Information Commissioner releases report of data breaches for July to December 2023. A 19% increase in notifications, to 483, over the previous 6-month period. The report highlights the problem of data breaches by third parties

February 27, 2024

The Information Commissioner has released its semi-annual data breach report, this time for the period July to December 2023. There was a steady increase in reported breaches: 57 in July, 68 in August, 79 in September, 86 in October, 96 in November and 97 in December.

Interesting issues arising from the report:

  • the health sector still remains the most affected by data breaches;
  • 65% of data breaches affected organisations of 100 people or fewer;
  • 67% of the data breaches were caused by malicious or criminal attacks. There were 322 such incidents, up 12%;
  • human error was responsible for 30% of data breaches, an increase of 36% over the previous period;
  • 423 incidents involved contact information;
  • 306 incidents involved identity information;
  • 197 incidents involved health information;
  • 193 involved financial details;
  • 64% of the data breaches were identified in 10 or fewer days;
  • 23% of data breaches were identified in 30 days or more;
  • 56 of the 211 notifications involved ransomware, while 59 involved phishing.

Relevant extracts are:

Cyber incidents continued to be the leading cause of data breaches that impacted a large number of Australians. Of the 26 breaches that affected over 5,000 Australians, 22 were caused by cyber incidents. The top causes were compromised or stolen credentials (9 notifications), ransomware (8 notifications) and hacking (4 notifications).

Entities need to continually review whether appropriate controls and processes are in place to defend against and mitigate data breaches caused by cyber incidents. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has developed prioritised mitigation strategies – the Strategies to Mitigate Cyber Security Incidents – to help entities protect themselves against various cyber threats. The most effective of these mitigation strategies is the Essential Eight.

US Federal Trade Commission takes action against Avast for breaching privacy, claiming it was protecting data while trading consumers’ data

February 25, 2024

The US Federal Trade Commission has taken action against Avast for representing to consumers that its software would protect their privacy by preventing the tracking and collection of browser information, while it tracked that browser information and sold it to more than 100 other companies. Avast tracked and collected the data and provided it to a subsidiary, Jumpshot, which from 2014 until 2020 sold that browsing information to some of its clients, including investment and advertising companies, search engine optimisation firms and data brokers. In short, companies that need data as part of their business activities. Avast has entered into a consent order whereby it agreed to pay $16.5 million and to be prohibited from selling or licensing any web browsing data for advertising purposes.

The FTC generally relies upon representations for jurisdiction to take action. That is different to the approach taken by the UK regulator, which relies on the UK Data Protection Act. In Australia the regulator relies on its powers under the Privacy Act. FTC decisions are useful and relevant in the analysis of privacy cases because the principles relating to data security, collection and use are consistent with those principles under the UK, New Zealand and European laws. Given the FTC is a much more active regulator than the Australian Office of the Information Commissioner, the analysis of the FTC in its complaints and consent orders is particularly useful. The Australian resources are modest by comparison and often too general.

The FTC’s very colourful media release provides:

When uttered by a pirate, “Avast!” is a nautical term for “Listen up and cut it out.” And when the FTC says “Avast!” to software company Avast, it means the same thing. UK-based Avast Limited told consumers that using its software would protect their privacy by preventing the tracking and collection of their browser information. But according to the FTC, from 2014 to 2020, guess who was tracking consumers’ browser information and then selling it to more than 100 other companies through an affiliate called Jumpshot? Ironically enough, Avast Limited. We’re not sure how much the $16.5 million financial remedy is in doubloons, but we hope the terms of the proposed settlement will remind other companies to relegate conduct like that to Davy Jones’ Locker.

For consumers concerned about their privacy, Avast’s claims for its anti-virus software and browser extensions were attention-getters. The company promised its products would block “annoying tracking cookies that collect data on your browsing activities.” In a major app store, the company pitched its Avast Mobile Software as a way for consumers to “secure your device” by getting “alerted when you install spyware and adware apps that violate your privacy by sending your personal data to their servers.” In describing its desktop software, Avast promised it would “shield your privacy” and “stop anyone and everyone from getting to your computer.” Avast also told people that its software would allow them to “reclaim your browser. Get rid of unwanted extensions and hackers making money off your searches.” The company’s marketing hook for its Avast Secure Browser was its anti-tracking capabilities, promising it would “protect[] your privacy by preventing websites, advertising companies, and other web services from tracking your online activity.”

Information Commissioner opens investigation into HWL Ebsworth data breach

February 22, 2024

The Information Commissioner has opened a Commissioner-initiated investigation into the data breach of the HWL Ebsworth site, which involved the loss of 1.1 terabytes of data. It has been some time in coming. HWL Ebsworth notified the Commissioner on 8 May 2023 and the Commissioner opened a preliminary enquiry in June 2023. A flaw in the legislation, and in the Commissioner’s approach to regulation, is the lengthy and drawn-out process. It has been 8 months, or thereabouts, between the date the preliminary investigation opened and the date this investigation opens. It will be months, probably many, before the Commissioner completes this investigation. If civil proceedings are commenced, that won’t happen for months. And then a couple of years in the Federal Court. The Commissioner’s regulatory action policy needs a significant overhaul.

