Peter A Clarke

De identifying data is a critical part of managing data, avoiding reputational damage if there is a data breach and complying with privacy legislation.  It is fundamental yet poorly understood, let alone implemented.  The National Institute of Standards and Technology has released the third draft of its De-Identifying Government Data Sets .   As with many NIST reports it is lengthy not to mention highly technical.  But it is worth reading.  The NIST provides the best technical guides in the privacy and cyber security sphere.

This is an excellent guide because it sets out clearly what deidentificatio involves, why it is important, what the risks are and how organisations and agencies should approach de identification. The United Kingdom’s Information Commissioner has prepared excellence guidance on Anonymisation, pseudonymisation and privacy enhancing technologies.  Given the nature of recent data breaches in Australia de identifying older records is important.  The guidance in Australia is inadequate. 

The abstract provides:

De-identification is a process that is applied to a dataset with the goal of preventing or limiting informational risks to individuals, protected groups, and establishments while still allowing for meaningful statistical analysis. Government agencies can use de-identification to reduce the privacy risk associated with collecting, processing, archiving, distributing, or publishing government data. Previously, NISTIR 8053, De-Identification of Personal Information, provided a survey of de-identification and re-identification techniques. This document provides specific guidance to government agencies that wish to use de-identification. Before using de-identification, agencies should evaluate their goals for using de-identification and the potential risks that de-identification might create. Agencies should decide upon a de-identification release model, such as publishing de-identified data, publishing synthetic data based on identified data, or providing a query interface that incorporates de-identification. Agencies can create a Disclosure Review Board to oversee the process of de-identification. They can also adopt a de-identification standard with measurable performance levels and perform re-identification studies to gauge the risk associated with de-identification. Several specific techniques for de-identification are available, including de-identification by removing identifiers and transforming quasi-identifiers and the use of formal privacy models. People performing de-identification generally use special-purpose software tools to perform the data manipulation and calculate the likely risk of re-identification. However, not all tools that merely mask personal information provide sufficient functionality for performing de-identification. This document also includes an extensive list of references, a glossary, and a list of specific de-identification tools, which is only included to convey the range of tools currently available and is not intended to imply a recommendation or endorsement by NIST. Read the rest of this entry »

On 10 November the Australian Information Commissioner released the six monthly Notifiable Data Breaches Report for the period January to June 2022.  The Report covers a period before the Optus and Medibank Data breaches which will make the next six monthly report quite dramatic with the personal records of at least 15 million Australian’s affected.  In a country of 26,217,341 that is extraordinary.

The Report is far more expansive and detailed than the usual reports.  It also seeks to instruct as to what is expected and why.  No doubt the increased topicality of privacy and the impact of the Optus and Medibank data breaches have influenced the Commissioner and made it prudent to be more expansive than was previously the case.

The highlights of the Report are:

• there were 396 notifications, a reduction of 14% over the previous 6 months;
• health had the most notifications.  No surprises there.
• 63% of data breaches was caused by malicious or criminal attacks.
• ransomware was the most common form of cyber attack, at 31% of the total.
• 71% of entities notified the Commissioner within 30 days of becoming aware of the breach
• 13% of cases did not become aware of the incident for over a year
• 4 entities took more than 12 months from when they became aware of the breach to notify the Commissioner.  That is a matter of significant concern.  It will be interesting to see if the Commissioner does anything about such a flagrant breach of section 26WH of the Privacy Act 1988.
• contact information was involved in the breaches on 331 occasions while identity information occurred in 217 cases.

While the Report and statistics contained within it are quite instructive it should taken with caution.  It should not be regarded as a complete, or even completely accurate, picture of what data breaches have taken place and the number of records affected.  The current Data Breach Notification Scheme as the Attorney General noted, is hopelessly ineffective.

The media release provides:

The significant impact of recent data breaches on millions of Australians and the findings of the latest Notifiable data breaches report released today stress the need for organisations to have robust information handling practices and an up-to-date data breach response plan.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the widespread attention on data breaches and statistics for January to June 2022 show areas that require organisations’ immediate action.

“Recent data breaches have brought attention to the importance of organisations securing the personal information they are entrusted with and the high level of community concern about the protection of their information and whether it needs to be collected and retained in the first place,” Commissioner Falk said.

“I urge all organisations to review their personal information handling practices and areas of ongoing risk identified in our report. Only collect necessary personal information and delete it when it is no longer required.

