August 22, 2020
Today the Australian Securities and Investments Commission (“ASIC”) commenced proceedings against RI Advice Group Pty Ltd (“RI”). The proceeding was filed in the Federal Court, Victorian Registry.
RI holds an Australian financial services licence and at all relevant times was a wholly owned subsidiary of the Australia and New Zealand Banking Group Limited (ANZ).
According to the Concise Statement:
- on 3 January or 3 March 2017 RI became aware of a 2016 ransomware attack on the computer systems of one of RI’s authorised representatives, which made files inaccessible [5];
- on 30 May 2017 RI became aware that another authorised representative’s files had been hacked, affecting 226 client groups [6].
ASIC alleges that in relation to each of those incidents RI should have, but failed to:
(a) properly review the effectiveness of the cybersecurity controls relevant to these incidents across its authorised representative (AR) network, including account lockout policies for failed log-ins, password complexity, multi-factor authentication, port security, log monitoring of cybersecurity events, cyber training and awareness, email filtering, application whitelisting, privilege management and incident response controls; and
(b) ensure that those controls were remediated across its AR network, where necessary, in a timely manner, in order to adequately manage risk with respect to cybersecurity and cyber resilience.
- between 30 December 2017 and 15 April 2018 an unknown malicious agent obtained and retained remote access to an authorised representative’s file server and spent 155 hours accessing sensitive client information. As a result, 27 clients reported unauthorised use of their personal information, including 3 attempts to redirect mail and multiple bank accounts being opened without consent. The Australian Information Commissioner was notified. An investigation revealed that 8,104 individuals were exposed to the breach.
ASIC alleges that the risk management systems and resourcing relating to cybersecurity and cyber resilience were inadequate
Posted in Corporations Law, Federal Court, Privacy
August 20, 2020
One of the many flaws in the Privacy Act 1988 is that political parties are exempt from its coverage. That was not an omission or an unintended consequence of the drafting. There is a specific carve-out for political parties in section 7C of the Privacy Act. The provision, titled Political acts and practices are exempt, is comprehensive in exempting political organisations, their subcontractors (subsection 3) and their volunteers (subsection 4). These provisions were passed with bipartisan support. It was and remains a major public policy failing.
The lifeblood of political parties is data. Data allows political parties to refine messages and target voters. That data comes from constituents contacting their local members, polling, gleaning information from social media and other forms of information collection. Gone are the days when political parties relied on rough quantitative surveys and the gut feel of hardened political operatives. Political parties now focus on blocks and streets, not suburbs and electorates, when they are not targeting individual voters. Most of that data is personal information.
The other store of data that political parties hold is membership lists. Membership lists are nuggets of gold for apparatchiks in their constant quest to work the numbers, whether in preselection fights or in competing for positions on the many committees within all political parties. And internal competition can be fierce, much fiercer than that between political parties. Factions spend an enormous amount of time signing up members to electorate branches, while rival factions monitor those activities and attempt to derail them whenever possible, as well as signing up their own members. The desire to thwart one’s opponents easily descends into regrettable acts of skullduggery. And that seems to be at the core of the data breach of the Victorian Division of the Liberal Party, as reported in Warring Victorian Liberals spring a data leak.
By any measure, a data breach involving the access to and distribution of the personal details of Liberal Party members without their consent is a very serious matter. Many members of political parties are quite open about their membership; some are very vocal about it. But many are not, for a range of legitimate reasons, be it the difficulties it would cause in their jobs (such as working in the public service) or personal ones, such as not wanting family members to know they are active. And because of the corrosive nature of inter-party fighting, it attracts unwanted attention, as seems to have occurred here, with members being called and quizzed on their membership and on who paid their membership fees. Worse, the story reports that details of the list have been provided to journalists.
The response when political parties suffer embarrassing data leaks is depressingly familiar: call in the police. It looks and sounds strong and means very little. The police come in, look around, take a few statements, quickly realise they are part of a pantomime (though they probably knew that before putting on granite faces and walking in with clipboards tucked under an arm) and send their carefully typed report up the chain of command until it gets a nose bleed. Weeks pass, then months go by, and on a Friday afternoon close to Christmas a press release announces that the investigation is closed. And that is probably the right result, because the problem is not criminal activity; it is poor governance and a poor understanding of what is required to properly collect, store and use personal information. And for better or worse, generally worse, the appropriate body to investigate is the Australian Information Commissioner, which cannot happen because political parties have been exempted from coverage. Some of the most data-intensive organisations in Australia, collecting some of the most sensitive personal information, are exempt. It is a failure of public policy on a staggering scale.
The article
Posted in General
August 18, 2020
Stories about Google knowing more about its users than the users themselves are so ubiquitous, like Google itself, that they rarely make their way onto the back page of a paper, let alone the front page. What is more concerning and noteworthy is the recent run of stories about social media platforms, like Facebook, and data-collecting companies, like Google, collecting and using data contrary to the user’s chosen settings. The Australian reports on the latest example of this egregious behaviour in Google knows your every move even with ‘location history’ off. In short, Google is tracking a phone’s movements even when the settings intended to protect privacy are activated. This was determined through a test in which software was installed to detect (described as tapping) data being sent to Google, and that data stream was identified. The nub of the problem is that the use of the data went beyond what had been consented to, with that data then being sold by brokers to police forces, governments and spy agencies. The data collected includes
Posted in Big Data, Privacy