Cyber Security Minister O’Neil states that relentless cyber attacks are here to stay… Right, but they have always been here; governments were just not paying attention. The problem is that data breaches are now becoming an ongoing political rather than legal issue

October 20, 2022

The sub editors are earning their keep coming up with ever more dramatic headlines for cyber attack stories.  It is as if data breaches were a new phenomenon.  They aren’t.  I have been writing about data breaches and privacy and cyber security for over a decade.  What has changed things is the Optus Data Breach that affected almost half the population in one way or another.

The Home Affairs Minister Clare O’Neil has echoed earlier statements by ministers that the Medibank cyber attack is a huge wake up call.  The problem is that this wake up call has been made by civil society groups and commentators for years.  It was ignored by both sides of politics.  This sudden interest in cyber security and privacy by a government reminds me of a conversation I had with Professor George Williams during a break at a legal conference years ago.  I was bemoaning the ineffective privacy protections in legislation and the lack of options at common law and equity.  He said that reform will come with a major privacy incident which gets the government’s attention or convinces the courts of an unacceptable gap in legal protections.  How prescient those comments were.  The Optus and Medibank data breaches seem to have achieved the former.  Or at least the promise of the former.  Hopefully the courts will recognise that the protections at common law and equity are wholly inadequate.

Now Ministers are inserting themselves into every significant data breach.  That has all the makings of poor policy.  It is relatively unusual for governments and their ministers to insert themselves into the middle of a cyber attack.  There have been exceptions, usually for extraordinary events, but on the whole it is a matter for the regulator, the affected organisation, the various experts brought in to fix the mess and sometimes the insurer.  Later the courts

Medibank Private halts trading when hackers make contact to negotiate regarding possibly stolen data

October 19, 2022

Medibank Private’s woes continue as the ABC reports, in Health insurer Medibank Private halts trading after receiving message from company claiming to be behind cyber attack, that it was contacted by a group wanting to negotiate the return of stolen data.  Nothing has been verified, or at least publicly identified, but Medibank Private notified the ASX to put a halt to the trade in its shares.  The Australian Financial Review, in Medibank ransom demand targets politicians, actors, LGBT activists, claims that the hackers were demanding a ransom to prevent the release of health and credit card information.  The Sydney Morning Herald, in Medibank hackers threaten to release stolen health data in ransom demand, claims to have seen the ransom note.

Dealing with hackers who plant ransomware, or those who simply exfiltrate data and then ransom it back to the organisation, which is usually very keen to avoid more humiliation and cost, has become a niche industry.  Just as hackers have developed sophisticated processes for payment and negotiation, there are people who have expertise in negotiating with those hackers and sometimes outwitting them.  There is an excellent article in the 31 May 2021 issue of the New Yorker titled How to Negotiate with Ransomware Hackers which gives a little bit of an insight into this murky world.  The Australian also ran a similar, but lesser, story, ‘They demanded $1m in 72 hours’: your money or your data.  The official government advice is not to pay ransoms.  The reality is much more nuanced.  Payments are made.  And hackers often abide by their side of an agreement.  But not always.  And then there are the middling results where the hackers provide decryption keys but, upon unlocking the ransomed data, some or much of the data is corrupted.  Sometimes the hackers only return some of the data, sometimes intentionally and sometimes by accident.  Being a crook does not mean they are good administrators.

The answer is always to maintain proper cyber security.  That doesn’t just mean having up to date programs.  It means making sure the human element is covered.  Staff need to be trained and there need to be systems in place to prevent lax security.

The ABC article provides:

Health insurer Medibank Private has confirmed they have received messages from a group wishing to negotiate with the company regarding their alleged removal of customer data.

The update comes less than a week after the company was hit by a cyber attack.

Medibank says they are working urgently to establish if the claim is true, but are treating the matter seriously.

As a result of this, the health insurer has halted trading on the share market until further notice.

Medibank CEO David Koczkar has apologised to customers and said he understood the latest update was distressing. 

“We have always said that we will prioritise responding to this matter as transparently as possible,” Mr Koczkar said.

National Institute of Standards and Technology releases report: Profile of the IoT Core Baseline for Consumer IoT Products

The Internet of Things is a key part of any cyber security and privacy analysis.  The National Institute of Standards and Technology (“NIST”) has released a very important report on IoT baselines, titled Profile of the IoT Core Baseline for Consumer IoT Products.