“Organisations should also ensure they have a robust data breach response plan, so in the event of a data breach, they can rapidly notify affected individuals to minimise the risk of harm,” she said.

The Office of the Australian Information Commissioner (OAIC) was notified of 396 data breaches from January to June 2022, a 14% decrease compared to July to December 2021. Read the rest of this entry »

There are two particular frustrations working in the cybersecurity sphere and writing on it; reading about “developments” that have been known about for years and the kabuki, theater, that governments and agencies engage in, such as claiming to hunt down hackers, which detracts from the more relevant but mundane action, getting organisations and governments to develop and maintain proper data security. The vast majority of data breaches can be linked to some form of human error or another.

Both are present in the response to the Medibank data breach.

The Government announced that it had uncovered the name of the cybhackers. That group has been identified as REvil, a group that operates in the Russian Federation with full but deniable knowledge of its government.  This is hardly a banner moment in Australian cyber security and law enforcement. Ransomware gangs are often identified and usually within short order.  They have their own techniques and have distinctive malware.  Much like many criminal gangs their modus operandi is distinctive.  REvil is so well known that it has its own wikipedia page.  Like many criminal hacker gangs operating in the Russian Federation it operates in a grey area; unofficially tolerated and occasionally used by state authorities in exchange for being left alone.  Cyber criminals also operate out of China and the Stans.

The Government has put together a task force to hack the hackers.  The Australian Federal Police and the Australian Signals Directorate are combining to identify the hackers and their associates and bring them to justice.  While that is an appropriate response a dose of realism needs to be injected into the story lest hopes are raised too high.  Cyber hackers are usually phycially beyond reach of Australian authorities and unlikely to be subject to successful extradition applications.  The Australian Federal Police is engaging with its Russian counterparts about the cyber crimninals. That is unlikely to go anywhere.  Engaging in cyber warfare with hackers is difficult.  Hackers change tactics.  For example Ransomware gangs are increasingly using their own or stolen computer code and moving away from a leasing model that made their activities easier to monitor.  Until recently hackers leased their malicious software and computing infrastructure to others in what is known as ransomware-as-a-service. That was used by gangs such as such as Conti, which shuttered Irish health systems, and REvil. Senator Paterson has called for hackers to be sanctioned.  It is another form of political theater.  Magnitsky sanctions are meaningless when dealing with hackers. If proceeds of crimecan be located, and they are in a country which has apolitical police force and independent judiciary, such as Canada, the USA and most European states, they can be seized without the need for Magnitsky sanctions.

The payment of  a ransom is not illegal.  The government is considering making such payments illegal.  Discouraging the payment of ransom is one thing.  Criminalising it is another.  Sometimes it is the only practical solution in the time available so criminalising the conduct puts a business into a terrible bind.  It is a crime that may be difficult to detect but also used by hackers to further extort those who have paid ransoms.

That is not to say that successful action can’t be taken. A Russian national linked to the LockBit ransomware gang was arrested in Ontario in October. What needs to be remembered is that ransomware is an international problem as Bleeping Computer makes clear in The Week in Ransomware – November 11th 2022 – LockBit feeling the heat.  It relevantly provides:

The big news is the arrest of a Russian LockBit member in Canada, who is said to be responsible for making ransom demands between €5 to €70 million.

Over the past few weeks, a threat actor has been trolling victims by distributing the Azov Ransomware and blaming its creation on cybersecurity researchers and journalists. Read the rest of this entry »

Hackers have reportedly put Medibank abortion data on the dark web.  Medibank confirmed as much with its media release today.  It is a common enough tactic for hackers to threaten to release and then release data online. Once the demand for  $10 million or $15 million was rejected it was hardly a surprise that some form of retaliation was not going to occur. Hackers are criminals.  Russian hackers are notorious for having even less scruples than the average hacker. REvil has a particularly savage reputation. Retaliation is a rationale response even if the Minister for Home Affairs calls the hackers scumbags.

The melancholy truth is that notwithstanding the Australian Federal Police and the Asustralian Signals Directorate being involved in the hunt for the hackers the chances of catching any individuals hackers in the short term is small.  They are based in a jurisdictions, such as Russia where they are tolerated if not supported.

