Trumpet of Patriots and United Australia Party hit by ransomware cyber attack.

July 18, 2025

The cyber attack on Trumpet of Patriots and the United Australia Party highlights two issues with privacy. The first is that political parties harvest huge amounts of personal information. Some of it relates to membership. Some is obtained through enquiries, surveys and data provided from other political sources, such as parliamentarians. Political parties operate on data. It is a critical part of messaging and lobbying. This cyber attack highlights a flaw in the Privacy Act 1988. Registered political parties are exempt under section 7C from the operation of the Privacy Act 1988. The Privacy Commissioner has no power to investigate the breach. The question then is whether either or both the United Australia Party and Trumpet of Patriots are “registered political parties.” According to the Australian Electoral Commission, Trumpet of Patriots is a registered political party. The United Australia Party is not. It has been deregistered and, despite its best efforts in Babet v Commonwealth of Australia; Palmer v Commonwealth of Australia [2025] HCA 21, could not be re-registered. Interestingly, Trumpet of Patriots notified the Privacy Commissioner of the data breach.

That does not mean Trumpet of Patriots is immune from suit even if it is exempt under the Privacy Act.

The story is covered in

Meta settles 8 billion dollar lawsuit regarding privacy breaches

The Cambridge Analytica scandal has a very long tail. Shareholders of Meta brought an action against Mark Zuckerberg and other Facebook directors over privacy violations. The Times reports it in Mark Zuckerberg settles $8bn lawsuit over Facebook privacy claims and the BBC in Meta investors settle $8bn lawsuit with Zuckerberg over Facebook privacy. The core of the case was a claim against Facebook directors for failures which resulted in fines and legal costs associated with the Cambridge Analytica scandal. The problem for the defendants was that Facebook entered into an agreement in 2012 regarding compliance with privacy obligations. The other difficulty for the defendants was the scale of the data harvesting and the deceptive practices used to carry it out.

The timing of the settlement is ironic given

A representative complaint under the Privacy Act 1988 made against Qantas

The Australian reports in Maurice Blackburn launches compensation case against Qantas over cyber attack that a claim against Qantas is in the offing. It is a representative complaint under the Privacy Act 1988. It is also reported in Compensation sought for millions of Qantas customers hit in major cyber data breach. Representative complaints may be commenced under Division 1 of Part V of the Privacy Act. Under section 36 an individual may complain to the Commissioner about an act or practice that is an interference with the privacy of that individual. Under section 38 a representative complaint can be made on behalf of a class if all the members have complaints against the same entity and those complaints arise out of the same circumstances, as they do in this case.

There should be no surprise in

Bunnings CEO now wants the Government to pass laws to make facial recognition legal after Bunnings was found to have breached the Privacy Act when using facial recognition

July 17, 2025

In November last year Bunnings was found to have breached the Privacy Act 1988 in its use of facial recognition technology without consent and to have failed to take reasonable steps to notify individuals that their personal information was being collected. There were no meek apologies from Bunnings. It came out saying it had every right to use facial recognition and that it was the most effective way to combat rising crime. It has appealed. Now the Managing Director of Bunnings has come out in an AFR article complaining about the privacy law and wanting new laws to allow facial recognition in stores. That is very curious. To call for a change to the law while appealing a decision involving the extant law is not illegal. But it is quite arrogant. Changing the law to allow for such a carve-out would significantly damage the operation of the Privacy Act.

Meanwhile, as CBA using facial recognition logins to verify disputed payment reports, the CBA is showing itself to be an enthusiastic user of facial recognition.

The AFR article

Qantas obtains interim injunction arising out of the data breach which affected 5.7 million customers

It is becoming common practice for companies affected by significant data breaches to seek injunctive relief. The Australian reports in Qantas goes to court over cyber attack in attempt to stop stolen data being released or used that Qantas has obtained an interim injunction in the New South Wales Supreme Court. A copy of the orders has not been released but it is reported as intending “..to prevent the data being accessed, viewed, released, used, transmitted or published by anyone including by any third parties.” There is no identified respondent to the application. It is also covered by 9 News and Reuters. If the process follows the approach taken by the court in the HWL Ebsworth application for injunctive relief in 2024.

