Information Commissioner releases its Data breaches report for July – December 2022…a big increase in number of data breaches and number of records compromised…Not surprising given the Optus and Medibank data breaches

March 31, 2023

The latest data breach notification report, covering the period July – December 2022, spans a period in which both Optus and Medibank were the subject of cyber attacks that compromised millions of records: almost 10 million for Optus and 9.7 million for Medibank. There were other significant data breaches in this period which skewed the figures. But these figures are still a significant under-reporting of the actual number of data breaches that occurred in Australia in this period, and they in no way correlate to overseas experience in similar environments. For example, in January 2023 alone an estimated 277,618,767 records were compromised in 104 publicly disclosed security incidents.

Some interesting facts from the Report include:

  • there were 497 notifications, a 26% increase;
  • health again leads the number of notifications with 71 out of the 497 notifications;
  • malicious or criminal attacks were responsible for 70% of the breaches;
  • there were 5 breaches affecting 1 – 10 million individuals;
  • there was one breach involving more than 10 million;
  • in terms of cyber attacks the leading type of attack was ransomware, at 29%;
  • in January – June 2022 there were 24 data breaches affecting more than 5,000 Australians.  In the July – December half year there were 40 breaches affecting more than 5,000;
  • while 77% of breaches were identified within 30 days, 6% took between 4 – 12 months and 5% took more than a year;
  • the top cause of human error breaches was personal information sent to a wrong recipient, at 42%.

The report provides:

Executive summary

The NDB scheme was established in February 2018 to drive better security standards and accountability for protecting personal information and improve consumer protection. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 that experiences an eligible data breach must notify affected individuals and the OAIC.

All these articles about the need for proper data security and poor privacy regulation have been said and said again…by me… for years. The coverage is belatedly welcome but does not bode well for serious reform

March 29, 2023

In Greek mythology Cassandra was a Trojan priestess who was fated by Apollo to utter true prophecies which were never believed. When writing on privacy and data security matters on this page over the past 15 years I feel like Cassandra. Raising concerns about poor privacy legislation, ineffective regulation, a lack of proper data security, no training and no risk management has raised not even a shrug. But last year, all of a sudden, journalists and politicians started talking and writing about privacy and data security as if it had arrived with the Christmas Amazon delivery. That has produced some truly trite pieces, such as the Australian’s Hack attack on all business ‘inevitable’, says Michael Sentonas. The article could have been written almost a decade ago with almost no changes. But back then journalists weren’t interested, companies would prefer to deal with cyber attacks quietly, the Privacy Commissioner was out to lunch and governments had no interest in improving regulation. It is just that now, with 3 massive data breaches, the issue cannot be avoided and this revelatory piece finds its way into a national paper.

It provides:

Australian businesses are being urged to immediately improve their cyber security defences as a cyber expert warned that it was “inevitable’’ every business would be attacked by wannabe hackers.

The Australian Cyber Security Centre revealed cyber criminals were pouncing “within minutes’’ of vulnerabilities being discovered, and company boards needed to understand their “crucial role’’ in ensuring companies invested appropriately to make their networks resilient to attacks.

Latitude Financial woes continue and follow a trajectory all too common with large data breaches suffered by organisations with poor breach response plans.

The Latitude Financial data breach has taken the familiar path marked out by previous organisations who have suffered a data breach, who had a poor understanding of their obligations and who were hopelessly unprepared for dealing with the possibility of a breach. Latitude’s slow and inept response has mirrored many of the failings of Optus and Medibank in their responses to data breaches. After the initial vague publicity about the data breach, Latitude on 27 March 2023 provided an increased estimate of the number of customers whose personal information was impacted: approximately 7.9 million individuals. The same day the Information Commissioner issued a statement which doesn’t say much beyond that it is making enquiries and working with other government agencies. This seems to be the new approach when a big data breach occurs: remind people that the Commissioner exists and is doing stuff. The question is what exactly that stuff is.

There is a real skill to drafting statements about data breaches.  In the United States, where data breach notifications have been a feature of regulation for a significant number of years, the advice to the market and consumers is crafted carefully.  They tend to be

Choice issues a damning report “Your Body, Our Data: Unsafe Privacy Practices of Popular Fertility Apps” which finds that fertility apps collect unnecessary personal data

March 22, 2023

Choice, in Fertility apps and your privacy, examined 12 popular fertility apps and found poor privacy practices. It is a devastating report highlighting the poor state of privacy practices in Australia. The Guardian has covered the report in Fertility apps collect unnecessary personal data and could sell it to third parties – study.

The Choice article provides:

Fertility apps collect extremely sensitive and intimate data about our cycles, health, pregnancies, and sex lives.

