Six massive data breaches in 2024 resulted in 1.7 billion data breach notices. A 312% increase over 2023. Most of the data breaches were avoidable

February 2, 2025

The number of data breaches continues to rise year on year. More concerningly, the number of victims affected grows exponentially. Data Breach Today, in 312% Surge in Breach Notices That Could Have Been Prevented, reports on an enormous spike in data breach notices being sent out on the back of six massive data breaches. Concurrently, Bleeping Computer reports in US healthcare provider data breach impacts 1 million patients that Community Health Centre in Connecticut suffered a data breach in mid-October 2024 which was only discovered on 2 January 2025. It also reports in Backdoor found in two healthcare patient monitors, linked to IP in China that the US Cybersecurity and Infrastructure Security Agency (CISA) has warned that certain patient monitoring devices manufactured by Contec include a back door which sends patient data to a remote IP address. Contec is a China-based company. These stories highlight the continuing need for companies to adopt a comprehensive and holistic approach to privacy protection.

The Data Breach Today story provides:

Six mega cybersecurity incidents led to a record 1.7 billion data breach notices going out to victims in 2024 – a dramatic 312% increase over the previous year. Among the mega-breaches, the Change Healthcare ransomware attack – the third-largest breach – continues to grow. The insurance company last week nearly doubled its estimated breach count to 190 million people.

Australian Privacy Commissioner gets a nice media makeover, er, is the subject of a deep, insightful report, the way it is currently done, over lunch

C’est chic to do an in-depth piece over an extravagantly priced breakfast or lunch. Not only does the reader get to know something about the subject, but we get an insight into what the movers and shakers are eating and where they congregate to consume. The Australian Financial Review has recently published a profile of Carly Kind, the recently appointed Privacy Commissioner. This is something of a first for Privacy Commissioners. The most recent Information Commissioners (who covered privacy), Timothy Pilgrim (a pleasant but through-and-through public servant) and Angeline Falk (a long-serving deputy in the Office of the Australian Information Commissioner), were not media averse as such. But their media forays were relatively few and brief, usually confined to an interview on the ABC or quotes for other media. Their speeches at conferences were safe and predictable and certainly not designed to shake up the woeful privacy culture in the Australian marketplace. Even by the grey standards of Australian regulators they were distinctly in the background. Which was a shame. Privacy issues did not get ventilated as much as they should have. That is perhaps understandable given the generally ineffective regulation and enforcement of the Privacy Act. To be fair, the last few years have seen a marked improvement in enforcement, but it has come off a low base and has not had a significant impact on the market yet. And, to be fair, Pilgrim and Falk were marked improvements on their predecessors.

Carly Kind has had a good start as Privacy Commissioner: a distinct uptick in enforcement action and more assertive commentary. That she has a pedigree largely outside the Australian Public Service is a huge advantage. She may be less hidebound by conservative, self-restraining litigation guidelines. We can only hope, given she has been handed even more enforcement powers in the most recent amendments to the Privacy Act late last year. In this article she was candid in criticising poor public policy which has led to privacy-invasive practices, as I have been writing about for years. She needs to bring high-profile actions which put high-profile privacy-breaching companies into the media spotlight. This is a common approach of ASIC and the ACCC. That is the only way of changing the culture in the marketplace.

The article gives some restrained hope that the coming years will see more effective and high-profile regulation of privacy breaches. It is well overdue.

The article provides:

My lunch with the Australian Privacy Commissioner, Carly Kind, begins with a confession.

“I tried to stalk you on social media on my Uber on the way,” I say as she sits down at Manly’s Noon café, bike helmet in hand.

Looking up other people’s social media is something everyone does but no one should ever admit to, particularly not to the woman charged with protecting the nation’s privacy by upholding the Privacy Act of 1988.

Kind is taken aback and for a moment, I think I’ve blown it before we’ve even ordered a coffee, let alone lunch.

“Did you find anything interesting?” she responds after what feels like an age.

No. She is on Instagram and on Facebook. But both attempts to glean any information of value were foiled despite me being a Millennial journalist well versed in the art of lurking.

Privacy Commissioner Carly Kind admits she’s less idealistic about the role of regulation in protecting online privacy and worries one day big tech will decide not to obey the law.  

Her Instagram is set to private. Her Facebook isn’t locked but the only photo I can click on is of the back of her head. I did manage to deduce she has 737 Facebook friends, but there are no workplaces, relationships, or really any other information to show.

When I lament my efforts were dashed, she’s nonchalant, “I really don’t use Facebook these days, but I can’t get rid of it because of Marketplace.”

I feel seen immediately.