The focus has to be on mitigation and remediation.  If past Read the rest of this entry »

Hackers posting data on line when the ransom demand for their return fails is nothing unusual.  And Medibank has refused to pay the ransom demanded of it.  That is consistent with Government advice.  Forbes reported that 92% of those who pay a ransom do not get their data back.  Last year Kaspersky reported that 56% of ransomware victims pay the ransom but only a quarter get their full data returned. Where does the truth lie.  Somewhere that is unlikely to be found. The figures are necessarily spongy given there is a marked reluctance by organisations and businesses to admit to paying ransoms. Surveys of consumers and companies are at best educated guesses.

With Medibank refusing to pay the ransom the Russian hackers have posted some of the data on line.  This is hardly unusual.  It is an evolving story but the Australian has a good summary with Medibank hacker starts posting stolen data.  It is a story that is getting wide coverage across Australia, with the Sydney Morning Herald, the Guardian, ABC and the Australian Financial Review, just to name a few outlets. It has also received wide overseas coverage such as by the BBC.

But this data breach and the unfolding torment is part of a worldwide phenomenon.  On 31 October Bleeping Computer reported that hackers were selling access to 576 corporate networks for $4 million. Other cyber attacks in the last week included Boeing Subsidiary Jeppesen’s Services Hit By Cyberattack, a cyber attack caused trains to stop in Denmark, a Ransomware attack on Osaka General’s network stalled critical surgeries & daily operations and  Europe’s Biggest Copper Producer Hit by Cyber-Attack to name but a few. These incidents highlight the chronic and worldwide nature of the problem.  In most of these cases hackers gained access because of poor data security practices. 

The hackers in the Medibank data breach are following the digital extortion business model where the hackers escalate the attack in order to force payment from victims. The Ransomware extortion model commonly begins as a classic ransomware attack, demanding payment for encrypted files while similtaneously the hackers exfiltrate data from the victim. If victims fail to pay within the allotted time, or opt to recover encrypted data through backups, criminals threaten to release confidential data publicly. Some attackers even auction confidential data to the highest bidder on the dark web..

The extortive blended attacks can circumvent backup strategies because they essentially extort the victim into payment even if backups are in place.
Ransomware is one of cybercrime’s strongest business models.  It is far more popular and effective than trojans, phishing, distributed denial-of-service (DDoS) and cryptojacking.
When a computer becomes infected with ransomware, the malware often generates network traffic by sending encrypted system information to a command-and-control server.. Normally, ransomware contains the public key needed for encryption and uses it locally without fetching from a remote server.

Typical actions taken by most ransomware variants include:

•  terminating a list of hardcoded processes and services that may interfere with file encryption such as databases, security
  applications and backup services. Some variants also search for and attempt to uninstall known antivirus programs or other
  security applications
• preventing and disable system restore features that may be enabled by the operating system.

Unlike other malware, most ransomware infections don’t require administrative privileges. The malware relies Read the rest of this entry »

This morning Medibank released a detailed statement of more details of the personal information taken through the data breach and what it will and will not be doing.  As with Optus Medibank is slowly beginning to follow the appropriate procedure long adopted by large companies in the United States.  Unfortunately both Medibank and Optus were slow to advise customers of the data breach, wretchedly slow to provide details, reluctant to offer assistance, did not publicly advertise the external help they were engaging and had dreadful media interviews.  Time is of the essence in responding on all levels to a data breach.  Having a proper and well rehearsed data breach response plan is critically important.  

In short Medibank has determined that;

• the hackers accessed personal information of 9.7 current and former customers broken down into the following categories:
  • 5.1 million Medibank customers,
  • 2.8 million ahm customers and
  • around 1.8 million international customers
• the personal information was:
  • the name,
  • date of birth,
  • address,
  • phone number and e
  • mail address.
  • Medicare numbers (but not expiry dates) for ahm customers
  • passport numbers (but not expiry dates) and visa details for international student customers
• the hackers accessed health claims data for around:
  • 160,000 Medibank customers,
  • around 300,000 ahm customers and
  • around 20,000 international customers.
• the health claim data included:
  • service provider name and location,
  • where customers received certain medical services, and
  • codes associated with diagnosis and procedures administered.
  • contact details of  around 2,900 next of kin of these patients
• the hackers accessed health provider details, including names, provider numbers and addresses
• the hackers did not access credit card and banking details
  • Medibank will not pay a ransom.

The media statement is designed for the market and government, not customers.  It is long, probably overlong, detailed and covers a large number of issues.  A lot of what is being proposed should have already been done. 

