Data breaches kept increasing in 2024, so bad in the health care sector that it prompted changes to regulation in the United State

January 6, 2025

With the end of 2024 there has been a compiling of data breaches in 2024. It makes for sombre reading. According to Proven Data the biggest data breaches in the United States were:

National Public Data breach.

  • Records compromised: 2.7-3 billion
  • Scope: Affected individuals in the United States, Canada, and the United Kingdom
  • Key details: Included social security numbers, names, addresses, and other personal information

Ticketmaster data breach

  • Records compromised: 560 million
  • Key details: Exposed personal and financial information, including names, email addresses, phone numbers, and payment details

Change Healthcare ransomware attack

  • Records compromised: Approximately 145 million
  • Scope: Potentially affecting one-third of Americans
  • Key details: Exposed personal, medical, and billing information through a ransomware attack

AT&T data breach

  • Records compromised: 73 million
  • Key details: Exposed customer data, including Social Security numbers, account numbers, and passcodes

Snowflake Cloud data breaches

  • Total records: Over 165 customer environments were compromised
  • Notable victims:
    • Ticketmaster: Up to 560 million customer records exposed
    • Santander Bank: 30 million customer records compromised
    • AT&T: Call and text records spanning multiple months
    • Advance Auto Parts: Over 2.3 million individuals were affected, with sensitive job application data exposed

In December alone the significant data breaches were:

1. SRP Federal Credit Union Breach

On December 19, SRP Federal Credit Union disclosed Read the rest of this entry »

Yes Virginia, there is a Santa Claus. A Christmas greetings

December 24, 2024

It is that time of year. Christmas. I wish you all a happy and holy Christmas and that in 2025 all your hopes and dreams come true. As per my tradition I republish one of the great journalistic pieces on Christmas, Yes Virginia there is a Santa Claus. It struck me when I first read it as an 18 year old and I still marvel at the beautiful prose. It is what all good writing should be; clear, spare and lively. This piece also has a touch of literary fairy dust. To write like this is a noble aim.

Here it is:

Dear Editor,
I am 8 years old. Some of my little friends say that there is no Santa Claus. Papa says “If you see it in the Sun, it is so.” Please tell me the truth, is there a Santa Claus?

Virginia,
Your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except what they see. They think that nothing can be which is not comprehensible by their little minds.

All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, Virginia, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to our life its highest beauty and joy.

Alas! How dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

Not believe in Santa Claus? You might as well not believe in fairies! You might get your Papa to hire men to watch all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove?

Nobody sees Santa Claus, but that is no sign that there is no Santa Claus The most real things in the world are those that neither children nor men can see.

Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders that are unseen and unseeable in the world.

You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, or even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernatural beauty and glory beyond.

Is it all real? Ah, Virginia, in all this world there is nothing else as real and abiding.

No Santa Claus? Thank God he lives and he lives forever. A thousand years from now, maybe 10 times 10,000 years from now, he will continue to make glad the hearts of children.

Written by Francis P. Church in 1897

Health services continue to be a prime target for hackers. In the US another hospital hit by a hack with 1.4 patients’ information leaked

December 18, 2024

Health organisations, surgeries, clinics, hospitals and health insurers, are the number one target for cyber attacks. They collect vast amounts of personal information and linked financial information. They are commonly poorly protected for a range of reasons; ageing and combined incompatible operating systems, poor privacy training, multiple entrepots, poor protocols leading to inadequately controlled authorisations and generally a poor culture by those in the industry. So it is not suprising to read in Another major US hospital hacked, data on 1.4 million patients leaked that there has been yet another big cyber attack. And the Nebraska Attorney General is suing Change Healthcare and two companies in AG sues Change Healthcare, two other companies after data breach hits at least 575,000 Nebraskans.

The 1.4 million hack story Read the rest of this entry »

UK Information Commissioner’s Office prosecutes an employee for illegally accessing personal information

Employees accessing personal information for purposes other than which that information was collected is a chronic problem. Sometimes the interest is family or friends personal information, breaching confidentiality, police unlawfully accessing personal information and sometimes it is hacking by organisations. There are endless ways personal information can and often are illegally accessed. The key is proper training and proper computer systems.

The Information Commissioner’s actions in prosecuting an insurance worker in Manchester for unlawfully accessing personal information in relation to accident claims. 

The ICO’s media release Read the rest of this entry »

Meta settles civil penalty proceeding with Office of Information Commissioner arising out the Cambridge Analytica scandal for $50 million and an enforceable undertaking

December 17, 2024

In the dying days of 2024, when the focus is on presents, holidays and plum pudding (for some at least) Meta has settled the civil penalty proceeding in the Federal Court. Meta will also enter into an enforceable undertaking.   The $50 million will not be distributed immediately. Eligibility will depend on whether a person ws in Australia between November 2013 and mid December 2015 and installed This is Your Digital Life App or was a friend of someone who had that app installed.