The UK Information Commissioner’s Office releases a code of practice for online services involving children

The most active form of privacy regulation across the world now relates to protecting children and limiting the data taken from them and used by businesses. The UK Parliament passed the Online Safety Act 2023. The Act imposes new duties on social media companies and search services, making them more responsible for their users’ safety on their platforms. Those new duties include implementing systems and processes to reduce the risk that their services are used for illegal activity, and taking down illegal content when it does appear. Regarding children, platforms are required to prevent children from accessing harmful and age-inappropriate content and to provide parents and children with clear and accessible ways to report problems online when they do arise. The main regulator, Ofcom, has set out age-check guidance regarding access to online pornography. The Information Commissioner has had a code of practice for some time regarding age-appropriate design for online platforms. The core of the code is 15 standards.

The 15 standards are:

1. Best interests of the child

2. Data protection impact assessments

3. Age appropriate application

4. Transparency

5. Detrimental

Brazilian regulators ban iris scan company from paying citizens for biometric data

January 31, 2025

The collection of vast amounts of data fuels any number of programs, from basic analytics to facial recognition and AI. It is not surprising, then, that Tools for Humanity, a company co-founded by Sam Altman, the CEO of OpenAI, is collecting iris data. For money. This has quite legitimately attracted the ire of the Brazilian National Data Protection Authority, which has reportedly moved to ban the practice.

The article provides:

Brazil bans iris scan company co-founded by Sam Altman from paying citizens for biometric data

Brazilian data privacy regulators say they are prohibiting Tools for Humanity (TFH), a biometric identity company co-founded by OpenAI CEO Sam Altman, from paying citizens for iris scans.

Federal Trade Commission finalises changes to the Children’s Privacy Rule so as to limit companies’ ability to monetise children’s data

The United States has quite an effective child privacy protection law, the Children’s Online Privacy Protection Act. It also has a very sophisticated data broking and analytics industry. And some businesses have no problem collecting data on children to assist in marketing products and services. The Federal Trade Commission has announced changes to the Children’s Online Privacy Protection Rule which set new requirements about the collection, use and disclosure of children’s personal information, require parents to opt in to third-party advertising and place limits on data retention.

The United States and the European Union are far ahead of Australia when it comes to dedicated privacy protection. The eSafety Commissioner provides some regulatory assistance, but it is not focused enough on privacy. Under the amendments to the Privacy Act 1988 in the Privacy and Other Legislation Amendment Bill 2024, passed in late November last year, the Commissioner will develop a Children’s Online Privacy Code to better protect children from a range of online harms. That Code will take effect in 2 years.

The media release from the FTC provides:

The Federal Trade Commission finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.

The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized.

An unsurprising criticism of the upcoming statutory tort of privacy which is generally wrong

January 20, 2025

Chris Merritt is a good journalist and has ably edited the Legal Affairs section of the Australian. But he has bugbears which defy logic and fact. One of them is a statutory tort of privacy. The Australian has always had a set against the tort, primarily because of fears that it would interfere with the practice of journalism. Given the exemption which precludes a claim from being brought against journalists, this is no longer a thing for the Australian. That of course does not stop Merritt from having a major rant against the statutory tort in last week’s Business to pay the price for new privacy tort. It is quite surprising that the Australian has been so slow to start its complaint about the statutory tort. In the past it campaigned a long time before any tort was even proposed. Here the complaint is made after the fact.

Now Merritt’s complaint is that businesses will be bankrupted for being vicariously liable for breaches of privacy.

The focus of the article is on the possible impact on businesses. It relies on the submissions by the Business Council of Australia and the Australian Industry Group to the Senate Committee reviewing the Bill. The BCA and the AIG have always been hostile to any form of actionable right to privacy. Their submissions on this heavily circumscribed statutory right have followed that line. They were not particularly analytical submissions and had a heavy dose of Henny Penny “the sky is falling” hypotheticals. One hypothetical is how this tort will impact insurance premiums in the future. Merritt draws a very long bow in comparing the impact of the tort with the insurance disruption following the collapse of HIH, suggesting a similar result is in the offing. Given the general damages award is capped, this is quite a stretch. It is quite an illogical analysis because, given the tort requires an intentional or reckless act, it is not proper to compare those future claims with claims of the sort, and awards of the quantum, associated with personal injury and medical negligence. The statutory tort provisions make no comment on vicarious liability, so the general principle applies. But so what? The situations where that happens will be quite limited. A company may be called to account if a person uses company resources to interfere with someone’s privacy in the course of company business and not inconsistently with its activities.

It is quite a poor article, but it does highlight the continuing, largely ideological, fighting retreat by some areas of the media in opposing a statutory tort.

The article provides:

Right now, companies are failing at a record rate. So can anyone think of a worse time to create a new way of suing business?

Unfortunately, that’s exactly what federal parliament did on November 29 when it approved a new statutory tort for serious invasions of privacy.

