Post Optus data breach discovery of the problems with privacy…which have been known about for decades

September 29, 2022

Writing about privacy and the deficiencies in the law is to feel like Cassandra.  Cassandra was a Trojan priestess of Greek mythology who was given the gift of prophecy, but was also cursed by the god Apollo so that her true prophecies would not be believed.

With the Optus data breach suddenly people have discovered the problems I have been writing about for years.  As if it is a sudden discovery.  That is typified by an ABC article, What does the Optus data breach reveal about corporate governance problems around cyber security?, the Australian Financial Review with Customer data should not be a corporate asset: Dreyfus and the

Chilean Court system suffers a ransomware attack

The Chilean judicial system has suffered a ransomware attack requiring it to take 150 computers offline to stop the spread of a virus, as reported in Chilean Court System Hit With Ransomware Attack.  The Trojan program entered the system via a phishing email, a typical entry point for ransomware.

It provides:

The Chilean judicial system yanked 150 computers offline to stop the spread of a virus that maliciously encrypts files even as authorities stressed that court proceedings were mostly unaffected.

The event is the latest cyber disruption affecting the South American country. The nation’s consumer protection agency was hit by a ransomware attack that started on Aug. 25 (see: Chile Consumer Protection Agency Hit by Ransomware Attack) and just days ago, hundreds of thousands of emails hacked from the military’s Joint Chiefs of Staff were published online.

Optus Data Breach, enter the theorists

As a practitioner in the privacy area I find it fascinating to see how a sophisticated telco has pretty much done everything wrong in responding to the data breach.  Its original notification was poorly drafted and vague.  Getting a CEO to front the media is a real gamble which did not pay off.  Optus is stubbornly refusing to give any insight into what actually happened.  It is possible to provide a broad outline without compromising work being undertaken or any commercial-in-confidence information (which is difficult to see applying).  Optus was less than candid about what data was compromised, failing to mention that Medicare numbers were included in the personal information stolen.  Optus has been slow in advising its customers what they can do.  It has been incredibly miserly in providing assistance through the use of credit reporting.  It has grudgingly agreed to pay for the replacement of drivers’ licences.  If it had a data breach response plan, which is doubtful, it was probably drafted by Telstra.  It has failed to take control and get ahead of the news cycle and in the process has been attacked from all sides.  Much of that is self-inflicted, though there is an element of opportunism in some of the political attacks.

An example of Optus’s dreadful communications has been its late and seemingly reluctant advice that Medicare numbers had been compromised.  It provided a statement only yesterday.  It said:

Of the 9.8 million customer records exposed, we have identified 14,900 valid Medicare ID numbers that have not expired. All of the customers who have a Medicare card that is not expired will be contacted within 24 hours. There are a further 22,000 expired Medicare card numbers exposed. Out of an abundance of caution they will also be contacted directly over the next couple of days.

Please be assured that people cannot access your Medicare details with just your Medicare number. If you are concerned or have been affected, you can replace your Medicare card as advised by Services Australia.

Our call centres will not have further information to assist on this matter. We are in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take.

Medicare numbers being stolen causes the public incredible concern.  But the reality is

UK Information Commissioner advises that TikTok could face a 27 million pound fine for failing to protect children’s privacy

September 28, 2022

The Federal Trade Commission has been taking action against companies for misusing the personal information of children.  The UK Information Commissioner’s Office has also taken action on that front, against TikTok.  It has issued a notice of intent against TikTok for failing to protect children’s privacy.  The statement

Optus data breach, the remediation and no shortage of continuing recrimination

Data breaches in other jurisdictions rarely have governments drawn into both the circumstances of the data breaches and the steps being taken to remedy them.  Usually regulators are the limit of governmental involvement. There have been exceptions.  The Cambridge Analytica scandal involving Facebook attracted widespread condemnation from political parties across multiple jurisdictions. But the Federal and now State Governments’ involvement in the Optus data breach, both as critics and active participants, is unusual.  Probably because it is such a massive data breach and it involves a major telco.  Whether this is good practice remains to be seen. The initial and ultimate responsibility for cyber security and remedying a data breach lies with the organisation itself.  The Federal Government has a critical role in ensuring there is the appropriate level of regulation and a regulator which is willing and able to enforce the laws.

The Australian reports in Scramble to save millions of Optus customers that Australians are in the dark about the security of their personal information and that governments and banks are working to protect them.  It reheats a story first run by the Guardian that Optus resisted any legislative change to the privacy laws.

The article

Optus data breach, politics starts intruding with scalp hunting season opening…to the detriment of fixing the problem.

