Peter A Clarke

It is common that Australian companies and organisations refer to liaising with the Australian Cyber SecuSecurity Centre amongst other authorities and agencies after a data breach. It is so common that it is now boilerplate. All of that relates to damage mitigation. What is less common is organisations using the guides prepared by the ACSC to improve cyber security so as to prevent data breaches. The ACSC publishes quite good guides, as does the Information Commissioner even if they tend to the general. Other resources include standards prepared by the NIST and the ISO series. The NIST guides while highly technical are the most useful. The UK Information Commissioner publishes guidelines which cover general issues as well as guides relating to UK legislation. Guidelines are already important but will take on greater significance as privacy related litigation grows. The question of whether a defendant acted reasonably and proportionately is likely to be determined on the facts having regard to appropriate standards and best practice. On 13 August 2025 the ACSC released Foundations for OT cybersecurity: Asset inventory guidance for owners and operators.  For practitioners whose clients manage critical infrastructure it is an important document.  It is generally useful in setting out the methodology when ordering and prioratising assets which may be the subject of internet access.   

The Executive Summary provides:

When building a modern defensible architecture, it is essential for operational technology (OT) owners and operators across all critical infrastructure sectors to create an OT asset inventory supplemented by an OT taxonomy. Using these tools helps owners and operators identify which assets in their environment should be secured and protected, and structure their defenses accordingly to reduce the risk a cybersecurity incident poses to the organization’s mission and service continuity. Read the rest of this entry »

Hackers have attacked the hallowed halls of Scotch College, one of the elite private schools in Melbourne by hacking its IT system.  Educational institutions are regular targets for cyber attacks.  Universities are often hacked. They have lots of challenges, numerous entreports, constantly changing authorisations which can be stolen and used for a cyber attack, legacy systems which have inbuilt weaknesses and a huge amount of data that make attacks worthwhile.  At the school level often IT systems are basic and not well maintained.  In my experience school administrations do not give sufficient attention to privacy training, making phishing and spear phishing quite easy.  Scotch College would have a wealth of information that Read the rest of this entry »

Universities are prime targets for data breaches. They offer so many opportunities for entrance, often through stolen or easily discerned authorisations. They also have legacy issues with ill fitting computer systems cobbled together with mergers and patch ups. The latest victim is the University of Western Australia whose data breach has been reported by the ABC in University of Western Australia suffers major data breach, staff and students locked out.  The method of attack was through unauthorised access to password information.  The UWA’s response was to lock out and reset passwords of students, staff and visitors.  At this stage the UWA admits to no data being stolen or ransomware being installed.  

The data breach has also been reported by News.com.au, iTnews and cyber daily.

The statement from UWA is cryptic to say the least. It provides:

The ABC article Read the rest of this entry »

Given the scope and sensitivity of the personal information lost in the Genea data breach it is hardly surprising that a number of firms, 3 at last count, are considering class actions. This looming herd/charge of class actions is covered by Nine with ‘Reopened those wounds’: IVF patients to sue clinic over data breach and the Sydney Morning Herald with ‘Emotionally devastating’: Victims of IVF data breach seeking class action. It is always difficult to predict what will or won’t be pleaded in class actions but the issues that are clearly relevant revolve around obligation to keep confidential material safe and secure and what steps were taken to keep the personal information secure. There may be issues relating to misrepresentations and perhaps breach of contract.  

The SMH article provide:

Read the rest of this entry »

It doesn’t rain for Optus. It poors. Optus announced on 22 September 2022 that it suffered a major data breach. On 21 April 2023 Slate and Gordon filed a class action in the Federal Court of Australia with PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS. It is scheduled to have a case management hearing on 15 August 2025. In June 2025 Optus paid $100 million penalty for unconscionable conduct.

The Australian Information Commissioner has announced that it has filed civil penalty proceedings against Singtel Optus Limited and Optus Systems Pty Ltd arising out of the 2022 data breach. The reference is AUSTRALIAN INFORMATION COMMISSIONER v SINGTEL OPTUS PTY LIMITED (ACN 052 833 208) & ANOR with Court number VID 1019/2025. The Information Commissioner is represented by the Australian Government Solicitor. Previously it was represented by HWL Ebsworth. A concise statement and Originating Application were filed last Friday, 8 August 2025. The First Case Management Hearing will be head before Justice Beach this Friday, 15 August 2025. That day will be a very busy day for Optus.

A key issue is the reasonableness of Its cybersecurity having regard to its size and the nature of the data it possessed.

The statement from the Information Commissioner provides:

The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022.