This is a very welcome development.  The civil penalty proceedings power in the Privacy Act has until recently been underutilised.

The Commissioner’s media release provides:

The Australian Information Commissioner today agreed to a $50 million payment program as part of an enforceable undertaking (EU) received from Meta Platforms, Inc. (Meta) to settle civil penalty proceedings. The payment scheme will be open to eligible Australian Facebook users impacted by the Cambridge Analytica matter.

The Commissioner alleged that the personal information of some Australian Facebook users was disclosed to the This is Your Digital Life app in breach of the Privacy Act 1988 (Cth). The information was exposed to the risk of disclosure to Cambridge Analytica and other third parties, and risked being used for political profiling purposes.

The agreement announced today follows a court-ordered mediation, which has been ongoing since February 2024, as part of the Federal Court civil penalty proceedings the Commissioner commenced in March 2020.

“Today’s settlement represents the largest ever payment dedicated to addressing concerns about the privacy of individuals in Australia,” Australian Information Commissioner Elizabeth Tydd said.

“It represents a substantive resolution of privacy concerns raised by the Cambridge Analytica matter, gives potentially affected Australians an opportunity to seek redress through Meta’s payment program, and brings to an end a lengthy court process.”

As part of the resolution, the Commissioner has withdrawn the civil penalty proceedings in the Federal Court.

The EU requires Meta to set up a payment scheme, which will be run by an independent third-party administrator. Meta will appoint the third party to administer the payment scheme, who will be announced early next year. The scheme will be open to individuals who:

    • held a Facebook Account between 2 November 2013 and 17 December 2015;
    • were present in Australia for more than 30 days during that period; and
    • either installed the This is Your Digital Life app or were Facebook friends with an individual who installed the app.

The payment scheme will be structured into two tiers of payments. The first will permit individuals to apply for a base payment if they believe they experienced generalised concern or embarrassment because of the matter. The second category will provide for specific payment, likely to be higher than the base payment, to those who can demonstrate they have suffered loss or damage. The third-party administrator will also establish a timely internal review avenue for individuals in relation to the payment scheme. The Office of the Australian Information Commissioner anticipates individuals may be able to start applying to the payment program in the second quarter of 2025.

Any residual funds not exhausted in the payment scheme will be paid into the Commonwealth’s Consolidated Revenue Fund. Meta also paid a contribution to the Commissioner’s legal costs.

“The payment scheme is a significant amount that demonstrates that all entities operating in Australia must be transparent and accountable in the way they handle personal information, in accordance with their obligations under Australian privacy law, and give users reasonable choice and control about how their personal information is used,” Commissioner Tydd said.

“This also applies to global corporations that operate here. Australians need assurance that whenever they provide their personal information to an organisation, they are protected by the Privacy Act wherever that information goes.”

“We remain committed to applying our powers under the Privacy Act to achieve proportionate outcomes to ensure that Australians’ privacy is protected, particularly with respect to technologies that have a high privacy impact. This groundbreaking outcome reflects the significant concerns of the Australian community,” Privacy Commissioner Carly Kind said.

Since then Australian Information Commissioner Angelene Falk commenced the civil penalty proceedings against Meta in March 2020, the penalties for serious or repeated interferences with privacy (which can only be imposed following the commencement of civil penalty proceedings in the Federal Court), have increased from $1.7 million for each serious and/or repeated interference with privacy, to whichever is the greater of $50 million, three times the value of any benefit obtained through the misuse of information, or 30% of a company’s adjusted turnover in the relevant period.

Read the enforceable undertaking.

Details of payment scheme

    • Funds of $50 million will be available.
    • Individuals who were present in Australia for more than 30 days between 2 November 2013 and 17 December 2015, and either installed the This is Your Digital Life app, or who were Facebook friends of an individual who installed the This is Your Digital Life app, can apply for a base payment based on generalised concern or embarrassment, or an alternative amount if they can demonstrate specific loss or damage.
    • The third-party administrator will take reasonable steps to publicise the payment scheme.
    • Meta is required to make reasonable best efforts to notify those who are potentially impacted.
    • The payment scheme will be administered by a third-party administrator to be appointed by Meta. Payment is required to be made in a timely manner.
    • Details for accessing the payment scheme will be made public by the administrator in the second quarter of 2025.

The Enforceable Undertaking Read the rest of this entry »

About 160,000 members join the Optus data breach class action

December 11, 2024

The Australian reports in Class action against Optus after 2022 data breach registers 160,000 members that about 160,000 members have joined in the class action against Optus resulting from the 2022 data breach. This report is based on submissions made at a case management hearing before Justice Beach today. 

The class action is brought in proceeding PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS (number VID256/2023).