The other problem with the Commissioner’s approach to regulation is that typically the results of those investigations do not see the light of day. Or the results are quietly announced with little coverage in the media. This is significantly different to the regulators’ more expansive approach in the United States, the United Kingdom and the European Union.

HWL Ebsworth adopted a “batten down the hatches” approach to the data breach. After an initial anodyne statement it kept its counsel. It applied for and obtained an injunction against those using information leaked onto the dark web. The utility of that application is problematic, but it does restrain those who are not criminals who may be tempted to access or otherwise view that material. Notwithstanding sporadic stories about which of HWL Ebsworth’s clients were affected, the strategy seemed overall to be effective. HWL Ebsworth avoided the intense media scrutiny and censure that Medibank and Optus experienced, even though the data stolen was at least as sensitive, and sometimes more sensitive, than the data stolen from each of those other organisations.

Given the large volume of data stolen, across the breadth of the firm’s operations, there will be serious questions as to the data storage policies, training, data handling processes, why so much data was retained for so long and how the hackers were able to range so widely across practice areas.

The Commissioner’s Statement provides:

The Australian Information Commissioner has commenced an investigation into the personal information handling practices of HWL Ebsworth Lawyers (HWLE), arising from a data breach notified to the Office of the Australian Information Commissioner (OAIC) on 8 May 2023. The decision follows the OAIC’s preliminary inquiries into the matter, commenced in June 2023.

The OAIC’s investigation is into HWLE’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals.

The Commissioner has a range of options available to her if following her investigation she is satisfied that an interference with the privacy of one or more individuals has occurred.

This includes making a determination, which can include declarations that HWLE take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with privacy of individuals, then the Commissioner has the power to seek civil penalties against HWLE from the Federal Court of Australia.

In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.

About Commissioner-initiated investigations

The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1 under section 40(2) of the Australian Privacy Act 1988.

Under the Notifiable Data Breaches scheme in the Privacy Act, in certain circumstances organisations are required to take such steps as are reasonable to notify affected individuals of an eligible data breach and do so as soon as practicable.

The story has been covered by itnews with

University of South Australia shuts down Medicines Advice and Therapeutics Education Services (MATES) program amid claims that personally identifiable data was being used without consent

February 16, 2024

The road to hell is paved with good intentions. That has never been so true as in the ABC’s University program shut down amid class action investigating veterans’ medical data distributed without consent. A program, operating since 2005, that was designed to help veterans involved some quite cavalier practices in handling their personal information. The first problem was that the data was disclosed without the veterans’ consent. This story is not new. Senator Lambie raised specific concerns about the lack of consent, the lack of any ability to opt out and the Department of Veterans’ Affairs’ looseness with the truth regarding the concerning practices of MATES in an adjournment debate in the Australian Senate on 2 August 2023.

Why did it take 6 months for those who ran the program to respond? Even today the University of South Australia is crowing about how good the program is with Keeping patients alive by monitoring their medication. That is quite foolish in the circumstances.

The ABC article provides:

A University of South Australia program has been shut down and a class action is being considered amid claims by advocates that sensitive information about veterans was disclosed without their consent.

The Medicines Advice and Therapeutics Education Services (MATES) program has been cancelled amid revelations that the program was using identifiable data.

The program, led by the Department of Veterans’ Affairs (DVA) and running since 2005, involved the use of veterans’ healthcare card billing data provided by the department to conduct medical research.

Last week, the department’s ethics committee revoked its approval of the program.

Returned and Services League (RSL) South Australia president Dave Petersen said the impact on veterans has been profound.

“I know of veterans today who will not go to the doctor, because they do not want their medical information to be sent to the University of South Australia,” Mr Petersen said.


In France a data breach of Viamedis and Almerys, 3rd party payment operators, potentially affects 33 million

February 14, 2024

The numbers can boggle the mind. The data breach affecting Viamedis and Almerys has resulted in the exposure of 33 million individuals’ personal information. Viamedis and Almerys are healthcare payment service providers. The services provided by these companies are quite common in advanced countries. It is cheaper and more effective to have specialist companies processing payments of usually complex insurance or government payments. That makes them a high value target for hackers: so much information collected from a range of sources.

Bleeping Computer’s article on that data breach provides:

Data breaches at two French healthcare payment service providers, Viamedis and Almerys, have now been determined to impact over 33 million people in the country.

Viamedis and Almerys provide healthcare and insurance services in France with technological and administrative solutions to facilitate transactions.

They manage the sensitive data of policyholders required for granting reimbursements and generally streamline the payment process in France’s complex, multi-layered insurance coverage system.

Viamedis first disclosed the cybersecurity incident one week ago on LinkedIn (the company’s website remains down), saying that it suffered a data breach impacting beneficiaries and healthcare professionals.

The company said the exposure includes names, dates of birth, insurer details, social security numbers, marital status, civil status, and guarantees open to third-party payment.