Despite warnings from peak industry groups, parliament did nothing to stop innocent employers being held vicariously liable for invasions of privacy committed by employees who break corporate rules.

Everyone should be accountable for their misdeeds – but not the wrongs committed by others. Yet that is a key feature of the new privacy tort sitting on the federal statute book, just waiting for enterprising lawyers to give it a run when it comes into force in June.

In October, the Business Council of Australia warned about the potential unfairness of holding employers vicariously liable for the wrongful actions of their employees – particularly if companies have taken all reasonable steps to prevent staff from invading anyone’s privacy.

Data breaches kept increasing in 2024, so bad in the health care sector that it prompted changes to regulation in the United States

January 6, 2025

With the end of 2024 there have been compilations of the year’s data breaches. They make for sombre reading. According to Proven Data, the biggest data breaches in the United States were:

National Public Data breach.

  • Records compromised: 2.7-3 billion
  • Scope: Affected individuals in the United States, Canada, and the United Kingdom
  • Key details: Included social security numbers, names, addresses, and other personal information

Ticketmaster data breach

  • Records compromised: 560 million
  • Key details: Exposed personal and financial information, including names, email addresses, phone numbers, and payment details

Change Healthcare ransomware attack

  • Records compromised: Approximately 145 million
  • Scope: Potentially affecting one-third of Americans
  • Key details: Exposed personal, medical, and billing information through a ransomware attack

AT&T data breach

  • Records compromised: 73 million
  • Key details: Exposed customer data, including Social Security numbers, account numbers, and passcodes

Snowflake Cloud data breaches

  • Total records: Over 165 customer environments were compromised
  • Notable victims:
    • Ticketmaster: Up to 560 million customer records exposed
    • Santander Bank: 30 million customer records compromised
    • AT&T: Call and text records spanning multiple months
    • Advance Auto Parts: Over 2.3 million individuals were affected, with sensitive job application data exposed

In December alone the significant data breaches were:

1. SRP Federal Credit Union Breach

On December 19, SRP Federal Credit Union disclosed

Yes Virginia, there is a Santa Claus. A Christmas greeting

December 24, 2024

It is that time of year. Christmas. I wish you all a happy and holy Christmas and that in 2025 all your hopes and dreams come true. As per my tradition, I republish one of the great journalistic pieces on Christmas, Yes Virginia there is a Santa Claus. It struck me when I first read it as an 18-year-old and I still marvel at the beautiful prose. It is what all good writing should be: clear, spare and lively. This piece also has a touch of literary fairy dust. To write like this is a noble aim.

Here it is:

Dear Editor,
I am 8 years old. Some of my little friends say that there is no Santa Claus. Papa says “If you see it in the Sun, it is so.” Please tell me the truth, is there a Santa Claus?

Virginia,
Your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except what they see. They think that nothing can be which is not comprehensible by their little minds.

All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, Virginia, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to our life its highest beauty and joy.

Alas! How dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

Not believe in Santa Claus? You might as well not believe in fairies! You might get your Papa to hire men to watch all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove?

Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see.

Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders that are unseen and unseeable in the world.

You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, or even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernatural beauty and glory beyond.

Is it all real? Ah, Virginia, in all this world there is nothing else as real and abiding.

No Santa Claus? Thank God he lives and he lives forever. A thousand years from now, maybe 10 times 10,000 years from now, he will continue to make glad the hearts of children.

Written by Francis P. Church in 1897

Health services continue to be a prime target for hackers. In the US another hospital hit by a hack with 1.4 million patients’ information leaked

December 18, 2024

Health organisations, including surgeries, clinics, hospitals and health insurers, are the number one target for cyber attacks. They collect vast amounts of personal information and linked financial information. They are commonly poorly protected for a range of reasons: ageing and combined incompatible operating systems, poor privacy training, multiple entrepôts, poor protocols leading to inadequately controlled authorisations and, generally, a poor culture among those in the industry. So it is not surprising to read in Another major US hospital hacked, data on 1.4 million patients leaked that there has been yet another big cyber attack. And the Nebraska Attorney General is suing Change Healthcare and two other companies, as reported in AG sues Change Healthcare, two other companies after data breach hits at least 575,000 Nebraskans.

The 1.4 million hack story

UK Information Commissioner’s Office prosecutes an employee for illegally accessing personal information

Employees accessing personal information for purposes other than those for which that information was collected is a chronic problem. Sometimes it is an employee looking up the personal information of family or friends, sometimes it is a breach of confidentiality, sometimes it is police unlawfully accessing personal information, and sometimes it is hacking by organisations. There are endless ways personal information can be, and often is, illegally accessed. The key is proper training and proper computer systems.

The Information Commissioner has prosecuted an insurance worker in Manchester for unlawfully accessing personal information in relation to accident claims.

The ICO’s media release