The media Read the rest of this entry »

Threat reports are a regular feature in publications on data security and privacy.  Just recently Crowdstrike released its 2022 Global Threat Report, Akamai with its Global Sate of the Internet Reports – DDoS Attack Reports and Sonic Wall’s 2022 SonicWall Cyber Threat Report are just 3 reports of trends, surveys and findings.  Most are quite useful.

The Australian Cyber Security Centre (ACSC) has been releasing threat reports for some time, usually without much fanfare and little mainstream media coverage.  I review the reports when they come out and did a post on the 2017 and 2021 reports for example.

With the Optus and Medibank data breaches the 2022 ACSC threat report for July 2021 to June 2022 has received wide and loud media coverage.  For some in the media this report is a bolt out of the blue which uncovers previously unknown problems and foretells catastrophy.  It doesn’t on both counts.  The Report is consistent with other reports and regular advices from US, UK and European regulators, insurers, cyber experts.  The threat of cyber attack by criminals or state actors is significant and growing.  That is something I have been writing about for years.  It is part of my practice to assist in dealing with that.  It has been around for over a decade as a significant and evolving problem.  It is only now being seen as a key governmental priority.  A welcome if belated change.

Unlike previous years the relevant minister, Clare O’Neil, has issued a detailed media release about the report.  It provides:

Australians are encouraged to help protect the nation’s cybersecurity future, as the Australian Cyber and Security Centre (ACSC) – a key part of the Australian Signals Directorate (ASD) – launches its third annual Cyber Threat Report.

The Cyber Threat Report is a key tool of the ASD in helping all Australians better understand every day cyber threats, and improve their cyber defences.

Amid an increasingly deteriorating geo-strategic environment, it is now more important than ever that individuals, industry, business and government come together to reinforce our online resilience.

Key findings from the 2021-22 Cyber Threat Report include:

• • The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year.
  • On average one cybercrime report was received every seven minutes, compared to every eight minutes last financial year.
  • There has been a 25 per cent increase in the number of publicly reported software vulnerabilities.
  • Financial losses due to Business Email Compromise increased to over $98 million, with an average cost of $69,000 per report.
  • The average cost per cybercrime report has risen to around $40,000 for small business, over $88,000 for medium business, and over $62,000 for large business.

The Albanese Government is committed to protecting the security of Australians, and welcomes the Cyber Threat Report as a key tool to help inform how we can do so into the future.

A key part of this is the Government’s 10 year investment in the ASD, known as REDSPICE, which will further harden Australia’s cyber defences in 2022-23 and beyond.

Throughout its 75 year history, the ASD has defended Australia from global threats and advanced our national interests. It remains at the frontline of defending our nation and keeping Australians safe and secure.

Quotes attributable to Deputy Prime Minister and Minister for Defence, the Hon Richard Marles MP:

“Over the last financial year Australia has witnessed a heightened level of malicious cyber activity, reflecting the evolving strategic competition across the globe.

“This has been clearly demonstrated in the brutal invasion of Ukraine – where Russia has sought to cause damage not just in traditional warfare, but through the use of destructive malware as well.

“Threat actors across the world continue to find innovative ways to deploy online attacks, as a result too many Australians have felt the impacts of cybercrime.

That is why the Government is committed to reinforcing Australia’s cyber security as a national priority.”

Quotes attributable to Minister for Home Affairs and Cyber Security, the Hon Clare O’Neil MP:

“Recent examples of malicious cyber activity have demonstrated to Australians how important it is for organisations and individuals to prioritise their cyber security.

Australia’s unique geostrategic position and information-rich environment mean we all need to work together to build our cyber defences and to ensure all Australians have the tools they need to protect against the impacts of cyber attacks.

The Albanese government is focusing our best and brightest cyber security experts both on responding to today’s cyber threats and developing the capabilities and skills we need for a secure and resilient digital future.”

The findings are catnip for statistic obsessed reports with:

• an increase in financial losses due  to over $98 million
• an average loss of $64,000 per report.
• A rise in the average cost per cybercrime report to over $39,000 for small business, $88,000 for medium business, and over $62,000 for large business
• an average increase in the cost of cybof 14 per cent.
• a 25 per cent increase in the number of publicly reported software vulnerabilities
• Over 76,000 cybercrime reports, an increase of 13 per cent from the previous financial year.
• A cybercrime report every 7 minutes on average, compared to every 8 minutes last financial year.
• Over 25,000 calls to the Cyber Security Hotline, an average of 69 per day and an increase of 15 per cent from the previous financial year.
• 150,000 to 200,000 Small Office/Home Office routers in Australian homes and small businesses vulnerable to compromise.
• Fraud, online shopping and online banking
  were the top reported cybercrime types, accounting for 54 per cent of all reports.

