster-recovery plan and a comms plan, so that it’s ready to go if you need to share things,” he advises.

Even if there’s only a very small chance of something happening, if you have pre-planned responses using best-practices from experts, “then if you do get caught, you’re able to respond quickly and clearly”.

For any startup, the more you grow, so too do your chances of being breached.

“You’re likely to have more users, and therefore, if an attacker is able to breach your system, they’re able to get more access to more user data,” Chong says.

“I would suggest all startups wanting to grow put in place the necessary safeguards.”

The breach has been widely reported, in the tech press such as Computer World with Australian ‘unicorn’ Canva hacked and in the mainstream media, such as the Australian with Massive data breach hits Canva.

The Australian article provides:

Australian tech darling Canva has been hit with a massive data breach with the graphic design outfit telling its 139 million users to change their passwords.

According to Canva, its systems were attacked last Friday with the hackers stealing usernames, their email addresses and passwords.

It added that the passwords had been stolen in their encrypted form, making it harder for the hackers to sell them piecemeal on the web.

Read the rest of this entry »

A spate of leaks (read data breaches) from Governments

May 29, 2019

Leaks from government are as old as government itself.  Leaks serve a myriad of purposes: foreshadowing a decision, undermining opponents or their plans, acting as a stalking horse to gauge public opinion and being a straw man that can be used to kill off a measure that is uncomfortably close to being announced, just to mention a few.  Leaking of plans, discussions, decisions made or not made and strategies is rarely seen as edifying, and often treated as something a little icky, but it is universally seen as a legitimate tool in the black bag of political tricks. It is also often quite effective, killing off proposals and sometimes political careers. Leaking personal information is something else however. Which is why yesterday’s story about the leak of motorists’ details being linked to a New South Wales Minister’s office is so serious.  The leak was of a spreadsheet containing the personal information of hundreds of motorists which found its way into the hands of a journalist. The genesis of the breach is Read the rest of this entry »

Victorian Information Commissioner release guidelines on dealing with data breaches

May 26, 2019

The Victorian Information Commissioner has released guidelines on managing the privacy impacts of privacy breaches.  While it relates to entities covered under the Privacy and Data Protection Act 2014, primarily government agencies and contractors engaged by them, it does provide another useful point of reference for those wanting to develop a comprehensive understanding of the best way of dealing with a data breach.

It is a starting point only.  The structure and operation of a business will dictate Read the rest of this entry »

Mandatory notifiable data breaches in Australia 12 months on

May 20, 2019

Mandatory data breach notification has been law for over 12 months now.  The legislation is complex, convoluted and vague in parts, but it does set out an obligation for organisations and agencies to notify the Information Commissioner of data breaches. As expected, that has produced a volume of reported data breaches in excess of those reported when reporting was voluntary.  Based on overseas experience, where the obligations are more specific and the legislation less vague, the number of actual data breaches is far larger than those reported to the Information Commissioner.

The Commissioner has released the Notifiable Data Breaches Scheme 12-month Insights Report.

The Commissioner’s media statement Read the rest of this entry »

Information Commissioner finds that she has no jurisdiction regarding complaints of interference with privacy against Tim Wilson and ‘stoptheretirementtax.com’ website

April 10, 2019

The Information Commissioner announced, on 8 April 2019, that she does not have the power to investigate a complaint about a breach of the Privacy Act by Tim Wilson or Wilson Asset Management (International) Pty Ltd in relation to the collection and use of personal information through the ‘stoptheretirementtax.com’ website.  The website and the collection of data caused some controversy.  In Tim Wilson’s ‘retirement tax’ website doesn’t have a privacy policy. So how is he using the data? Andre Oboler, in a traditional academic “on-the-one-hand-and-on-the-other” analysis, raised the complications of determining whether a Parliamentarian operating a web site falls within the political exemption provisions of the Privacy Act or is covered by parliamentary privilege, by virtue of his work as chair of the standing committee on Economics, either of which would deny the Commissioner jurisdiction. The other coverage, such as Liberal MP Tim Wilson faces ‘breach of privacy’ claims and Labor pushes to refer Tim Wilson to privileges committee, is more red blooded political reporting.

Mr Oboler was prescient Read the rest of this entry »

Attorney General seeks to have Privacy Commissioner investigate the actions of Vegan protesters

April 9, 2019

Yesterday’s vegan protests in Melbourne and at various agricultural sites throughout Australia have infuriated the Federal Government.  With an election about to be called and a big rural constituency in mind, a tendency to beat the law and order drum becomes a necessity.   To that end the Attorney General, Christian Porter, announced last Friday that it was going to bring the Aussie Farms website under the regulation of the Privacy Act 1988 on 6 April 2019, last Saturday.

