September 26, 2022
Rolling out a data breach response is something of an art form in the United States, where mandatory data breach notification laws have long been part of the regulatory landscape in most states of the Union. Certain types of data breaches, notably those involving health information, attract mandatory notifications. Letters to customers and plans to remediate damage are carefully drafted. Australia has no such long-term history of being required to respond to data breaches, and even under the Breach Notification Regime in Australia notices to clients/consumers/members are not mandatory. It might not even be mandatory to notify the Information Commissioner. The organisation has to make that determination based on the list of factors in Part IIIC of the Privacy Act.
So far Optus is demonstrating how a data breach should not be handled. It dawdled in sending notices, and the notice itself was poorly drafted and provided no assistance beyond suggesting customers keep a lookout and check various sites.
The media is reporting on annoyance and frustration among customers, with the Sydney Morning Herald reporting Frustrated Optus customers get the run around, 2GB’s Optus struggles to explain their data breach in trainwreck interview and Optus customers frustrated after compensation requests denied, phone number change not possible. All of this suggests that Optus either had no data breach notification plan or an inadequate one, and if it did have one, it didn’t test it with simulations. Data breach plans or incident plans are very important in competently dealing with a data breach. Having a team which can put a response into place is critical.
The examples Read the rest of this entry »
Posted in Privacy
Over the many years I have written about privacy and cyber security (as well as commercial and defamation law) I have never ceased to be amazed at how organisations blithely accept the risk of a data breach through poor privacy and cyber security practices, given the jaw-dropping costs of remediation after such a breach. Bringing in a range of experts to assess the damage, locate the cause of the breach, work with the regulators and then deal with litigation by those regulators or disgruntled customers can run up a cost of hundreds of thousands of dollars and often millions.
IBM’s Cost of a Data Breach Report for 2022 highlights the poor state of readiness of many companies with Read the rest of this entry »
Posted in General, Privacy
September 25, 2022
When hackers steal data they commonly do it for a reason. The days of student hackers breaching cyber defences for the fun of it are long gone. They have been more a product of Hollywood than reality, with some notable long-ago exceptions. Similarly, white hat hackers don’t find vulnerabilities and then steal data. They typically find the vulnerability and then notify the company. The Optus breach is more in line with either criminals aiming to turn the product of their theft into money or state-based hackers whose aims and motivations are more complicated: disruption, obtaining intelligence data on individuals, data to be used for identity theft and for use in conjunction with other data. State-based actors take a much longer view than criminals. There is some evidence that the data, or at least some of it, is being offered for sale on the dark net.
The data breach story has now moved into its second phase, where interested parties use it to push their agendas. The telcos are making it clear that their compliance obligations in retaining metadata are contributing to privacy breaches. Doubtful. Those obligations may contribute to compliance costs and definitely make the consequences of a data breach more significant: so much more to steal (if not properly protected, that is). But they do not weaken cyber security defences in and of themselves. There is a real issue about excessive legal requirements to obtain and retain personal information. The metadata retention laws require telcos to retain masses of data for longer than they need it, not to mention that these laws are a continuing pernicious blight on liberal democracy, giving agencies a right to access metadata without a warrant. There is also the general preference of companies to collect and store more personal information than they need, and for as long as they can, as the Age notes in an opinion piece, No, Optus doesn’t need to keep your sensitive information for so long. But none of that is a cyber security issue, as in protecting personal information from criminal actors. While there may be some regulatory overload on telcos, any sympathy must be tempered by the fact that cyber security is a separate issue. The protection of data (even data retained reluctantly) is possible with proper cyber security systems, proper protocols and adequate training. None of which is in abundant supply. Companies place too little emphasis on privacy and spend the bare minimum, often less. Unlike in the United States and the United Kingdom, data breaches in Australia do not bring a serious regulatory response by way of civil proceedings, fines or enforceable undertakings. If the worst-case scenario from a data breach is a tepid and muted regulatory response and some reputational damage, what is the incentive for a company to seriously get its house in order?
According to the ABC, the Government is going to legislate to require that financial institutions be notified of data breaches. The Australian runs a similar story as well. This is dealing with symptoms rather than problems and makes a complicated but ineffective privacy regime even more cumbersome.
The ABC story provides:
The Home Affairs Minister is soon expected to announce several new security measures following the massive Optus data breach that saw hackers steal the personal details of up to 9.8 million Australians.
On Saturday, Clare O’Neil and several of her federal ministerial colleagues met with the Australian Signals Directorate and the Cyber Security Centre to discuss the fallout from the devastating cyber-hack.
Under the changes to be announced in coming days, banks and other institutions would be informed much faster when a data breach occurs at a company like Optus, so personal data can’t be used to access accounts.
The ABC has been told the first step to occur will be directing Optus to hand over customer data to the banks so financial institutions can upgrade security and monitor customers who’ve had their personal details stolen. Read the rest of this entry »
Posted in General, Privacy
September 24, 2022
Every data breach is different. There are different types of attacks: through third-party vendors, stolen access credentials, zero-day vulnerabilities or a failure to patch cyber defences. What has been released to the public is that there was a weakness in the firewall, a vague description that could mean almost anything. What is not made clear is what defences behind the firewall were in place and whether they were working. Did Optus have programs running which detected unusual activity within the system? What about defences protecting the data itself? Was there any detection of exfiltration? A surge of activity involving a large volume of data should be detected if there are programs in place and proper procedures.
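One way the surge detection described in the paragraph above can work, as an added example that is not from this post, from Optus or from any vendor: the script below aggregates constructed outbound-transfer log lines per host per hour and flags any hour in which a host sends more than a multiple of its own median hourly egress. The log format, host names, thresholds and all byte counts are assumptions made for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample: one line per outbound transfer, "ISO-timestamp host bytes".
# These are made-up values for the example, not Optus data or any real log.
SAMPLE_EGRESS_LOG = """\
2022-09-20T01:12:03 api-gw-01 110000
2022-09-20T02:07:41 api-gw-01 98000
2022-09-20T03:15:22 api-gw-01 130000
2022-09-20T04:02:10 api-gw-01 105000
2022-09-20T05:44:09 api-gw-01 121000
2022-09-20T06:03:31 api-gw-01 41000000
2022-09-20T06:21:58 api-gw-01 37000000
2022-09-20T07:01:17 api-gw-01 102000
2022-09-20T01:30:00 web-02 500000
2022-09-20T02:30:00 web-02 520000
2022-09-20T03:30:00 web-02 480000
2022-09-20T04:30:00 web-02 510000
2022-09-20T05:30:00 web-02 495000
"""

def parse_egress(text):
    """Parse lines of 'timestamp host bytes' into (hour_bucket, host, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, nbytes = line.split()
        records.append((ts[:13], host, int(nbytes)))  # 'YYYY-MM-DDTHH' is the hour bucket
    return records

def hourly_totals(records):
    """Sum outbound bytes per (host, hour)."""
    totals = defaultdict(int)
    for hour, host, nbytes in records:
        totals[(host, hour)] += nbytes
    return totals

def detect_surges(totals, factor=10.0, min_bytes=5_000_000):
    """Flag hours where a host's egress exceeds factor x its median hourly egress
    and an absolute floor (so quiet hosts with tiny medians are not flagged on noise)."""
    per_host = defaultdict(dict)
    for (host, hour), nbytes in totals.items():
        per_host[host][hour] = nbytes
    alerts = []
    for host, hours in per_host.items():
        baseline = statistics.median(hours.values())
        for hour, nbytes in sorted(hours.items()):
            if nbytes >= min_bytes and nbytes > factor * baseline:
                alerts.append((host, hour, nbytes, round(nbytes / baseline, 1)))
    return alerts

if __name__ == "__main__":
    print(detect_surges(hourly_totals(parse_egress(SAMPLE_EGRESS_LOG))))
```

Run stand-alone, it reports the single 06:00 hour in which api-gw-01 sent roughly 700 times its median hourly volume; web-02, whose traffic is steady, is not flagged.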
The breakdown of the breach, in broad terms, is:
- exposed passport, driver’s licence and phone numbers, email and home addresses and dates of birth of 2.8 million customers
- dates of birth, email addresses and phone numbers of another 7 million customers.
Optus’s response to the data breach has been something of a curate’s egg: good in parts.
Optus has adopted a personal approach in response to the breach. A personal mea culpa by the Optus Chief Kelly Bayer as reported by the Australian in Optus chief Kelly Bayer Rosmarin apologises for massive hack that could date to 2017. It provides:
Optus chief executive Kelly Bayer Rosmarin has delivered an emotional apology for the company’s data breach which has affected up to nine million of the telco’s customers.
Fronting the media on Friday Bayer Rosmarin was on the verge of tears when asked how she feels about the data breach occurring under her leadership.
It is understood personal details dating back to 2017, and with possible links to Europe, may have been accessed in the hacking attack.
“[I feel] terrible,” Ms Bayer Rosmarin told reporters.
“It’s a mix of emotions. Obviously, I’m angry, that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it. I’m disappointed that it undermines all the great work we’ve been doing to be a pioneer in this industry and really trying to create new and wonderful experiences for our customers. Read the rest of this entry »
Posted in General, Privacy
September 23, 2022
Optus suffered a massive data breach through a cyber attack two days ago, the biggest in Australian history involving Australian data. Optus released a media release about it yesterday. The compromised data included names, dates of birth, driver’s licences and passport numbers: the sort of information which would allow a hacker to attempt identity theft. Very saleable data on the dark web.
A curious aspect of this incident is that some of that data related to former customers. It will be interesting to see how far back that data goes. Why is it necessary to hold on to the data of former customers from many years back? That may be a breach of the Australian Privacy Principles.
With access to key data, including emails, the danger to affected customers is phishing attacks and attempts at identity theft, rather than an immediate danger that Optus phone or email data will be used or the services disrupted. It is little wonder that the media is reporting a heightened risk of fraud against those affected. The breach did not include payment details or account passwords.
Optus has notified the Information Commissioner. One issue to resolve is what notification will be provided to affected Optus customers. Australian notifications are rarely as open and expansive as those issued in the United States where mandatory data breach notification has been part of the regulatory environment in most states. Notices by affected organisations in the United States are more candid (though not providing all details for obvious reasons) and contrite and commonly more generous in offering support. That is good business.
In its own review, and probably under the scrutiny of the Commissioner, there will be a careful analysis of the effectiveness of Optus’s Data Breach Response Plan. In my experience Australian organisations put less than optimal effort into preparing for a data breach. Similarly, the response to a data breach is too often marked more by improvisation than by following a plan.
Optus issued a media release today at 2pm titled Optus notifies customers of cyberattack compromising customer information. It Read the rest of this entry »
Posted in Practical issues, Privacy
September 20, 2022
The National Institute of Standards and Technology (“NIST”) has released NIST Internal Report (IR) 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight. It is a particularly useful and practical report. In short compass it describes ways to combine risk information across an enterprise, so that risk information is integrated in a way which permits proper decision making and monitoring.
The report describes an enterprise risk profile (ERP) that supports the comparison and management of cyber risks.
The Abstract provides:
This document is the third in a series that supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional details regarding the enterprise application of cybersecurity risk information; the previous documents, NISTIRs 8286A and 8286B, provided details regarding stakeholder risk direction and methods for assessing and managing cybersecurity risk in light of enterprise objectives. NISTIR 8286C describes how information, as recorded in cybersecurity risk registers (CSRRs), may be integrated as part of a holistic approach to ensuring that risks to information and technology are properly considered for the enterprise risk portfolio. This cohesive understanding supports an enterprise risk register (ERR) and enterprise risk profile (ERP) that, in turn, support the achievement of enterprise objectives.
This guide is of particular use for privacy practitioners. It discusses Read the rest of this entry »
Posted in General, Privacy
September 11, 2022
The United States National Security Agency (“NSA”) has released its Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) Cybersecurity Advisory. It notifies operators of National Security Systems (networks which contain classified information or are otherwise critical to military or intelligence activities) of the requirement to adopt quantum-resistant (QR) algorithms. A cryptanalytically relevant quantum computer would have the potential to break public-key systems, so it is necessary to plan, prepare, and budget for a transition to QR algorithms in case cryptanalytically relevant quantum computers become a reality.
The media release Read the rest of this entry »
Posted in Privacy
Educational institutions are prime targets for cyber attackers. They hold large volumes of personal information about students and staff, and often alumni. They are also notoriously poor at maintaining proper data security. A key response to the coronavirus epidemic by schools was to move to remote learning. That meant greater opportunities for cyber attacks. Attacks on educational institutions this month, so far, include Franklin College in the United States being attacked, with the personal information of 6,000 students possibly being taken. The Savannah College of Art and Design suffered an attack with personal information being accessed. Someone stole the personal information of students who studied there from 1989 to 1999. Why an institution would still have that information on its server is a mystery and a failure of proper data management. The stolen data included the names and Social Security numbers of students.
But those breaches were dwarfed by a data breach of the Los Angeles Unified School District, which enrols 600,000 students. It is the second largest school district in the United States. It has suffered a data breach, Data Breach Today reports in Los Angeles School District Hit by Ransomware Attack. It seems that at least 23 sets of credentials were compromised before the attack and offered on the dark web. At least one of those credentials unlocked an account for the school district’s virtual private network. Tellingly, last March the FBI Read the rest of this entry »
Posted in Privacy
September 6, 2022
At a time when children’s privacy is at the top of privacy regulators’ agendas around the world, the school administrators in Moorebank have installed fingerprint scanners at their toilets. The rationale: to stop vandalism. A ridiculously disproportionate response to an eternally chronic problem. It brings to mind the saying that the problem with teachers is that they have never left school. Because if this initiative were not so concerning it would simply be regarded as juvenile.
According to the State Education Department it is not compulsory for students to register their fingerprints; however, the alternative is to get an access card from the office every time a student wants to use the bathroom. What sort of choice is that! Making the alternative difficult and potentially embarrassing effectively restricts the choice. It makes it a non-choice. In real terms there is no alternative but to consent for most students. The consultation process, Read the rest of this entry »
Posted in Privacy
The US Federal Trade Commission warned as far back as July that it would focus on illegal sharing of highly sensitive health data. That was preceded by a warning in September 2021 to health apps and connected device companies that they had to comply with health breach notification rules. In June 2021 the FTC settled with Flo Health, a fertility tracking app which inappropriately shared sensitive health data with Facebook and Google. On 11 August 2022 the FTC announced it was embarking on commercial surveillance rule making.
In that context it is not surprising that the FTC has commenced proceedings against Kochava for selling data which tracks people when they are involved in sensitive activities, such as attending health clinics and places of worship.
The media release provides:
The Federal Trade Commission filed a lawsuit against data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
Idaho-based Kochava purchases vast troves of location information derived from hundreds of millions of mobile devices. The information is packaged into customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations. According to Kochava, these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use. Read the rest of this entry »
Posted in Big Data, Federal Trade Commission, Privacy