September 27, 2022

At the end of this debacle it is likely that there will be changes of personnel at Optus.  And that would not just be the Chief Executive feeling some pressure to find greener pastures.  The head of IT, the in-house media unit, the privacy officer, the head of the in-house legal team and probably anyone who had any role in installing and operating cyber security should all be put under some scrutiny.  All of them would have had some role in preventing the data breach and then remediating the damage.  The latter has just been dreadful.  But calling for the head of the Chief Executive at the moment is counterproductive and is a reversion to form in this field: short-term hits that distract from the boring hard graft of fixing the problem.  It takes months and sometimes longer to resolve the problem, technical, reputational and legal.  And lots and lots of money.  Losing a chief executive, or any other high-level manager for that matter, gives politicians something to crow about, some customers some satisfaction and the media plenty of ink to spill.  But it is most likely counterproductive for the company and the victims of the hack.

Both the Government and the Opposition have increasingly wielded the knife in the public discourse.  The Opposition Cyber Security Spokesman has been frenetically releasing posts attacking the Government’s response and telling it to make cyber security a priority. The data breach is primarily Optus’s problem to fix.  Clearly Government resources are being put to use in fixing that problem; however, it is bad policy for the government to step into Optus’s shoes or even have that option. In the Age’s Optus boss digs in over cyberattack as government fury grows it is clear that responding to the data breach is not confined to the lost personal information.  The Government has moved from being a party that can assist to a more adversarial role, at least

Optus data breach, Federal Government continues criticism of Optus through other ministers

Optus continues to be the target of criticism, if not direct political attack, from Federal Government ministers.  Attorney-General Mark Dreyfus and Defence Minister Richard Marles state that the data breach should never have occurred, as reported in the Australian’s ‘Data breach should never have happened’: Dreyfus, which provides:

Attorney-General Mark Dreyfus has doubled down on the government’s criticism of Optus in allowing the massive breach of customer data.

“Australians expect that when they hand over their personal data, every effort will be made to keep it safe from harm,” he said.

“We know that millions of Australians have been impacted by the Optus data breach, and it is a data breach that should never have happened.

“It involves the release of Australian citizens’ names, date of birth, phone numbers, email addresses, residential addresses and, for some customers, passport numbers and driver’s license numbers being apparently for sale on the dark web.”

Mr Dreyfus said the government was concerned by reports that personal information from the Optus data breach also included Medicare numbers.

“Medicare numbers were never notified as forming part of the breach,” he said.

“I can say that Optus has a clear obligation to notify affected customers, affected individuals, which of course includes both past customers of Optus and present customers of Optus.

“Optus has a clear obligation to notify both the affected individuals and the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. Consumers have also got a right to know exactly what individual personal information has been compromised in Optus’s communications to them.”

Acting Prime Minister Richard Marles said the breach was “a wake-up call for corporate Australia”.

“I know now that cyber security is right there in the top echelon of issues … and we need to be doing everything we can to make sure protections are in place,” he said.

Yesterday the Home Affairs Minister, Clare O’Neil, was making her displeasure with Optus known in her interview with Rafael Epstein in

Optus Data Breach, the hacker withdraws demands and apologises

The Optus hacker has upended the script.  Traditionally a hacker steals data or locks up the data of a hapless organisation and demands payment for the return/non-publication of the data or for the key to the locked data. And that is how it was playing out until today.  After releasing personal information relating to 10,000 individuals, with a demand that if a ransom of $1.5 million was not paid a further release of information would be forthcoming, the hacker changed his (and it almost certainly is a man) mind, deleted links to the released personal information and apologised for attempting to sell the data. In addition to the personal data of customers, the hacker had email addresses from the Defence and Prime Minister’s offices.

The Guardian covers this extraordinary twist in

Optus Data Breach turns into a ransom operation! Personal information of 10,000 Optus customers released as part of a ransom demand

The question of whether the hackers who stole the personal information of almost 10 million current and former Optus customers were criminals motivated by money or state-based operatives has been resolved.  It was criminals.  The hackers have released the personal information of 10,000 individuals and have promised to release the details of 10,000 more people each day for the next four days until the hackers’ demands have been met.  It is reported in the Australian at Details of 10,000 Optus customers released.  It

Optus data breach, the Government takes issue with Optus and a class action is being mooted

September 26, 2022

Optus’s woes continue.  This time the Minister for Home Affairs has taken issue with Optus over its cyber security and its response to the data breach in a none-too-subtle answer to a Dorothy Dixer in the House of Representatives today.  It is hardly surprising.  Optus has handled a particularly difficult situation particularly badly.  For an organisation of its size, and with no doubt an understanding of what happens in other parts of the world, its response to the data breach has been ponderous, vague, defensive, apparently aggressive when dealing with frustrated consumers and lacking in transparency.  If there was a data breach response plan it was thrown out the window late last week and replaced with not much at all.

The Hansard of Ms O’Neil’s answer