The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. Read the rest of this entry »

Google has suffered a data breach by the notorious Shinyhunters, which it classified as UNC6040. It is reported by Bleeping Computer with Google confirms data breach exposed potential Google Ads customers’ info and Google suffers data breach in ongoing Salesforce data theft attacks. What is interesting is that the hackers targeted employees in voice phishing, known as vishing. An attack via social engineering. Much like the now infamous Qantas data breach. 

The Google suffers data breach article provides:

Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group.

In June, Google warned that a threat actor they classify as ‘UNC6040′ is targeting companies’ employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent the data from being leaked.

In a brief update to the article last night, Google said that it too fell victim to the same attack in June after one of its Salesforce CRM instances was breached and customer data was stolen.

“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations,” reads Google’s update. Read the rest of this entry »

The National Institute of Science and Technology’s guidelines and other publications are used as best practice standards for industry. It’s publications and standards are referenced by privacy regulators. For good reason. It has just released the Cybersecurity and Privacy of Genomic Data.

The Project Overview Read the rest of this entry »

The city of Hamilton in the United States was hit by a ransomware attack in February 2025. The cost of the ransomware attack is $18.3 million. The attack disabled nearly 80% of the city’s network. So far, not so unusual. Where this story falls into the category of salutory lesson is that Hamilton’s insurance declined cover. The reason for that was that Hamilton failed to implement multi factor authentication for on line services at the time of the attack. Data breach reports that ransomware is a growing problem with On the Rise: Ransomware Victims, Breaches, Infostealers.

Cyber insurance has become an important part of the protections organisations use to deal with the consequences of a data breach.  Insurance policies almost always have terms requiring implementation of processes, provision of hardware and other things related to providing protection against threat.  Hamilton didn’t have a basic level of Read the rest of this entry »

De identification of personal information is critically important where data is being used for research. It has also been the subject of great scrutiny by regulators. The Victorian Information Commissioner produced a paper on the limits of de identification after it found that Public Transport Victoria breached myki users privacy by releasing data which exposed myki users’ travel history which the PTV claimed to have de identified. Academics from Melbourne University proved it wrong as they were able to identify the travel history of themselves and others. Apart from being a breach of the Privacy and Data Protection Act Victoria it was embarrassing given the negative publicity. The Federal Office of the Information Commissioner released general advice about de identification. On 19 September 2024 Crikey published Australia’s biggest medical imaging lab is training AI on its scan data. Patients have no idea.  The nub of the article is that I-MED “handed over” scans of thousands of patients to a start up company, Harrison.ai, which will use that data to train artificial intelligence.  It posed the question of how the data could e legally used and disclosed to Harrison.ai.  It made a number of valid points about the generally cavalier manner health organisations treat personal information.  The Privacy Commissioner responded with an investigation.  The Privacy Commissioner has closed an investigation regarding the transfer of data and issued a report. 

The key elements of the report are:

• paragraph 4.2 which sets out the usual two steps of de identification being the removal of personal identifiers and removing or altering other information which may allow a person to be identified;
• paragraph 5.1 the process adopted by I- MED which involved
  • segregating the patient data from the underlying dataset,
  • scanning the records with text recognition software,
  • using two hashing techniques (for unique identifiers such as patient ID numbers, and names, addresses and phone numbers),
  • time-shifting dates (to a random date within a specified number of years),
  • aggregating certain fields into large cohorts to avoid identification of outliers, and
  • redacting any text that appears within or within 10% from the boundary of an image scan.
• paragraph 6.1 the appropriate de identification practices identified by NIST being:
  • utilising of the 5-Safes Principles,
  • ensuring separation of the Annalise.ai and I-MED environments,
  • utilising a ‘Data Use Agreement Model’,
  • imposing prescriptive de-identification standards,
  • removing or transforming all direct identifiers, and
  • utilising top and bottom coding and aggregation of outliers.
• paragraph 6.2 while some personal information was provided to Annalise.ai and therefore shared in error due to failures in the de identification process it was remedied.

it is interesting to note that there were data breaches but not notified to the Privacy Commissioner until after she commenced her preliminary investigation.  That is Read the rest of this entry »

As is commonly the case data breaches have serious consequences. So it is with Tea. It suffered a very significant data breach involving very sensitive information. Thousands of images, posts and comments have been stolen. The BBC reports in Dating safety app Tea suspends messaging after hack that Tea has turned off messaging on the app. Given the nature of the app that is significant.  It suggests a lack of certainty that the threat has been removed.  The story also suggests that Tea is well behind on identifying the extent of the hack.  When a company says Read the rest of this entry »