Interestingly, the National Office of Cyber Security prepared a report on the HWL Ebsworth Cyber Security Incident titled “Lessons Learned Review”. Under the heading “What was interesting” the report says the following about the injunction HWL Ebsworth obtained from the Supreme Court of New South Wales.

The granting of an injunction from the Supreme Court of New South Wales to HWL Ebsworth was a key point of interest during the management of the incident. The injunction was sought by HWL Ebsworth to restrain further access to or publication of information exposed during the incident, in an attempt to protect client data, and minimise ‘online rubbernecking’. Overwhelmingly, government entities viewed this enabled better support to impacted clients (including individuals) through minimising the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response.

HWL Ebsworth’s intention when seeking the injunction was never to stop its clients from accessing their own data, as several clients were granted exemptions to ensure access for this purpose could continue. However, the injunction also prevented accidental unauthorised access which would have been inevitable in the circumstances where clients of the firm were seeking their own information but would, in the process, further compromise the privacy of other matters unintentionally.

There is quite a bit of supposition in that assessment. It is not possible to know whether the injunction performed that role. There have been no reported contempt of court proceedings for breaching the injunction. It would also be quite difficult to determine how much ‘online rubbernecking’ there was to start with and whether it was reduced. How to monitor online rubbernecking is another issue. If the data is stored on a particular dark web site, removing the data (highly improbable) would be a better solution than working out who viewed it (even more difficult). That said, injunctive relief is now part of the response in large scale data breaches.

It is clear from the assessment that the orders were almost certainly more involved and complicated than a blanket prohibition. There is reference to exemptions. That is an important issue when seeking such orders. It is important to avoid putting victims who discover their personal information, and view it, in a position where they may be in contempt of court. That is clearly not an intended consequence.

The Australian story

UK Government data breach led to risk of death to 100,000 Afghans and an extraordinary Government response (or cover up) potentially costing 7 billion pounds

July 16, 2025

That data breaches cause damage is trite. The damage may be economic or psychological. It can also be life threatening, as the Times story Revealed: Leak that risked lives of 100,000 Afghans — and £7bn cover-up makes clear. As does the BBC report Thousands of Afghans were moved to UK in secret scheme after data breach. A data breach by a British official at the Ministry of Defence in February 2022 resulted in the personal details of 19,000 people who applied to move to the UK after the Taliban took over being leaked. That prompted a resettlement scheme which has resulted in 4,500 Afghans moving to the UK so far. So far, so bad.

What is very interesting to legal practitioners is that the Government sought and obtained a super-injunction which involved a gag order relating to the data breach and its contents. It was the first time the Government had sought a super-injunction and it was the longest ever granted. That was lifted yesterday in Ministry of Defence v Global Media and Entertainment Ltd & ors [2025] EWHC 1806.

In reviewing and ultimately lifting the gag order the court made the following points regarding the grant and

64 million McDonald’s chatbot job applications exposed because the login was “123456” and the password was “123456”

July 14, 2025

Implementing proper password protection is one of the foundation blocks of proper cyber security. It has been since the internet was established. But it remains a real problem for many organisations. Bleeping Computer, in ‘123456′ password exposed chats for 64 million McDonald’s job chatbot applications, reports on a spectacular failure with both the login and the password: both were 123456.

The Bleeping Computer article

The Chief Justice of the Supreme Court of Victoria publishes a practice note of procedural changes to applications to set aside statutory demands.

July 13, 2025

The Chief Justice of the Victorian Supreme Court has published a notice to the profession regarding the conduct of applications to set aside statutory demands. The Notice sets down a very specific timetable which must be followed. There will be consequences for failing to comply. The second feature of the Notice is a requirement to keep affidavits concise and exhibits “..limited to those documents which are critical to the grounds relied upon by the plaintiff and the real issues in dispute.”

