BUPA fined 175,000 pounds for data protection failures

October 3, 2018

As Bupa has discovered, data breaches caused by employee misbehaviour can be as devastating for an organisation as a cyber attack. A rogue Bupa employee accessed personal information of Bupa’s customers and sold it on the dark web. When it was discovered by a third party, the Information Commissioner investigated and found systemic failures and non-compliance with data security obligations. That is a common outcome. The breach itself is bad enough, but the investigation usually turns up more than just one problem with an organisation’s data security. As was the case with Bupa. There were systemic failures on Read the rest of this entry »

Data breach of UK Conservative party app highlights the problems with app design

October 2, 2018

Apps are notorious for their poor security. App developers spend most of their time designing and writing code for an app that will attract a quick and widespread pick-up. The focus is on working out what tool will be popular and useful, then working frantically to release it to the market. Data security is generally generic and an afterthought. There is little money in security. Until things go wrong.

Apps in politics and civil society actions are becoming part of the woodwork. Communicating and mobilising via an app is considerably cheaper than a phone tree and more accessible for younger activists than email. And political parties are keen to appear connected to younger voters and members. Which is what the Conservatives attempted with their app for a recent conference starting last Sunday.

Of course the problems with data security apply. As the UK Conservative Party found when its conference app failed, revealing MPs’ phone numbers and other personal information, as reported by the BBC and the Guardian. The design failure was quite stark: by pressing the attendees button and typing in an MP’s email address, which is hardly secret, the app revealed that MP’s personal information. A big mistake. The chairman of the conference is under pressure to resign. Read the rest of this entry »

UK Information Commissioner’s office fines Equifax half a million pounds for security breach in 2017

October 1, 2018

First the breach, then the disastrous publicity and just when things seem to be getting better the enforcement action.  That is the way of it with UK and US privacy breaches.  Equifax’s travails have followed this path.

In 2017 Equifax suffered a data breach through a cyber attack. The impact was, even by modern standards, massive, with the personal information of 146 million people being compromised. That involved 200,000 credit card numbers and expiration dates and government-issued documentation such as drivers’ licences and passports. A total of 15 million UK citizens’ personal information was compromised, giving the Commissioner jurisdiction.

The cost of the breach has been enormous, running to $275 million as at March this year.

The Equifax data breach is a “how not to” guide on storing information, setting up proper data security and responding to a data breach. As the UK Information Commissioner found Read the rest of this entry »

Drones used to stalk victims, in ongoing issue of drones and privacy

The ABC, in Perpetrators using drones to stalk victims in new age of technology fuelled harassment, again highlights what has long been known about the potential of drones as an effective privacy-invasive tool. It also goes on to set out the range of ways new technology is being used to interfere with privacy and to harass. All the while the law lags.

In the United States there have been specific state laws to Read the rest of this entry »

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 introduced into the House of Representatives today

September 20, 2018

The Attorney General has introduced the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 today. It is a monolith of a Bill, extending beyond 300 pages. The Explanatory Memorandum is of similar length. What it is about has been the subject of significant debate between the rarefied world of privacy, digital and techie activists and experts on one side and law enforcement and the Federal Government on the other. Its aim is to permit law enforcement to access encrypted communications.

The Minister’s second reading speech provides:

That this bill be read a second time.
New communications technology, including encryption, is eroding the capacity of Australia’s law enforcement and security agencies to investigate serious criminal conduct and protect Australians.

Read the rest of this entry »

British Airways suffers massive data breach affecting personal information of 380,000 customers

September 11, 2018

Notwithstanding poor data security and inept regulation, data breaches have a very significant impact on both reputation and the bottom line, oftentimes one being tied in with the other. British Airways suffered a data breach, by means of a cyber attack by criminal hackers, sometime between 21 August and 5 September 2018, which compromised the personal and financial information, being credit card details, of more than 380,000 customers. Unfortunately British Airways has been hacked before, with its Executive Club being hacked in 2015.

With proper advice and motivation it is possible to contain the damage from a data breach, even one as large as that of British Airways. The key is Read the rest of this entry »

Office of the E Safety Commissioner announces the commencement of the Enhancing Online Safety (Non-consensual Sharing of Intimate Images) Act 2018.

September 6, 2018

I previously posted on the passage of the Enhancing Online Safety (Non-consensual Sharing of Intimate Images) Act 2018. The E Safety Commissioner issued a media release today highlighting the powers the office now has to take enforcement action to force removal of image-based abuse material.

The Act was assented to on 31 August 2018.  It commenced on 1 September 2018.

There is much to be said for a regulator having the power to require that non-consensual intimate images be taken down from sites. It won’t Read the rest of this entry »

Victorian Government data dump and privacy breaches

There is controversy surrounding the Victorian Government’s tabling of 80,000 documents relating to the actions of the now Opposition Leader, Matthew Guy, when he was Planning Minister. The underlying motive for the release seems to be more about politics than law, which is of little interest to this blog. What is interesting is that in tabling these documents there is a likelihood that it disclosed personal information relating to individuals, including health information. The personal information included the name of a lawyer, her mental health, and her financial and familial details. Initially published online, they have now been removed. That of course does not mean that personal information was not downloaded, copied or reproduced elsewhere during the time in which it was online. And it appears that the rash action has resulted in significant scrambling by the Government in terms of apologies and the like. That of course only goes so far, as in nowhere, in terms of liability. It claimed that the privacy breach was inadvertent. That will cut very little mustard if put under forensic scrutiny in a court. The tabling of a document in Parliament is as advertent as one can get.

That may be a breach Read the rest of this entry »

Australian Competition and Consumer Commission highlights scammers accessing computers and bank accounts

September 4, 2018

Phishing and spear phishing have been mainstay tools in the armoury of hackers and cyber criminals. With proper privacy and data protection training they should not be particularly effective. However they are, because many organisations and agencies pay scant regard to training staff properly, which is paradoxical given they generally spend a fortune on physical security and usually have reasonable to very good cyber security programs. None of that helps if a hacker obtains a password and login details.

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details (and money), often by impersonating a trustworthy entity such as a fellow staff member or through a well-disguised electronic communication. Phishing often involves the use of psychological techniques to build trust and confidence. Spear phishing is the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.

The Australian Competition and Consumer Commission last week released a media report highlighting a new development used by phishers to get access to computers and bank accounts. The twist is that the scams involve impersonation of police or business people who are supposedly trying to stop a scam. In 2018 alone that Read the rest of this entry »

Implementation of GDPR results in increased data protection complaints in the UK.

September 2, 2018

There is something of a myth, propagated by those who would prefer fewer rather than more privacy protections, that there is no need for improved privacy protections and that the community is not clamouring for more. It is an entirely paternalistic approach to public policy that rarely squares with the evidence. When surveyed, people express concern about the lack of privacy protections and the use and sharing of personal information. For example, the Pew Research Center in 2014 found that 91% of Americans agreed or strongly agreed that people have lost control over how personal information is collected. Last year Pew found Read the rest of this entry »