The media statement provides:

The Coalition Government will bring the Aussie Farms website under the Privacy Act, exposing it to potential penalties of up to $2.1 million if it breaches the Act.

Attorney-General, Christian Porter, said the activities of Aussie Farms Incorporated created an unacceptable risk to hardworking farming communities and producers.

“The company publishes information about Australian farmers and agricultural producers including their names and addresses, exposing them to potential trespass, biosecurity hazards, and reputational damage,” the Attorney-General said.

“Listing this activist group as an organisation under the Privacy Act, now means that the company will have to abide by the provisions of the Act.”

Minister for Agriculture, David Littleproud, said he had repeatedly asked Aussie Farms to take the website down before someone was hurt or worse, but the group behind the website flat refused.

“The farming families who grow our food deserve to be able to do so without fear of invasion on their property and harm to their children,” Minister Littleproud said.

“The Aussie Farms website is intended to be an attack map for activists and it is already working as one. The fact Aussie Farms refused to take the website down when invasions began happening on farms displayed on their map shows they intend for it to be used as an attack map for activists.

“Aussie Farms will now be required to comply with the Privacy Act, which includes laws against the misuse of personal information. I note the maximum penalty for an offence under the Privacy Act is $420,000 for individuals and up to $2.1 million for a body corporate.”

Minister Littleproud also called on state governments to beef up trespass laws to provide real penalties for trespass, and to publicly state that they expect the police will uphold these laws.


  • The Australian Information and Privacy Commissioner previously found that Aussie Farms Incorporated was exempt from the Privacy Act because its annual turnover was less than $3 million.
  • This move means Aussie Farms Incorporated is prescribed as an ‘organisation’ under the Privacy Act, which requires Aussie Farms to act in accordance with the Privacy Act, regardless of its annual turnover
  • Prescribing Aussie Farms Incorporated allows the Information and Privacy Commissioner to investigate, either in response to a complaint or on her own initiative, if Aussie Farms Incorporated breaches the Privacy Act. The prescription comes into force as of tomorrow (Saturday, 6th April)

And the regulation was made, the day before the media release,  with the Privacy Amendment (Protection of Australian Farms) Regulations 2019  which Read the rest of this entry »

Facebook data breach affects 110,000 Australians’ personal information

April 1, 2019

Facebook has a tendency to advocate vague improvements to its privacy policies and call for improved and stronger regulation after some or other egregious privacy breach or oppressive monopolistic act is uncovered.  In the last year Facebook has been battered by the Cambridge Analytica scandal, clear evidence of its platform being used by foreign players to influence elections and a seemingly regular stream of less dramatic but no less worrying privacy breaches.  Facebook’s standard response to such problems has been a combination of virtue signalling and getting on board the reform wagon so as to moderate its outcomes. In early March Zuckerberg described the move to private messaging as his “pivot to privacy” in communications.  After the briefest of analyses it was ridiculed and seen to be more about presentation than product, according to Wired’s Facebook’s Pivot to Privacy Is Missing Something Crucial, Forbes’ Facebook’s Fake Pivot To Privacy and Slate’s Facebook’s Awkward Pivot to Privacy.

Mark Zuckerberg’s reported very recent call for a “more active” role for government regulation in internet privacy and election laws has a similar feel of a polished response to criticism. Except that the complaints are long lasting and the potential of real action by governments is real. The last edition of the Economist highlighted the steps being taken by the Europeans, a huge market, against Facebook and Google, amongst others, for their privacy unfriendly practices.   And those steps are not confined to Europe.  American legislators are, for the fourth time, considering more comprehensive privacy laws or trust-busting action.

So while there is reason to be sceptical about Facebook’s motives the pressure on Facebook and Google is such that there may be actual improvement.

And there should be given the impact of the privacy breaches in Australia with Read the rest of this entry »

Frank v Gaos 586 US (2019) the US Supreme Court remands settlement in privacy case to lower court, issue of damage again causes concern

March 25, 2019

The issue of measuring damages and establishing the threshold loss in United States jurisprudence has retarded the development of the tort of privacy.  It is a common basis for applications to strike out claims.  In Australia, with breach of confidence actions, the threshold is emotional distress rather than psychiatric injury since the Victorian Court of Appeal decision of Giller v Procopets.  The awards in that and subsequent actions have been disappointingly parsimonious relative to the intrusion, but with time, if the United Kingdom jurisprudence is any guide, the courts should develop an appreciation of the loss associated with these types of breaches.

In Frank v Gaos the nub of the claim related to Google’s disclosure of search histories to third parties without consent, a practice that could violate privacy laws.  The court described Read the rest of this entry »