The article provides:

About 160,000 people whose passport and Medicare numbers were leaked online after Optus was hacked in 2022 have registered to partake in a class action against the telco.

Appearing for class action behemoth Slater & Gordon, barrister William Edwards, KC, told the Federal Court on Wednesday the estimated number of members to join the action, which alleges Optus failed to protect the personal information of 9.8 million of its current and former customers whose personal data was leaked online after a cyber attack.

The court was told Optus and Slater & Gordon were still trying to settle the case by mediation, with a hearing possible if that failed.

In court, the parties argued over how much security Slater & Gordon should give Optus since it insisted on a secretive regime to keep documents exchanged in the case away from the public. Read the rest of this entry »

Federal Trade Commission Report on product support for smart devices raises key issues for data security

December 10, 2024

A fairly to update programs and install patches provided by the suppliers is a common way hackers can access websites and smart devices. In those cases the breach is caused by the negligence of the owner of the website or smart device who fails to update. But what if the supplier fails to provide support after a time? With time the program or smart device will become more and more vulnerable to cyber attacks not to mention potentially losing functionality. It is a ubiquitous problem. The Federal Trade Commission has considered it with its report released under a cover of a media release titled Smart Products Surveyed Fail to Provide Consumers with Information on How Long Companies will Provide Software Updates.

The FTC media release provides:

A new paper from Federal Trade Commission staff finds that nearly 89% of products surveyed failed to disclose on their websites how long the products would receive software updates, which help ensure the devices are protected against security threats and operate properly.

FTC staff from the agency’s East Central Regional Office looked for information about 184 different “smart” products—ranging from hearing aids to security cameras to door locks—about how long companies would provide updates for those products. If the manufacturer stops providing software updates, these products may lose their “smart” functionality, become insecure or stop working, according to the FTC Staff Perspective.

“Consumers stand to lose a lot of money if their smart products stop delivering the features they want,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Our study shows that nearly 89% of manufacturers of products we examined failed to post this information prominently or make it readily available. When shopping for smart devices, consumers should ask questions and consider how long their product will last.”

Staff reviewed the manufacturer’s product webpages, where consumers might look for detailed information about a connected device, and found 161 of the products surveyed failed to provide information about the support duration or end date. Staff also conducted basic internet searches to determine if consumers could track down support duration and end dates for the smart devices surveyed. Those searches did not uncover support information for two-thirds (124) of the devices surveyed.

The staff paper noted that manufacturers’ failure to inform prospective purchasers about the duration of software updates for products sold with written warranties may violate the Magnuson Moss Warranty Act, which requires that written warranties on consumer products costing more than $15 be made available to prospective buyers prior to sale and requires other disclosures. Failing to provide software update information to consumers could also violate the FTC Act if manufacturers make express or implied representations about how long the product is useable, according to the staff perspective.

This report comes after a Read the rest of this entry »

New Zealand Privacy Commissioner releases report showing that data breaches are on the increase, like in Australia

December 9, 2024

New Zealand has a Privacy Commissioner and a Privacy Act. The regulator has quite limited powers and the legislation is inadequate compared to other common law and European countries. The Commissioner has released the annual report (found here).

The Commissioner reported that the office:

  • received a total of 1,003 privacy complaints, up 15% from the previous year, with 279 of those complaints received for investigation.
  • there were 2,751 in-house privacy inquiries.
  • there were 864 privacy breach notifications, of which 414 were serious privacy breaches.
Read the rest of this entry »

Amendments to the Privacy Act commenced on 30 November 2024. No date proclaimed for commencement of Schedule 2, the statutory tort, so it will commence on 29 May 2025

December 3, 2024

Most of the amendments to the Privacy Act 1988 through the Privacy and Other Legislation Amendment Bill 2024 commenced on 30 November 2024. There has been no date proclaimed for Schedule 2 as yet.  In the normal course it would be very surprising if the Government was to, at some stage in the future, actually specify a commencement date if it did not do so immediately. 

Attorney gives insight into Privacy at Law Council of Australia Gala Dinner

At a Law Council Dinner on Sunday 1 December 2024 the Attorney General waxed lyrical about matters pertaining to his portfolio. In the the course of his speechifying discussed the statutory tort and the anti doxxing provisions.  His defence of the journalist exception is wrong headed.  He claims it is necessary to protect freedom of the press.  That is nonsense.  There is no such exemption in any jurisdiction where there is a tort of privacy and somehow the press thrives in those places.  It was a political not policy decision. It is a terrible mistake.  That said having a tort even if in a weakened form is better than no tort.

His speech provides:

Acknowledgements

Thank you to the Law Council of Australia for hosting yet another wonderful dinner, a dinner I’m delighted to be attending for my third consecutive year since returning as Attorney-General in 2022.