Some points that practitioners must consider:

  1. the court will fix a date for final hearing in the timetabling orders;
  2. first, the Notice to the Profession must be served on the defendant (Paragraph 4.1). That is a new development;
  3. “as soon as practicable” after filing (Paragraph 5.2), the Court will make timetabling orders in the form of Annexure A to the Notice, which requires:
    • seven days after filing of the Originating Process, the plaintiff to file an affidavit of service of the Originating Process, supporting affidavit, and a copy of the Notice to Profession;
    • 14 days after filing of the Originating Process, the defendant to file and serve:
      • an affidavit of service of the statutory demand; and
      • any affidavit on which it intends to rely in opposition to the application;
    • 14 days after filing of the Originating Process, the defendant to advise chambers if the defendant disputes jurisdiction;
    • 21 days after filing of the Originating Process, the plaintiff to:
      • file and serve any affidavit on which it intends to rely in reply;
      • file and serve an outline of submissions not exceeding 6 pages and a list of authorities identifying pin-point references; and
      • email the Chambers of the judicial officer a bundle of authorities that the plaintiff relies upon in text-searchable pdf format, with cases arranged in alphabetical order and with an electronic bookmark for each case;
    • 28 days after filing of the Originating Process, the defendant to:
      • file and serve an outline of submissions not exceeding 6 pages and a list of authorities identifying pin-point references; and
      • email the Chambers a bundle of authorities that the defendant relies upon which are not already included in the plaintiff’s bundle;
  4. submissions must identify, with reference to the affidavit material, why there is or is not a genuine dispute, offsetting claim or some other matter;
  5. in advance of any non-compliance with the timetable or exercise of liberty, the parties have to confer regarding the amendments and email the Court to “explain the reason that a variation is sought and provide consent or competing draft minutes of order addressing a revised timetable which maintain the final hearing date and ensures that the last document is filed no later than 72 hours before the final hearing;”
  6. evidence or submissions filed out of time will not be considered at the final hearing without a summons for leave supported by an affidavit explaining non-compliance (Paragraph 8.3);
  7. in the event of non-compliance the Court may, of its own motion, make a self-executing or ‘unless’ order disposing of the proceeding;
  8. the Court will aim to schedule the final hearing within 6 weeks of filing, listed for half a day (Paragraph 8.1); and
  9. within 3 days of the hearing the practitioners briefed to appear at the final hearing are to confer with a view to resolving the dispute or narrowing the issues. The plaintiff must email the Court on behalf of the parties a “joint statement” of the remaining issues in dispute.

The Notice

National Institute of Standards and Technology releases draft guidelines for High-Performance Computing (HPC) Security Overlay and recommendations for Key Management

July 12, 2025

The National Institute of Standards and Technology (“NIST”) has published a guideline on High-Performance Computing (HPC) Security Overlay, Recommendation for Key Management, Part 2: Best Practices for Key Management Organizations, and Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance.

The announcement about the HPC overlay provides:

High-performance computing (HPC) systems provide fundamental computing infrastructure for large-scale artificial intelligence (AI) and machine learning (ML) model training, big data analysis, and complex simulations at exceptional speeds. Securing HPC systems is essential for safeguarding AI models, protecting sensitive data, and realizing the full benefits of HPC capabilities.

This NIST Special Publication introduces an HPC security overlay that is designed to address the unique characteristics and requirements of HPC systems. Built upon the moderate baseline defined in SP 800-53B, the overlay tailors 60 security controls with supplemental guidance and/or discussions to enhance their applicability in HPC contexts. This overlay aims to provide practical, performance-conscious security guidance that can be readily adopted. For many organizations, it offers a robust foundation for securing HPC environments while also allowing for further customization to meet specific operational or mission needs.