While the Report is sobering it does not indicate anything inconsistent with overseas experiences. If anything it confirms an upward trend in number of attacks, increased cost of cyber attacks and increased reports to the ACSC and other governmental agencie.  For example Read the rest of this entry »

In less than a month there has been a data breach at a real estate agent business.  I  wrote about Realty Assist’s breach on 18 October 2022.  Now Harcourts have suffered a data breach, on 14 October 2022.  The ABC report highlights a break down between Harcourts and Stafflink a software provider.  In its email to customers Harcourts claimed the data breach stemmed from its software service provider Stafflink, one of whose employees accounts was compromised.  That can and does happen.  Except that Staff Link has disputed that and publicly said so.  A very poor strategy by Harcourt to make an assertion and then find it contested.  I never cease to be amazed how poorly Australian businesses handle data breaches. The ABC story also covers the dreadful state of privacy and data management by real estate industry.  It has long been an industry addicted to collecting as much personal information as possible but being lax with it. Privacy advocates have long known about and Read the rest of this entry »

One of the misconceptions in privacy law is that once a person steps into a public place there is no reasonable expectation of privacy.  That is not, in and of itself correct under Australian, New Zealand,  UK and European law. That was made abundantly clear in the seminal 2004 House of Lords decision of Campbell v MGN Limited [2004] UK 22.  Naomi Campbell sued when she was photographed leaving a Narcotics Aonymous meeting in 2001.

Dani Laidley has reportedly sued Victoria Police over photographs allegedly taken of her in November 2020 at the Geelong Racecourse by a police officer.  She alleges those photographs were shared online.  The pleadings are not to hand so it is not possible to comment on the causes of action pleaded however the report in the Nine Papers claim there is a claim of a breach of duty.  Australia does not have a common law cause of action for harassment although the Gummow and Hayne JJ referred to ‘what may be a developing tort of harassment’ in ABC v Lenah Game Meats 2001] HCA 63; (2001) .  That was 21 years ago and the development of the law has stalled.  All the more reason for a statutory tort for interference with privacy which Read the rest of this entry »

Today the Australian Communications and Media Authority published its findings that the ABC has breached its privacy obligations in disclosing the identity of a person who used a dating app.  Beyond finding a breach and making recommendations there is no other sanction available to the ACMA.  Another example of why a stautory tort relating to the interference with privacy is long overdue.

ACMA’s  media release provides:

The Australian Communications and Media Authority (ACMA) has found the Australian Broadcasting Corporation (ABC) breached the privacy requirements in the ABC Code of Practice by broadcasting an identifiable person’s profile in a news report about dating app scams.

The Newshour segment, which was broadcast in May 2021, included footage of a screen scrolling through a dating app showing the profile of a person, including an image of a face, age and first name.

The ACMA investigation found that although the dating app profile was shown fleetingly, the image of the face was repeated twice in the news report and the person was identifiable.

ACMA Chair Nerida O’Loughlin said having personal information broadcast on television can be distressing for the individual in question.

“Media intrusion into a person’s private life without consent must be justified to be in the public interest,” Ms O’Loughlin said.

“There is a clear public interest in reporting on online scamming, however there are limits to the type of personal information that should be disclosed in a news report. In this case, there was no justifiable reason to identify the person and the ABC did not undertake adequate measures to ensure their privacy.”

The ACMA’s enforcement powers when it finds the ABC has breached its Code are limited to recommending the ABC take particular actions. In this case, the ACMA did not consider this necessary as the ABC had already removed the footage from its archive and advised that the ACMA finding will be made available to relevant ABC News staff. 

FACTS

The Australian Broadcasting Corporation (the ABC) broadcast the News Hour on 11 May 2021 at 5:00 pm.

The Report was comprised largely of the studio presenter and expert guest discussing the ramifications of the rise in online scamming appearing on dating apps. A montage sequence of people using mobile phones to view dating apps, with faces and names of subscribers to those dating apps appearing on-screen, punctuated the discussion.

In the Report, the relevant footage was Read the rest of this entry »