There is growing concern over the handling of this data, which is often kept for too long (exposing it to data breach risks) and disclosed to other companies on a supposedly ‘de-identified’ basis (when there are real risks of re-identification).

The apps’ privacy policies, messages and settings are often confusing and potentially misleading. An app might claim “we never sell your data”, but the fine print might say the whole database can be sold to another company as a business asset.

Latitude Finance finally gets its act in order in providing details of the breach…not many but more than next to nothing. It makes for grim reading. Class action should be on the horizon.

March 21, 2023

Latitude’s woes continue, with a high likelihood of more personal information being compromised over and above the reported 330,000 records. Latitude released a “Cybercrime Update” at some point yesterday. That is a very slow response to a data breach where customers were contacted last Thursday. By Australian standards the statement is middling. Compared to statements released in the United States it is very average, both in terms of speed (though there is a strand of late responders there as well as here) and the quality of communication.

What the poorly written statement advises is that:

  • the attack remains active.  That is a model of vagueness, not making it clear whether exfiltration of data continues or whether they have not isolated and removed the malware, if malware has been deployed.  Given the access was through a person’s access credentials it is quite curious that it would not have been neutralised unless the hacker deployed some form of virus.
  • Latitude does not know the extent of the compromise;
  • the attack may have impacted non customer originating platforms;
  • Latitude kept historical customer information.  That is a huge problem, and one that also affected Optus and Medibank.  Latitude kept data relating to individuals who no longer use Latitude.  That is very concerning.

It is quite concerning that a cyber attacker could have such easy access to a range of documents.  It will be interesting to see what access controls were in place within the system.  Issues of encryption and salting of data seem to be relevant considerations.

If there is no class action with this data breach I would be amazed.  Just on the scraps of information provided to date it appears that Latitude was non-compliant with the Australian Privacy Principles relating to data security and retention of documents.

The statement

Latitude suffers major data breach. Underlines need for privacy reform in Australia

March 16, 2023

The timing of the announcement of a data breach at Latitude Financial couldn’t be more apposite. Submissions on the Government’s Report on reform to the Privacy Act, released in January, are due by 31 March 2023. The attack was effected through an employee’s login credentials from a major vendor used by Latitude. That is a depressingly familiar scenario. It also bespeaks inadequate controls. Approximately 103,000 identification documents, 97% of which were copies of drivers’ licences, and 225,000 customer records were compromised. The records were held by service providers. The breach has been reported in the Australian Financial Review, the NASDAQ and the Sydney Morning Herald among others (and the number will grow).

Latitude has made a statement because it has been quoted in the media, but it has not done what Optus and Medibank did with their data breaches and put out a statement on its website about what happened, what was done and what is being done.  That is a rookie error.

The Australian’s Customer details stolen as Latitude suffers major cyber attack provides a good summary of what is known to date. The Information Commissioner has not made mention of any report or investigation. Given its recent decisions to investigate other major data breaches it is a reasonable expectation that Latitude Financial will be hosting officers from the Commissioner’s office in the near future.

The Australian article provides:

Latitude Financial says it was the target of a “sophisticated and malicious cyber-attack” which has resulted in 103,000 identification documents and 225,000 customer records being stolen.

The loans, credit cards and insurance company said the activity was believed to have originated from a major vendor used by Latitude.

It said although it took immediate action, the attacker was able to obtain Latitude employee login credentials before the incident was isolated. “The attacker appears to have used the employee login credentials to steal personal information that was held by two other service providers,” it said.

Privacy warnings about sharing personal information while using ChatGPT

March 15, 2023

The principles are consistent even if the technology is in a constant state of flux: do not share personal information through a program unless you know the privacy protections are strong and properly administered. In most cases that means don’t share! The Times story Do not share sensitive information with chatbots, cyber-experts warn makes that point very clearly. The privacy concerns are reinforced in the article AI uptake inhibited by security and data quality concerns: CSIRO.

It provides:

GCHQ’s cyber-experts have warned people not to share sensitive information with ChatGPT and similar artificial intelligence systems.

Private or confidential information included in questions to the chatbot could be viewed by others and leave users at risk of being hacked, the National Cyber Security Centre (NCSC) said.

Such so-called large language models (LLMs) could also be a boon for cyber-attackers, who could use them to impersonate people in emails, the centre warned in its blog.

The post is subtitled “Do loose prompts sink ships?” Two NCSC experts, David C and Paul J, write that the models are “undoubtedly impressive” but add: “They’re not magic, they’re not artificial general intelligence.”

Federal Trade Commission brings action to stop BetterHelp from revealing information, including mental health information, to Facebook & others for targeted advertising. FTC is seeking $7.8 million compensation.