I acknowledge the traditional owners of the land on which we meet, the Ngunnawal people, and pay my respects to their Elders, past and present. I extend that respect to all Aboriginal and Torres Strait Islander people here today. 

I thank the President of the Law Council, Greg McIntyre SC, for inviting me to speak tonight. I congratulate and welcome the incoming President, Ms Juliana Warner.

I also acknowledge

    • Her Excellency the Honourable Sam Mostyn AC, Governor-General of the Commonwealth of Australia, and His Excellency Simeon Beckett SC;
    • My parliamentary colleagues;
    • Current and former members of the judiciary; and
    • Members of the legal profession.

Legal assistance services

On 6 September this year First Ministers reached a landmark agreement for a new five year National Access to Justice Partnership.

And I am very pleased to say that yesterday, 28 November, the final signature from an Attorney-General was obtained, and it has been published today.

This agreement provides $3.9 billion in support for legal assistance services over five years – the largest Commonwealth funding contribution to the legal assistance sector ever.

It is a vast improvement on the previous agreement, which expires on 30 June next year.

Every single part of the legal assistance sector will get more funding.

The agreement contains nearly $800 million in additional funding, including $500 million to support frontline legal assistance services delivered by Community Legal Centres, Women’s Legal Services, Aboriginal and Torres Strait Islander Legal Services, Legal Aid Commissions and Family Violence Prevention and Legal Services.

Critically, funding will be ongoing. This means an end to a rolling five-year funding cliff. Instead of fighting for its very existence, the sector will be able to plan for the future. It will be able to more easily attract and retain employees because there is job security. This change may be an underreported element of the new agreement but its significance cannot be underestimated.

The new agreement also addresses long-standing pay parity issues in the sector. For the first time, the Commonwealth is acting to lift rates of pay for the community legal assistance sector, bringing them closer to Legal Aid Commissions – again increasing the ability of services to attract and retain good lawyers.

Unlike the previous agreement, with its inadequate fixed rate of indexation, funding will be increased in line with the Wage Cost Index – meaning Commonwealth funding will not go backwards in real terms over the life of the agreement.

The previous agreement did not provide funding security for individual parts of the sector. States and territories could, if they wished, move money from one part to another, reducing the effective value of the Commonwealth contribution. The new agreement requires jurisdictions to maintain their investment for each part of the sector over the life of the agreement.

This both maintains the value of the Commonwealth contribution and provides funding certainty to each part of the legal assistance sector.

As some in this room may remember, the new agreement was announced at a meeting of First Ministers focused on gender-based violence, and appropriately so.

Access to justice is vital for women and children trying to escape gender-based violence. It can be the difference between leaving and staying in a violent situation. It can be the difference between life and death.

I’m proud that the largest relative funding increase for legal assistance in the new agreement was for Family Violence Prevention and Legal Services – a 112 per cent increase in Commonwealth funding compared to the preceding five years.

We know that First Nations women experience disproportionate rates of family violence.

Nationally, First Nations women are seven times more likely to be homicide victims than non-Indigenous women, and of those women, 75 per cent are killed by a current or former partner.

First Nations women are 33 times more likely to be hospitalised due to family and domestic violence than non-Indigenous women.

As my colleague Senator Malarndirri McCarthy, the Minister for Indigenous Australians, has said, this is a national shame.

Doubling the funding for legal assistance services which help First Nations women escape domestic violence will not solve this problem on its own, but it is an important step forward.

Let me be clear – I know there will always be unmet need in the sector.

But I believe the new National Access to Justice Partnership is a momentous step forward.

That’s why I have been disappointed to see some misrepresentation of what the new Agreement delivers.

I expect demands from the legal profession for government to do more for the legal assistance sector.

But misrepresenting facts helps no one, least of all those in the sector.

Further, it makes little sense to make demands of the Commonwealth only.

Legal assistance is a shared responsibility, and demands on government should not focus on the national government alone.

For those in the audience who work in the community legal sector, I would like to say thank you.

You are among the most talented, committed and hardworking lawyers in the country. The Australian Government values your work. I value your work.

Privacy

You may have noticed we passed a few bills last night and early this morning.

I will go to just two of those tonight.

The first enacts tranche one of our privacy reform agenda.

The legislation does a great deal. It:

    • Creates a new statutory tort for serious invasions of privacy;
    • Creates a new criminal offence for the malicious release of personal data online, known as doxxing; and
    • Establishes provisions to enable the development of a new Children’s Online Privacy Code.

A privacy tort is not a new idea. In fact, that is something of an understatement.

In his 1969 Boyer Lectures Sir Zelman Cowen endorsed legislation to create an actionable right to seek redress for breaches of privacy.

The bill provides for a new statutory cause of action for individuals who have suffered a serious invasion of their privacy, and applies it to both physical privacy and information privacy. Read the rest of this entry »

Verified by MonsterInsights