Federal Trade Commission takes action against Blackbaud for inadequate security practices, seeks orders for it to delete unnecessary data

The Federal Trade Commission has taken action against Blackbaud and required it to delete personal data that it does not need. The genesis of this outcome was the poor security practices that let a hacker access a trove of sensitive personal information in 2020, much of which should not have been kept. The FTC set out the multiple Blackbaud transgressions: failing to segment data, failing to have multi-factor authentication and not notifying customers of the breach. In this case, as in many others, a data breach doesn’t reveal one flaw but usually a system-wide failure.

The media release provides:

South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.

As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers.

US Federal Communications Commission orders telecommunications companies to report data breaches which involve personal information within 30 days

February 13, 2024

An obligation to report data breaches is part of the GDPR and most privacy legislation in the common law countries. It is an obligation under Part IIIC of the Privacy Act, especially section 26WE. Now the Federal Communications Commission (“FCC”), according to the report FCC orders telecom carriers to report PII data breaches within 30 days, has ordered telecom carriers to report data breaches involving access to personal information within 30 days, commencing on 13 March 2024. That is generous when compared to

Federal Government announces criminalisation of doxxing and also bringing forward reform of the Privacy Act 1988

The Government has been spurred into expediting reform of the Privacy Act 1988 in response to the doxxing of details of members of a Jewish WhatsApp group. Those details found their way into the hands of activists and have been posted online. According to the Sydney Morning Herald’s ‘Doxxing’ laws to be brought forward after Jewish WhatsApp leak, doxxing will constitute a criminal act and that legislation will be introduced with the other Privacy Act reforms. When that will happen is not specified. Attorney-General Dreyfus stated that the anti-doxxing provisions will be made through the eSafety Commissioner but as part of the “civil reforms to the Privacy Act”. The Guardian covers the story in Albanese government to propose legislation to crack down on doxing. The Australian covers it with Albanese vows to crack down on doxxing. The Attorney-General just did a doorstop on doxxing where he suggested that provisions criminalising doxxing would be brought forward.

The transcript provides:

ATTORNEY-GENERAL MARK DREYFUS KC MP: The Albanese Government is committed to protecting the safety of Australians, and stronger privacy protections for individuals are essential. The increasing use of online platforms to harm people through practices like doxxing, the malicious release of their personal information without their permission, is a deeply disturbing development. The recent targeting of members of the Australian Jewish community through those practices like doxxing was shocking, but sadly, this is far from being an isolated incident. We live in a vibrant multicultural community which we should strive to protect. No Australian should be targeted because of their race, or because of their religion. The Albanese Government committed last year to stronger protections for Australians through reforms to the Privacy Act. We’ve had a long running review to the Privacy Act and late last year I announced the Government’s response to that review of the Privacy Act. The Prime Minister has asked me to bring forward, as part of that set of reforms to the Privacy Act, some new provisions to deal with this practice of doxxing, with the malicious use of people’s personal information without their consent. And we’ll also be bringing forward provisions, and the Prime Minister has asked me to do this as well, some provisions that strengthen current laws that deal with hate speech. The work will complement work that is already underway right across government, as we seek to strengthen online safety for all Australians. It’s work that my colleague, the Minister for Communications, Michelle Rowland has also been working on.

REPORTER: Given that accounts can hide behind dishonest profiles when committing acts of doxxing. How will these measures actually be affected? Will social media companies be compelled to expose those who release private information?

ATTORNEY-GENERAL: We’ve already got some provisions through the eSafety Commissioner that enable online platforms to be required to take down. We’ve seen the eSafety Commissioner not only sending takedown notices, but imposing penalties. That’s one of the measures that we’re certainly going to be looking at in relation to this practice of doxxing.

REPORTER: Can you define doxxing, in terms of which attributes it would be unlawful to maliciously reveal? Is it just identity, race and religion, or does it extend to other protected attributes, like sexuality and gender identity?

ATTORNEY-GENERAL: Doxxing is a broad term but I think it’s generally understood to be the malicious release publicly of personal information of people without their consent. That takes different forms. It’s clearly got different malicious purposes, depending on the context. But that’s something that we’re going to have to deal with when we prepare this legislation.

REPORTER: These group chats were released to the Nine papers originally where they were published. Would that leaked information and the group chat messages come under doxxing under this legislation?

ATTORNEY-GENERAL: We see that with massive changes in digital technology that is throughout our society, that the opportunities for invasions of privacy, the opportunities for the use of people’s personal information without consent, the opportunities for really malicious actions to take place, affecting hundreds of thousands of people very, very quickly, has been made possible. Legislation has struggled to keep up. That’s part of the reason behind this reform of the Privacy Act that we’ve embarked on. And clearly, all of those things are needing to be looked at.

……………

REPORTER: Can I clarify, bulking up the hate speech laws, that will be contained in the Religious Discrimination Bill? Will it? And when can we expect to see that?

ATTORNEY-GENERAL: We’ve already been working on the hate speech provisions. It is our intention to bring them forward with the Religious Discrimination Bill that we plan to bring forward. The Prime Minister has asked me to accelerate the work on the hate speech part of that package.

………..

The Australian article