March 14, 2023

With the Report of Proposed Reforms to the Privacy Act recently released it is apposite that the Federal Trade Commission has recently announced that it is taking action against BetterHelp for sharing its consumers’ health information, including about mental health problems, with Facebook and other platforms for advertising.  The odious practice was well entrenched and longstanding, commencing in 2013 and not concluding until the media reported on it in 2020. The nature of the data misuse is all the more appalling given BetterHelp repeatedly promised to keep the data private. Instead it monetised the data to target those consumers and others for the service it provides.  BetterHelp has reached a settlement with the FTC.

Arising from this action:

  • the FTC makes it clear that an email or an IP address by themselves can disclose private information about consumers, based on the entity sharing the data.
  • the FTC regards a failure to obtain “affirmative express consent” for disclosure of health information to social media companies for advertising purposes to be an unfair practice.
  • Companies should:

    • consider carefully whether any of their web pages or apps collect information that could be considered sensitive
    • review their privacy policies and ensure they can be understood
    • train employees regarding privacy
    • develop policies and restrictions on how personal data must be protected

The terms imposed by the FTC are onerous and particularly swingeing compared to the relatively relaxed enforceable undertakings imposed in Australia.

The media was, as usual, scathing, with Fortune’s Counseling service BetterHelp to return $7.8M to customers in FTC settlement after it shared private health data with Facebook and Snapchat and Yahoo’s Teladoc’s (TDOC) BetterHelp Faces FTC Hurdle, to Pay $7.8M.

The media release provides:

The Federal Trade Commission has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising. The proposed order also requires the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.

This is the first Commission action returning funds to consumers whose health data was compromised. In addition, the FTC’s proposed order will ban BetterHelp from sharing consumers’ personal information with certain third parties for re-targeting—the targeting of advertisements to consumers who previously had visited BetterHelp’s website or used its app, including those who had not signed up for the company’s counseling service. The proposed order also will limit the ways in which BetterHelp can share consumer data going forward.

Australian Information Commissioner and Marriott International enter into enforceable undertaking on 4 February 2023

March 10, 2023

Marriott entered into an enforceable undertaking with the Australian Privacy Commissioner for a data breach arising out of breaches between 2015 – 2018. I have posted on those breaches and the regulatory action taken by the UK Information Commissioner here, here, here and here. Worldwide the breaches affected the personal information of 339 million individuals. In Australia the records of 2.2 million were compromised. The Marriott breach highlighted poor data security practices, with the breach occurring over a 3 year period, and the challenges of legacy IT issues. All too often IT systems are cobbled together and not properly maintained.

The enforceable undertaking is operable for 5 years.  Compared to agreements in the United States between the Federal Trade Commission and organisations for similar transgressions, that is a short time frame.  It is not uncommon for the FTC to enter into 20 year agreements.  This enforceable undertaking is more robust than the previous few enforceable undertakings the Commissioner has entered into; however, it is not as stringent as those imposed in the United States. In the United States such agreements usually incorporate a very significant fine.  Given the legislation in Australia that was not possible.

Some of the relevant matters of note from the enforceable undertaking

High Court revokes Facebook’s special leave application on the day of hearing. Information Commissioner’s civil penalty proceeding will now proceed beyond the service stage…almost 3 years after the originating application was filed

March 7, 2023

The High Court today revoked Facebook’s special leave application. The transcript is not available yet and reasons have not been published, but the key argument for this volte-face was a change to the Federal Court Rules on overseas service.

The Information Commissioner issued a media release providing:

The Office of the Australian Information Commissioner (OAIC) today welcomed the Full Court of the High Court of Australia’s decision to revoke Facebook Inc’s special leave to appeal to the High Court.

The High Court granted the Commissioner’s application to revoke special leave due to a change in the Federal Court Rules in relation to overseas service.

This clears the way for proceedings to return to the Federal Court. The substantive proceeding seeking civil penalties against Facebook Ireland and Facebook Inc over the Cambridge Analytica matter will now progress.

“Today’s decision is an important step in ensuring that global digital platforms can be held to account when handling the personal information of Australians,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“Entities operating in Australia are accountable for breaches of Australian privacy law, and must ensure that their operations in Australia comply with that law,” Commissioner Falk said.

Background

On 9 March 2020, the Commissioner lodged proceedings against US-based Facebook Inc and Facebook Ireland (collectively, Facebook) in the Federal Court, alleging the social media platform had committed serious and/or repeated interferences with privacy in contravention of Australian privacy law.

The Commissioner alleges that from 12 March 2014 to 1 May 2015: