The UK Information Commissioner reprimands South Tees Hospitals for a serious harmful data breach.

January 28, 2024

The UK Information Commissioner has reprimanded the South Tees Hospitals NHS Foundation Trust for a serious data breach. The breach involved providing sensitive information to an unauthorised family member. The nature of the information is not specified, but it involved sending a letter relating to an upcoming appointment, which found its way into the hands of another person.

The ICO’s release provides:

The Information Commissioner’s Office (ICO) has today announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to an unauthorised family member.

In November 2022, a Trust employee sent a standard letter to inform the father of a patient of an upcoming appointment, but the appointment letter was sent to the wrong address.

Whilst the subsequent investigation by the ICO confirmed that the disclosure was the result of human error, it also found no evidence that the Trust fully and appropriately prepared staff for their role in dealing with correspondence that was particularly sensitive.

Joanne Stones, Group Manager at the Information Commissioner’s Office, said:

“This breach resulted in extremely sensitive information being passed to the wrong person. This was a serious, harmful incident that has understandably caused upset to the individuals involved and such an error must never be repeated.

“This breach highlights how even seemingly minor errors can have very serious consequences. To other organisations handling similarly sensitive data, this shows just how important proper training and procedures are in preventing mistakes.”

Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.

South Tees Hospitals NHS Foundation Trust should now implement new standard operating procedures and provide further staff training to ensure data is protected and reduce the possibility of future disclosures in error.


Data breaches in Australia for January 2024 … so far

It has been a busy January 2024 for data breaches in Australia (so far). Eagers Automotive stopped trading in late December 2023, with notification of a cyber attack coming in early January. The LockBit 3.0 ransomware group claimed responsibility. A Melbourne travel agency, Inspiring Vacations, left its database without password protection; it held 112,605 customer records. This usually involves poor configuration.

Iconic, an online retailer, had inadequate basic security measures to verify customer details, which put its 2.1 million customers at risk of being defrauded. And some were, according to Iconic. The hackers embarked on credential stuffing: using stolen usernames and passwords from one organisation to access customer accounts on separate websites. This form of attack exploits the common online behaviour of individuals reusing the same email and password combination across multiple digital platforms. Iconic’s response was truly abysmal, initially denying it had suffered a data breach. Later Iconic promised to issue refunds to hacked customers. While Iconic’s volte-face was fairly rapid, it was a major mistake to deny what was obviously taking place. Print music company Hal Leonard was hit by a ransomware attack by the Qilin ransomware gang, which gave Hal Leonard a week to pay a ransom. Hal Leonard has made no comment. Qilin has shared 37.6 gigabytes of Hal Leonard’s data. On 23 January Nissan Oceania notified customers of a cyber attack. It is a very bare-bones notification, not even identifying when the attack was detected.
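Credential stuffing, as described above, looks different in authentication logs from a brute-force attack on a single account: one source tries many distinct usernames, a few times each, and some attempts succeed because the password was reused elsewhere. The detector below is an added example, not code from the original post or from any of the retailers it names; the log format, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Credential-stuffing detector over authentication log lines.

Added example, not code from the original post or any organisation it
names. Log format, thresholds and the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <FAIL|OK>".
# 203.0.113.7 walks a leaked credential list across seven accounts in a few
# seconds and gets into two of them; 198.51.100.9 hammers a single account.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice@example.com FAIL
2024-01-10T09:00:02 203.0.113.7 bob@example.com FAIL
2024-01-10T09:00:02 203.0.113.7 carol@example.com OK
2024-01-10T09:00:03 203.0.113.7 dave@example.com FAIL
2024-01-10T09:00:04 203.0.113.7 erin@example.com FAIL
2024-01-10T09:00:05 203.0.113.7 frank@example.com OK
2024-01-10T09:00:06 203.0.113.7 grace@example.com FAIL
2024-01-10T09:05:00 198.51.100.9 alice@example.com FAIL
2024-01-10T09:05:10 198.51.100.9 alice@example.com FAIL
2024-01-10T09:05:20 198.51.100.9 alice@example.com FAIL
2024-01-10T09:05:30 198.51.100.9 alice@example.com FAIL
2024-01-10T09:05:40 198.51.100.9 alice@example.com FAIL
2024-01-10T09:05:50 198.51.100.9 alice@example.com FAIL
2024-01-10T09:30:00 192.0.2.44 heidi@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, min_attempts=6):
    """Flag source IPs that try many distinct accounts within one time window.

    Returns {ip: finding}. A single account with many failures (classic brute
    force) is deliberately not flagged here, because the credential-stuffing
    signature is breadth across accounts, not depth on one.
    """
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events_by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, events in events_by_ip.items():
        events.sort()
        best = None
        j = 0
        for i in range(len(events)):
            # Slide the right edge of the window forward from events[i].
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            span = events[i:j]
            accounts = {user for _, user, _ in span}
            if len(span) >= min_attempts and len(accounts) >= min_accounts:
                if best is None or len(accounts) > best["distinct_accounts"]:
                    best = {
                        "window_start": span[0][0].isoformat(),
                        "attempts": len(span),
                        "distinct_accounts": len(accounts),
                        # Accounts the attacker got into: force a password
                        # reset and invalidate their sessions.
                        "compromised_accounts": sorted(
                            user for _, user, result in span if result == "OK"),
                    }
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

The successful logins inside a flagged window are the accounts that need a forced password reset, and the per-source pattern is what rate limiting or a second authentication factor on login would have blunted; a per-account lockout alone does not catch this, because each account sees only one or two attempts.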

The Nissan statement

Google settles a claim alleging it tracked users even when browsing in private mode

January 5, 2024

On 5 February 2024 Google was due to go to trial in a class action which alleged that it tracked users’ browsing activities when in private mode. The claim was for $5 billion. Obtaining such an award was always unlikely. Even a substantial financial award would pale beside the huge reputational damage associated with disclosing Google’s practices. Not surprisingly, the case has settled, as reported by Forbes and the BBC.

Google fought this case hard, with multiple attempts to strike out the proceeding. The modus operandi is common to technology companies: fight and fight and fight until the hearing date nears, and then try to settle.

The Forbes article provides:

Alphabet Inc.’s Google subsidiary has tentatively settled accusations of misappropriating user data, averting a potentially revealing court trial. The lawsuit originally sought $5 billion in damages, but the terms of the settlement were not disclosed. The news was first reported by Reuters.

According to court documents, the search giant agreed to resolve claims that despite promises of privacy, it tracked the internet activity of users browsing in what they believed was an undercover mode. Consumers contended that they were shadowed by Google even while using the supposedly concealed ‘Incognito’ mode on Chrome, raising alarms over the sanctity of online privacy. The company tried to get the court to throw out the case multiple times, but failed.

The agreement, announced before a pending trial date on February 5, 2024, halts the progression of a class-action suit that sought damage payments of at least $5 billion. Terms of the settlement, brokered through a private mediation process, are not yet public, but will be revealed upon submission for court approval by the end of February 2024.

While the plaintiffs’ attorneys and Google refrained from commenting on the settlement, the crux of the legal challenge put Google’s transparency under scrutiny.

The case hinged on the assumption that Google’s analytics and ad-targeting mechanisms continued to siphon personal data regardless of user privacy settings, converting virtually anonymous browsers into valuable data points.

Data breach of Victorian Court Services continues to attract coverage, now overseas.

Today’s Age has comprehensively covered the data breach of the Court Services system with Victims exposed in court hack ‘unlikely’ to be able to sue: legal expert. Bleeping Computer, a US-based tech magazine, has reported on the breach with Victoria court recordings exposed in reported ransomware attack, a brief piece by cyberdaily with Victorian court systems allegedly breached by Qilin ransomware gang, and Security with Victoria court records exposed following cyberattack.

As the Age article states, there would be challenges in bringing proceedings arising from this data breach. But they may not be insurmountable. It is most likely that the ransomware infected the system via an email that someone in Court Services opened. Alternatively, the attackers somehow obtained login and password details allowing access. Finally, it may have been through a third-party service provider. Each of those means of ingress should be the subject of proper processes and training. In my experience, they rarely are. Often an audit of a system after a cyber attack reveals many, many flaws.

While the data breach probably does not involve a large number of individuals, it is particularly significant because it involves court recordings, which should be properly protected. That is especially so where the files involve sensitive information, as some of the recorded evidence would. It is early days but the potential for continuing havoc is real. Hackers have been known to

Cyber attack on Victorian Court system; the growing disquiet

January 3, 2024

It is not surprising that the cyber attack on the Victorian Court system has brought in comments from the Attorney General and intense media focus. The Chief Executive of Court Services Victoria released a statement yesterday (after my post of yesterday) in which she stated:

On Thursday 21 December 2023, Court Services Victoria (CSV) was alerted to a cyber security incident impacting Victoria’s courts and tribunals.  

The cyber incident led to unauthorised access leading to the disruption of the audio visual in-court technology network, impacting video recordings, audio recordings and transcription services.

CSV took immediate action to isolate and disable the affected network and to put in place arrangements to ensure continued operations across the courts.  As a result, hearings in January will be proceeding. 

Recordings of some hearings in courts between 1 November and 21 December 2023 may have been accessed. It is possible some hearings before 1 November are also affected.  The potential access is confined to recordings stored on the network. Further details for each court are found below.

No other court systems or records, including employee or financial data, were accessed. 

Maintaining security for court users is our highest priority.  Our current efforts are focused on ensuring our systems are safe and making sure we notify people in hearings where recordings may have been accessed. 

We understand this will be unsettling for those who have been part of a hearing.  We recognise and apologise for the distress that this may cause people.  CSV has established a Contact Centre with dedicated staff which is available to those seeking further information or assistance. This includes support from IDCARE, Australia’s national identity and cyber support community service. The Centre can be contacted from today via telephone or email:   

We are working closely with the cyber security experts in the Victorian Department of Government Services. All relevant authorities have been notified of the incident and are assisting with the investigation and response. 

All courts have put in place arrangements so that they can continue to safely and securely hear matters while CSV re-establishes the affected network.  We appreciate the cooperation of court users during this period. 

The work on the restoration of systems includes works to strengthen security across the broader court and tribunal-wide technology environment.

With limited exceptions, court and tribunal hearings are held in public and are not confidential.  The unauthorised use of recordings of hearings is not permitted. 

The table below sets out which recordings of hearings may have been accessed. 

Jurisdiction | Date range | Hearings where recordings may have been accessed
--- | --- | ---
Supreme Court | 1 December to 21 December | Court of Appeal, Criminal Division, Practice Court and two regional hearings in November.
County Court | 1 November to 21 December | All criminal and civil hearings recorded on the network.
Magistrates’ Court | 1 November to 21 December | Some committals that were heard during this period.
Children’s Court | 1 November to 21 December | No hearings in the date range. A recording of one hearing in October which may have remained on the network.
Coroners Court | 1 November to 21 December | All hearings in the date range.
VCAT | 1 November to 21 December | No hearings.

Frequently asked questions

What is the cyber incident that’s happened?

Court Services Victoria (CSV) became aware on Thursday 21 December of a cyber incident that impacted in-court audio and video (AV) systems.

During the incident, there was unauthorised access to CSV’s audio visual in-court technology network.

Recordings of some hearings in courts and tribunals between 1 November and 21 December 2023 may have been accessed. It is possible some hearings before 1 November are also affected.

Another ransomware attack, this time on the Victorian Court system

January 2, 2024

The ABC reports today, in Russian hackers believed to be behind cyber attack on Victoria’s court system, that the Victorian Court system was subject to a ransomware attack on 21 December 2023. The Guardian reports on it here. While someone from Court Services made comment, with the usual (1) detected the breach, (2) secured it, (3) working on it, (4) will notify people where appropriate, and the tried and true (5) security is our highest priority, there has been no statement on its homepage. At least not yet. Based on the story it is an extortion attempt by a Russian hacking group.

As the story notes, there must have been a deficiency in the security system or privacy training. Ransomware programs don’t just appear on systems. They are commonly delivered through email or through stolen or otherwise acquired login credentials. If it was because someone opened an attachment or clicked on a hyperlink in an unfamiliar email, that bespeaks poor privacy training.

This is not the first attack on the Court system. In 2020 a former registrar hacked the system to create a false intervention order. The registrar was jailed for fraud.

Courts Victoria falls under the regulation of

Federal Trade Commission proposes Strengthening Children’s Privacy Rule to limit monetisation of Children’s Data

The Federal Trade Commission is proposing changes to the COPPA Rule, the principal regulation relating to the protection of child privacy online. COPPA stands for Children’s Online Privacy Protection Act. The purpose is to restrict third parties monetising children’s data.

The release

UK Information Commissioner’s Office fines Ministry of Defence for revealing the names of 265 people seeking relocation to the UK from Afghanistan after the Taliban took over.

January 1, 2024

A very common form of data breach by government agencies is for an officer, usually mid-ranked or lower, to attach a list of names to an email, advertently or inadvertently, and then send the email to the wrong recipient, or to send the wrong attachment to the intended recipient. Another variation I see quite commonly is someone sending an email to a large number of recipients via “Reply All” when the intention was to respond to only one person. Many of the “Alls” should not have seen the document.

Before Christmas the UK Information Commissioner fined the Ministry of Defence for releasing via email the names of 265 Afghans seeking relocation to the UK in the wake of the Taliban takeover. Here the email was sent to a distribution list of Afghan nationals, releasing personal information of 245 people. The ICO statement provides:

    • Details of 265 people compromised in email data breaches weeks after Taliban took control of Afghanistan in 2021
    • Egregious breach “let down those to whom our country owes so much” – UK Information Commissioner
    • Email error could have resulted in a threat to life

The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.

On 20 September 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The original email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting the relocation of Afghan citizens who worked for or with the UK Government in Afghanistan. The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life.

Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients. Such a procedure provides a double check whereby an email initiated by one member of staff is cross-checked by another.
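The ‘To’ field error and the ‘second pair of eyes’ control in the ICO decision above, together with the ‘Reply All’ error mentioned at the start of this post, are the kind of thing a pre-send check on the outbound message can catch mechanically. The following is an added example, not code from the ICO, the MoD or the original post; the internal domain (example.gov), the threshold of five external recipients and the two sample messages are constructed for illustration.

```python
"""Pre-send policy check for outbound email to many external recipients.

Added example, not code from the ICO, the MoD or the original post. The
internal domain, the bulk threshold and the sample messages are constructed.
"""
import email
import email.policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.gov"  # constructed: the sending organisation's domain
BULK_THRESHOLD = 5               # constructed: more externals than this is bulk mail


def is_internal(addr):
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


def split_recipients(msg, header):
    """Return (internal, external) address lists for one recipient header."""
    addrs = [a for _, a in getaddresses(msg.get_all(header, []))]
    return ([a for a in addrs if is_internal(a)],
            [a for a in addrs if not is_internal(a)])


def sender_of(msg):
    return getaddresses([msg["From"]])[0][1]


def check_outbound(msg, approved_by=None):
    """Return a list of policy findings; an empty list means the mail may go."""
    findings = []
    int_to, ext_to = split_recipients(msg, "To")
    int_cc, ext_cc = split_recipients(msg, "Cc")
    _, ext_bcc = split_recipients(msg, "Bcc")

    # Rule 1: external recipients must not be able to see each other.
    visible = ext_to + ext_cc
    if len(visible) > BULK_THRESHOLD:
        findings.append(f"{len(visible)} external addresses visible in To/Cc; move them to Bcc")

    # Rule 2: bulk external mail needs a second pair of eyes, not the sender's.
    if len(visible) + len(ext_bcc) > BULK_THRESHOLD:
        if not approved_by:
            findings.append("bulk external mail needs a second approver before sending")
        elif approved_by.lower() == sender_of(msg).lower():
            findings.append("second approver must be someone other than the sender")

    # Rule 3: a reply fanning out to many people is the classic Reply All slip.
    total = len(int_to) + len(ext_to) + len(int_cc) + len(ext_cc)
    if msg["In-Reply-To"] and total > BULK_THRESHOLD:
        findings.append(f"reply addressed to {total} recipients; confirm Reply All was intended")
    return findings


def move_externals_to_bcc(msg):
    """Return a copy with every external address moved into Bcc."""
    fixed = email.message_from_bytes(msg.as_bytes(), policy=email.policy.default)
    int_to, ext_to = split_recipients(msg, "To")
    int_cc, ext_cc = split_recipients(msg, "Cc")
    _, ext_bcc = split_recipients(msg, "Bcc")
    for header in ("To", "Cc", "Bcc"):
        del fixed[header]
    fixed["To"] = ", ".join(int_to or [sender_of(msg)])  # address it to ourselves if needed
    if int_cc:
        fixed["Cc"] = ", ".join(int_cc)
    externals = ext_to + ext_cc + ext_bcc
    if externals:
        fixed["Bcc"] = ", ".join(externals)
    return fixed


def build_bulk_sample():
    """Constructed: seven external applicants placed in the To field."""
    msg = EmailMessage()
    msg["From"] = "relocations-team@example.gov"
    msg["To"] = ", ".join(f"applicant{i}@mail.example" for i in range(1, 8))
    msg["Cc"] = "caseworker@example.gov"
    msg["Subject"] = "Update on your application"
    msg.set_content("Constructed sample body.")
    return msg


def build_reply_sample():
    """Constructed: a Reply All to seven internal colleagues."""
    msg = EmailMessage()
    msg["From"] = "analyst@example.gov"
    msg["To"] = ", ".join(f"colleague{i}@example.gov" for i in range(1, 8))
    msg["In-Reply-To"] = "<constructed-message-id@example.gov>"
    msg["Subject"] = "Re: Team update"
    msg.set_content("Constructed reply body.")
    return msg


if __name__ == "__main__":
    bulk = build_bulk_sample()
    print(check_outbound(bulk))
    print(check_outbound(move_externals_to_bcc(bulk), approved_by="colleague@example.gov"))
    print(check_outbound(build_reply_sample()))
```

The check is deliberately placed before sending rather than after: once the message leaves, the recipients can ‘reply all’ to each other, as two people did in the MoD incident, and no recall helps. The approver rule is the ‘second pair of eyes’ policy expressed as code, and the approver is required to be a different person from the sender so that the control is a real cross-check.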

Australian Information Commissioner inquiring into potential breaches of the Privacy Act by Tik Tok

Tik Tok has a truly dismal record when it comes to privacy. 

In September the Irish Data Protection Commission fined Tik Tok 345 million euros for breaching the GDPR in relation to the personal information of children using Tik Tok. In April the UK Information Commissioner’s Office fined Tik Tok 12.7 million pounds for misusing children’s data. On 25 March 2022 the U.S. District Court for the Northern District of Illinois approved a $1.1 million settlement with TikTok Inc. (“TikTok”) to resolve claims that TikTok collected children’s data and sold it to third parties without parental consent. In October 2021 Tik Tok reached a $92 million privacy settlement for breaching Illinois’s Biometric Information Privacy Act.

The genesis of this inquiry is the discovery that Tik Tok has been using tracking tools to harvest data without consent. Now the Australian Information Commissioner is inquiring into Tik Tok’s alleged practice of siphoning personal data of non users without consent.

Senator Paterson, the opposition spokesman, has been very active in scrutinising Tik Tok, not just on the privacy issues but on Tik Tok’s potential national security threat, given it is a company subject to the control of the Chinese Government. It has been the subject of criticism for the information it spreads, which is anti-Western to say the least.

The Attorney General was drawn into commenting on this inquiry last week, and he said:

JOURNALIST: On another matter, has TikTok breached Australia’s privacy laws by harvesting data from websites without seeking their consent?

ATTORNEY-GENERAL: The Australian Government is very concerned to protect the privacy of Australians and the privacy of Australian children. We are very pleased that the Privacy Commissioner, who is the Australian official charged under the Privacy Act with investigating privacy breaches, has commenced an investigation. I’d make the point that we’ve shown how seriously we take breaches of Australian privacy by last year legislating to increase the penalties, massively increase the penalties for breaches of privacy by corporations. And we’ve also, at the same time, legislated to give additional powers to the Privacy Commissioner. I expect that the Privacy Commissioner will be using those additional powers in this investigation.

St Vincent’s Health Network suffers a data breach, but it is not isolated. There is a pattern of cyber attacks on health facilities worldwide.

St Vincent’s Health Network suffered a data breach on 19 December 2023. When first reported, the details of what personal information was stolen were not known. According to The Australian, as of 25 December 2023 St Vincent’s was still unable to determine what, if any, medical records were stolen, in St Vincent’s unable to confirm if medical records stolen. On 29 December 2023 St Vincent’s Health Australia released a statement. It provides:

Since its statement last Friday regarding the attack by cyber criminals, St Vincent’s has been working tirelessly with federal and state governments, law enforcement, and our cyber experts.

Today we again briefed our close to 30,000 team members on the latest information regarding this investigation and monitoring work.

The staff at St Vincent’s provide some of the best care in the world to our patients and residents. Our key priority in responding to this cyber criminal attack has been to preserve and protect the critical work of our staff on behalf of millions of Australians every year.

On Tuesday, 19 December, St Vincent’s began responding to a cyber security incident.

On that day, St Vincent’s immediately took steps to contain the incident, engaged external security experts CyberCX, and notified all relevant state and federal governments and their necessary agencies.

No cyber criminal activity has been detected on St Vincent’s networks since Wednesday, 20 December.

Late on the evening of Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from our network. We notified regulators, governments, our staff, and the public of this information on the morning of Friday, 22 December.

St Vincent’s continues to investigate this cyber crime. Our experts are working around the clock to ascertain the contents of the data copied and stolen from us. This is a complex and highly technical activity.

Should we discover that any sensitive data has been stolen by cyber criminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process.

To date, the activities of the cyber criminals have not impacted the ability of St Vincent’s to deliver the services our patients, residents, and the broader community rely on across our hospital, aged care, and virtual and home health networks. We are managing some important network disruptions as part of our remediation works.

We thank the Australian Government, our state government partners, and our commercial and clinical partners, for their support.

We have also updated federal and state government authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, as well as our key partners, and stakeholders.

The Australian Federal Police are engaged with the matter and St Vincent’s is fully supporting their criminal investigation.

We have established a dedicated support line 1300 124 507, as well as a dedicated email address stvincentscybersafety@svha.org.au, for anyone wishing to seek further information about this matter.

Media contact: Dexter Gillman 0439 393 196

Q&As

When did St Vincent’s first become aware that they were experiencing an incident?

On Tuesday, 19 December 2023, St Vincent’s Health Australia (SVHA) began responding to a cyber security incident.

SVHA immediately took steps to contain the incident, engaged external cyber security experts, and notified all relevant state and federal governments and the necessary agencies.

The investigation into this incident is ongoing.

Why did it take until Friday 22 December 2023 to tell the public?

St Vincent’s took immediate steps to contain the incident upon its discovery. We also engaged external security experts, notified all relevant state and federal governments and their necessary agencies.

Late on the evening of Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from our network. We notified regulators, governments, our staff, and the public of this information on Friday morning.

What steps did St Vincent’s take to understand the incident?

Our teams have worked tirelessly through the night, and into today to:

• Implement enhanced monitoring of St Vincent’s networks and systems;
• Deploy investigatory tools; and
• Review system logs and telemetry.

At this time, no new activity by the threat actor has been detected inside St Vincent’s networks since early morning Wednesday, 20 December. Containment activities are still ongoing.

Do you know who might be behind this incident?

Not at this time.

Do you know if any information that may be sensitive (corporate or personal) may have been accessed?

Late on Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from a system.

St Vincent’s is working to determine what data has been removed. This is a complex and highly technical activity and we do expect it could take some time.

Do you have any evidence data has been removed from your network?

Late on Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from a system.

St Vincent’s is working to determine what data has been removed. This is a complex and highly technical activity and we do expect it could take some time.

When will SVHA be able to say what type of data was stolen?

This is a complex and highly technical investigation, and we do expect it will take some time before we know exactly what data was taken from our systems.

How will you notify patients or staff if their data has been stolen?

Should we discover that any sensitive information has been stolen by cyber criminals, we will do all that we can to contact the impacted persons to inform them of this, give them information about the steps that they can take to protect themselves and support them through that process.

Are hospital operations impacted?

At this time, our ability to deliver the frontline services that our patients, residents, governments and the broader community rely on us for, has not been impacted. We are managing some network disruptions as part of our remediation works.

What support is available?

We have established a dedicated support line 1300 124 507 and email address stvincentscybersafety@svha.org.au for anyone with additional questions about this matter.

St Vincent’s statement, when issued, was quite good as far as it went. In fact, very good by Australian standards. It was the basis for The Australian’s report in St Vincent’s Health still trying to work out if personal medical records stolen in cyber attack.

While the statement provided a good overview, it continues the unfortunate and usual Australian practice of not providing, even in the most general terms, the cause of the breach. That can give rise to criticism. Just ask the executives of Medibank and Optus, for whom this was a bleeding wound that took months to be only partially staunched. Providing too much detail is unnecessary and can be poor practice, in that it highlights weaknesses that may be exploited against other organisations; but failing to provide any information at all, even in very general terms, as to how the breach occurred goes too far the other way. Withholding information can be embarrassing if the media finds out what caused the breach. That seems to be the case here, as the Australian Financial Review (the “AFR”) provides details not provided by St Vincent’s Health in