The Abstract provides:

This publication documents the consumer profile of NIST’s IoT core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for small businesses to consider in the purchase of IoT products. The consumer profile was developed as part of NIST’s response to Executive Order 14028 and was initially published in Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. This document also discusses the foundations to developing the recommended consumer profile and related considerations. NIST reviewed a landscape of relevant source documents to inform the consumer profile and engaged with stakeholders across a year-long effort to develop the recommendations.

At 30 pages it is a relatively brief NIST publication.  That does not mean it is not technical and dense.

Some interesting points

An article says that universities are at particular risk of a cyber attack… that was news 10 years ago. But it is worth saying again now that governments in Australia are sort of taking privacy seriously

Sometimes it feels like the last decade of writing and reporting on privacy never existed.  Articles are being written and statements made portentously, with a breathless quality, about a cyber threat here or a privacy harm there as if it had never been said before.  The Australian’s Universities are at particular risk of cyber attack is a classic example of this reheating of well known facts and previous commentary: a phenomenon that has been well known and understood for many years is written up as if it were some sort of revelation.

Universities are and have always been a focus for espionage and theft of information, sometimes by state actors and sometimes by criminals who can see a financial pay day in stealing commercial information.  During the Cold War, the analog era, universities were engaged to do sensitive defence related research.  There was a constant competition between those screening staff and protecting information and those intent on  trying to corrupt or turn staff and otherwise purloin information.  In the digital era this issue has taken on new dimensions with much more information, including personal information on a massive scale, and many more ways of accessing it.  Universities are notorious for having inadequate cyber protection often because of multiple systems being cobbled together after mergers or rationalisations.  The authorisation policies are lax and the training is poor.

I have posted on data breaches at the University of Western Australia, Deakin University, University of Tasmania, Australian Catholic University, Australian National University and  the University of Greenwich.

The article says

Commonwealth Attorney General describes the Privacy Act as outdated….hardly news but good that an Attorney General is interested in privacy reform

October 18, 2022

The Attorney General is critical of the operation of the Privacy Act according to ‘A very outdated piece of legislation’: Optus hack highlights Privacy Act loophole.  This is hardly news.  What is good news is that reform of the Privacy Act is a priority.  How quickly that happens is less certain.  The interminable Attorney General’s Department review will be wrapped up by year’s end and sometime

Another data leak in Australia, this time with Realty Assist

Real estate agents and other property related companies collect masses of personal information.  A significant amount of that data is not required for preparing a lease.  Real estate agents are enthusiastic collectors of data but less impressive in the storage of it.  This is amply demonstrated in the Guardian’s article A real estate agent data breach would be devastating for renters. They collect too much personal information.  The sobering fact is that unless a real estate agent has an annual turnover of $3 million or more it is not covered by the Privacy Act.

On cue, the Australian reports that poor data management has led to personal information being made publicly available online in Lax security: RealtyAssist loan details online.  This comes as no surprise to anyone practising privacy law.  That it is being reported so widely is more a function of the heightened interest in data breach stories since the Optus Data Breach.  The article

A process to anonymise facial images to improve patients’ privacy

Anonymisation is an important process in protecting privacy and securing data.  The UK Information Commissioner’s Office has recently released draft guidance on anonymisation and pseudonymisation.  Anonymisation and pseudonymisation are both quite contentious because they are often ineffective.  Some researchers believe that anonymisation cannot work as there is no way to fully protect real identities in datasets.  The development of, and increasing access to, quantum computers pose challenges to anonymisation, as other data sets can be analysed and compared to the anonymised data to reveal tell-tale identifiers.  At this stage it does have utility and the regulators acknowledge it as a means to protect privacy.

Nature has published a fascinating article, Anonymizing facial images to improve patient privacy, on anonymising facial images in the health industry context through the use of a digital mask.

The article

ABC reports Australian executives wary of announcing cyber attacks… hardly news. Vinomofo sends out a notice about a data breach… that is a welcome and new development

October 17, 2022

When writing on privacy and cyber security issues I often feel like Cassandra, highlighting problems that are ignored.  Until now.  The ABC’s story Most Australian executives wary of announcing cyber attacks and online strategies amid increased demand for transparency is hardly news.  Businesses not wanting to disclose data breaches.  Quelle surprise!

I have been writing on the poor culture of non compliance and secrecy relating to data breaches for years.  Non compliance and an attitude of impunity do not develop and exist in a vacuum.  They develop when there is an ineffective, complicated and confusing legislative regime and very timid regulation.  The practical net result has been a marked aversion to reporting data breaches, covering them up and generally doing as little as possible to comply with the Privacy Act.  And why not, when governments have, until recently, shown little interest in privacy enforcement and the penalty for non compliance is almost non existent in practical terms.  In that sense the ABC article has something of a “been there, done that” quality to it.  But it is worth highlighting the situation in the national press.  Hopefully it will act as the “before shot” which will be compared to the “after shot” when the new legislation comes into effect and proper regulation commences.

While it will take some time for the culture to change, and there will be a lot of backsliding, there is clearly a changed atmosphere.  The Optus data breach has highlighted what poor cyber security can mean for ordinary people: stress, annoyance and the cost in time and money to avoid identity theft.

The comparison between enforcement in Australia and other developed economies is stark.  For example, in the United States Zoetop, the owner of the retailer Shein, has been fined $1.9 million for covering up a data breach.  The breach occurred in 2018 when login details of 39 million accounts were stolen.  Most of the customers were not advised of the breach and Zoetop lied about its extent.  Given the vagueness of the data breach notification provisions in the Privacy Act, a company here wouldn’t need to cover up a breach.  It would simply say that, after considering the factors, there was no serious harm resulting from the breach.  In any event the Commissioner has thus far proven to be a reluctant enforcer.

As a sign that things may be slowly changing for the better I received a notice from Vinomofo about a cyber attack on its site.  Interestingly it has been at least 3 years since I bought anything through Vinomofo.  Why am I still in its system?

The notice stated:

Hi Peter, 

I am writing to provide you with some important information about a recent cyber security incident at Vinomofo. 

Vinomofo experienced a cyber security incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website.

UK Information Commissioner’s Office publishes guidance on privacy enhancing technologies

The Information Commissioner’s Office (“ICO”) published its long awaited and very welcome guidance on the use of privacy enhancing technologies (“PETs”).  Properly used PETs are an invaluable part of proper data protection.  The media release provides:

The Information Commissioner’s Office (ICO) has published draft guidance on privacy-enhancing technologies (PETs) to help organisations unlock the potential of data by putting a data protection by design approach into practice. 

PETs are technologies that can help organisations share and use people’s data responsibly, lawfully, and securely, including by minimising the amount of data used and by encrypting or anonymising personal information. They are already used by financial organisations when investigating money laundering, for example, and by the healthcare sector to provide better health outcomes and services to the public. 

The draft PETs guidance explains the benefits and different types of PETs currently available, as well as how they can help organisations comply with data protection law. It is part of the ICO’s draft guidance on anonymisation and pseudonymisation, and the ICO is seeking feedback to help refine and improve the final guidance.

By enabling organisations to share and collaboratively analyse sensitive data in a privacy-preserving manner, PETs open up unprecedented opportunities to harness the power of data through innovative and trustworthy applications. The UK and US governments have launched a set of prize challenges to unleash the potential of PETs to tackle global societal challenges, supported by the ICO.

John Edwards, UK Information Commissioner, said:  

“Although the use of PETs is in its early stages, it can unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights. In the UK, one example is the NHS building a system for linking patient data across different organisational domains. 

“Today’s draft guidance is part of my office’s strategy for the next three years, where we will be supporting the responsible use and sharing of personal information to drive innovation and economic growth. PETs have the potential to do that, so we look forward to hearing from industry and other stakeholders on how our guidance can help them achieve this.”  

The PETs draft guidance has been published ahead of the 2022 roundtable of G7 data protection and privacy authorities taking place in Bonn, Germany on 7-8 September, where the ICO will present its work on PETs to its G7 counterparts and encourage international agreement for the support of responsible and innovative use of PETs.

As part of this, the ICO will call for the development of industry-led governance, such as codes of conduct and certification schemes, to help organisations use PETs responsibly and to help PETs developers and providers to build the technology with data protection and privacy at the forefront. 

Mr Edwards said:

“It’s not just regulators that need to take action – we need the industry to step up, too. We want organisations to come to us with codes of conduct and certification schemes, for example, to show their commitment to building services or products that are designed in a privacy-friendly way and that protect people’s data.”

At 40 pages the guidance is very comprehensive.

Some key issues that should be considered are:

  • the definition of a PET is:


Information Commissioner issues a statement regarding the MyDeal data breach

The Australian mandatory data breach notification regime, while 4 years old, has not attracted the public profile of other regimes overseas and had not resulted in high profile notifications until the Optus Data Breach.  In some American states notifications must be made to authorities, who publish broad details of the data breach and how many residents of the state have been affected.  As such there is a better understanding of the frequency of data breaches and