The announcement for Recommendation for Key Management, Part 2: Best Practices for Key Management Organizations, provides:

NIST Special Publication (SP) 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements. Finally, Part 3 provides guidance when using the cryptographic features of current systems. Part 2 (this document) 1) identifies the concepts, functions and elements common to effective systems for the management of symmetric and asymmetric keys; 2) identifies the security planning requirements and documentation necessary for effective institutional key management; 3) describes Key Management Specification requirements; 4) describes cryptographic Key Management Policy documentation that is needed by organizations that use cryptography; and 5) describes Key Management Practice Statement requirements. Appendices provide examples of some key management infrastructures and supplemental documentation and planning materials.

The announcement for Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance, provides:

NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.


New South Wales Audit Office publishes “Cyber Security insights 2025”, which highlights familiar problems with cyber security.

July 11, 2025

The New South Wales Audit Office has published its report, titled Cyber Security insights 2025, on state agencies’ cyber health and preparedness against a cyber attack. It is a mixed report, which is a concern given that the state collects and holds a vast amount of information about the people of New South Wales and encourages, if not requires, people to do business with the state online. The Report is quite critical about aspects of preparedness.

The ABC has done a story on the report, NSW audit finds gaps in state, local government cyber protections, which provides:

A cybercrime expert has warned of a “worrying pattern” after government agencies were found to have implemented less than a third of basic cybersecurity protections in New South Wales.

State government agencies only met 31 per cent of mandatory requirements to protect public data, according to a report released by the Audit Office of NSW last week.

In total, 27 of these agencies reported 152 “significant, high, and extreme” cybersecurity threats in 2024.

According to the report, 28 of the threats had remedies “that were either largely or completely ineffective”.

Additionally, 60 risks lacked specified timelines to reduce them to an acceptable level.

Professor of cybercrime at the University of NSW Richard Buckland said the report’s findings showed entities were increasingly at risk.

He said that if effective, a cyber attack could “paralyse a section of society or the government”.

“This has been a pattern, a worrying pattern,” he said.

The report found a blind spot was the use of external contractors for some cybersecurity measures, for which the NSW government has no way of measuring if they were up-to-scratch. 

Professor Buckland said he understood the desire to outsource but warned it came with its own risks.

“We saw the big Microsoft blackout last year; that was really a third party used by multiple people, CrowdStrike, going wrong, so it is a big risk,” he said.

“It’s harder to monitor, to control, so external people helping you is a double-edged sword, especially if you don’t have external capability to jump in when something goes wrong.”

It comes after Qantas reported a major cyber attack in which it said a “significant” portion of its six million customers’ data was stolen and that a “potential cyber criminal” had made contact with the airline.

Less than 70pc of council staff cyber-trained

In 2020, the personal information of more than 180,000 people was compromised by hackers who managed to access information held by Service NSW.

Responding to the attack cost the state government more than $30 million, the audit office reported.

Professor Buckland said the report pointed out the “same problem” every year and government agencies were “just not adequately defended”. 

“They [the audit office] must be tearing their hair out wondering what they can do to bring about change.”


The report also found local councils were lagging in their defence against nefarious online actors, with only 69 per cent training staff in cyber awareness.

It said one council suffered a ransomware attack that targeted local government records, employee financial data and systems responsible for monitoring water quality.

Councils in NSW are not mandated to implement Cyber Security NSW’s policies, but the agency recommends they adopt safeguards.

“In a way they’re [local councils] less capable, have less staff and less budget to deal with this, so I feel very sorry for them,” Professor Buckland said.

“We’ve seen worldwide a big rise in targeted attacks against municipalities — the equivalent of councils in America — against libraries, schools, smaller and less well-funded data-rich organisations.”

Reacting to the report, Premier Chris Minns on Monday said the government had to find $90 million to “plug gaps” in cybersecurity funding.

“It is a concern. I’m going to be honest, I would like to see us meet all the criteria immediately that the auditor-general identified,” he said.

“That’s not possible though; most of the funding for cybersecurity in NSW had been cut or put on a funding cliff by the previous government.”

He warned it will cost a lot more to make all government agencies safe.

“Some of these organised crime gangs, usually located offshore, are pretty sophisticated, and we obviously have to be on our guard,” the premier said.


The highlights of the report