31,000 passwords of Australian customers of the Big Four Banks have been stolen and are being traded on the dark net.

April 29, 2025

There has been another big data breach involving 14,000 Commbank customers, 7,000 ANZ customers, 5,000 NAB customers and 4,000 Westpac customers, according to the ABC’s article Banking passwords stolen from Australians are being traded online by cybercriminals. The passwords were stolen from users’ personal devices by “infostealer” malware; the banks’ own systems were not breached, which is why the banks’ anti-fraud controls, rather than their perimeter, are what stands between the victims and a loss.

The article provides:

More than 31,000 passwords belonging to Australian customers of the Big Four banks are being shared amongst cyber criminals online, often for free, the ABC can reveal.

Despite the anti-fraud protections in place at those banks, cybersecurity experts warn victims could “definitely” lose money as a result.

Data breaches in April 2025 that we know about

April 23, 2025

The list of data breaches in Australia continues to grow. It is not extraordinary compared to similar countries such as the United States, Canada and the United Kingdom. The exposure to regulatory action is greater now that the Privacy Act has been amended; whether that comes to pass is the question. With the statutory tort of interference with privacy coming into effect on 10 June 2025, there may also be exposure if the actions or omissions giving rise to the data breach were reckless.

The breaches, or at least those that we know

The European Data Protection Board releases a report on AI privacy risks and sets out recommendations to mitigate privacy and data protection risks

The EDPB has released a report titled AI Privacy Risks & Mitigations Large Language Models (LLMs). A dry title on an important issue.

The AI Privacy Risks & Mitigations Large Language Models (LLMs) report sets out a comprehensive risk management methodology for LLM systems and, importantly, mitigation measures for common privacy risks in LLM systems.

LLMs are another important advance in artificial intelligence. They process and generate human-like language, having been trained on extensive datasets.

It is a long and very technical document but one that privacy practitioners should

The UK Information Commissioner’s Office fines a UK law firm 60,000 pounds after a cyber attack. Australian law firms like Slater and Gordon, HWL Ebsworth and Brydens Lawyers, which have suffered significant data breaches, would be in serious difficulty if their breaches had occurred in the United Kingdom. Australian enforcement is not nearly as strong.

April 17, 2025

Law firms are a prime target for data breaches. They hold significant personal information and sensitive information of corporations and government agencies. The UK Information Commissioner’s Office has imposed a very hefty fine of 60,000 pounds on the Merseyside-based DPP Law Ltd following a cyber attack in June 2022 which resulted in the theft of 32GB of data. The firm only became aware of the loss when it was contacted by the National Crime Agency, which advised it that the data had been posted on the dark web. DPP Law Ltd had poor cyber security: a brute force attack on an infrequently used administrator account that lacked multi-factor authentication was enough to gain access to a legacy case management system, and from there the attackers were able to move laterally across its network. That bespeaks a very rudimentary system. Then, after being notified of the breach, it took the view that the loss of access to personal information did not constitute a personal data breach, and it waited 43 days before notifying the ICO. It is a case study of what not to do, which is exactly how the ICO has used it, by publicising the litany of errors committed.
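The attack path the ICO describes, a brute force login against a seldom-used administrator account with no MFA followed by lateral movement, is one of the easiest to catch from authentication logs if anyone is looking. As an added example that is not from the ICO notice and not DPP’s code or data, the following Python flags a burst of failed logins followed by a success from the same source, and separately lists administrator accounts that lack MFA and have been idle long enough that they should have been disabled. The one-line log format, the account inventory, the threshold and window, and all names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events in a hypothetical one-line format:
# six failures then a success against a rarely used admin account from one
# source, plus a normal user who mistypes once. None of this is DPP's data.
SAMPLE_LOG = """\
2022-06-03T02:14:01Z user=legacy-admin src=203.0.113.7 result=FAIL
2022-06-03T02:14:02Z user=legacy-admin src=203.0.113.7 result=FAIL
2022-06-03T02:14:03Z user=legacy-admin src=203.0.113.7 result=FAIL
2022-06-03T02:14:04Z user=legacy-admin src=203.0.113.7 result=FAIL
2022-06-03T02:14:05Z user=legacy-admin src=203.0.113.7 result=FAIL
2022-06-03T02:14:06Z user=legacy-admin src=203.0.113.7 result=FAIL
2022-06-03T02:14:41Z user=legacy-admin src=203.0.113.7 result=SUCCESS
2022-06-03T08:01:10Z user=alice src=10.0.0.5 result=FAIL
2022-06-03T08:01:25Z user=alice src=10.0.0.5 result=SUCCESS
"""

# Constructed account inventory (hypothetical): name -> (is_admin, mfa_enabled, last_login).
ACCOUNTS = {
    "legacy-admin": (True, False, datetime(2022, 1, 15, tzinfo=timezone.utc)),
    "it-admin": (True, True, datetime(2022, 6, 1, tzinfo=timezone.utc)),
    "alice": (False, False, datetime(2022, 6, 2, tzinfo=timezone.utc)),
}

# Assumed date the access review is run, used by the idle-account check.
REVIEW_DATE = datetime(2022, 6, 3, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one (user, src, failures, success_time) tuple for every successful
    login preceded by at least `threshold` failures from the same source within
    `window`. A success resets the window so each burst is reported once."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[(ev["user"], ev["src"])]
        # Drop failures that have fallen outside the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        else:
            if len(recent) >= threshold:
                hits.append((ev["user"], ev["src"], len(recent), ev["ts"]))
            recent.clear()
    return hits


def risky_admin_accounts(accounts, as_of, max_idle_days=90):
    """List (name, is_idle) for admin accounts without MFA. The idle ones are the
    'infrequently used' accounts that should be disabled rather than left exposed."""
    out = []
    for name, (is_admin, mfa_enabled, last_login) in accounts.items():
        if is_admin and not mfa_enabled:
            idle = (as_of - last_login) > timedelta(days=max_idle_days)
            out.append((name, idle))
    return out


if __name__ == "__main__":
    for user, src, n, when in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {n} failures then success for {user} from {src} at {when:%H:%M:%SZ}")
    for name, idle in risky_admin_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"ADMIN WITHOUT MFA: {name}{' (idle, disable it)' if idle else ''}")
```

The two checks are deliberately independent: the first is a detection that needs the logs to exist and be read, the second is a preventive control review that would have found the account before any attacker did. Thresholds here are arbitrary; in practice they are tuned to the lockout policy, and a success after a long run of failures from a single source is worth an alert even when the count is small.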

The ICO media release provides:

We have fined Merseyside-based DPP Law Ltd (DPP) £60,000, following a cyber attack that led to highly sensitive and confidential personal information being published on the dark web.

We found DPP failed to put appropriate measures in place to ensure the security of personal information held electronically. This failure enabled cyber hackers to gain access to DPP’s network, via an infrequently used administrator account which lacked multi-factor authentication (MFA), and steal large volumes of data.

DPP specialises in law relating to crime, military, family fraud, sexual offences, and actions against the police. The very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information. As the information stolen by the attackers revealed private details about identifiable individuals, DPP has a responsibility under the law to ensure it is properly protected.

Andy Curry, Director of Enforcement and Investigations (Interim), said:

“Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access.

“In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.

“Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident.

“Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”

Cyber attack details

In June 2022, DPP suffered a cyber attack which affected access to the firm’s IT systems for over a week. A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system. This enabled cyber attackers to move laterally across DPP’s network and take over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it.

You can read the full details of the incident in our monetary penalty notice.

Legal requirements and our guidance

The law requires organisations to take continual and proactive steps to protect themselves against cyber attack. This includes ensuring all IT systems have MFA or equivalent protection, regularly scanning for vulnerabilities and installing the latest security patches without delay.

We have detailed guidance to help organisations understand their security obligations, including the duty for all organisations to report personal data breaches.

Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.

Australian firms have been hit with significant and damaging data breaches recently. The HWL Ebsworth data breach via a cyber attack in April 2023 resulted in approximately 2.2 million documents being affected. The Information Commissioner opened an investigation in February 2024, 14 months ago. There has been no public resolution of that investigation. It is the subject of a class action, with the National Justice Project now representing 12 National Disability Insurance Scheme (NDIS) participants against HWL Ebsworth. In March, Cyber Daily reported, in Brydens Lawyers suffers alleged 600GB data breach following ransomware attack, that the firm had suffered a significant data breach in February 2025. Also in February 2025 Slater and Gordon suffered a humiliating data breach by

The cyber attack on Australian super funds continues to reveal weaknesses in the funds’ approach to data security and breaches

April 11, 2025

The coordinated attack on Australian super funds was always going to generate a lot of press. But despite what some cynics might suggest, the press need something to write a story about. Unfortunately the handling of the data breach has been, at best, pedestrian. The first problem is the lag between discovering the breach and notifying any authority. It is not mandatory to notify the police, and under the mandatory data breach notification laws an affected organisation has up to 30 days to assess whether there has been an eligible data breach before it must notify (rather than the more rigorous 72 hours under the GDPR). That said, the optics in Australia seem to be that prompt notification gives organisations some cover. According to the Australian’s story Tony Burke goes soft on Big Super as cyber attack sinks into farce, the organisations are confused as to what they did and when they did it. The AFP was notified 5 days after the attack and says that Victoria Police will lead the investigation. Victoria Police is yet to formally investigate. The bigger concern is the evidence appearing that suggests there were repeated warnings for the funds to strengthen their online security and nothing was done about them. Those warnings did not just come from agencies and organisations but also from customers who wanted multi-factor authentication and were fobbed off. Multiple regulators have

There are 2 calendar months until the statutory tort of interference with privacy comes into effect. The tort comes into effect on 10 June 2025

April 10, 2025

The statutory tort of interference with privacy comes into effect on 10 June 2025; 2 calendar months away.

The tort will be prospective only in effect and the limitation period is 1 year. It is the first time that individuals will have a stand-alone right to take action in the Federal Court or the Federal Circuit and Family Court of Australia for interference with their privacy, whether by intrusion upon seclusion or misuse of personal information or both. The actions in equity and negligence which may deal with privacy breaches remain available, and they carry no cap on general damages and no limit on aggravated damages. It will be interesting to see whether the tort is pleaded together with equitable causes of action.

Cyber attack at Western Sydney University. The latest in a long line of cyber attacks on educational institutions

Western Sydney University has suffered a data breach affecting the data of about 10,000 individuals. It has posted a statement today which reveals that on 24 March 2025 it became aware of a post on the dark web referring to information taken from the university. That was over 2 weeks ago. The post itself was dated 1 November 2024, over 5 months ago. The University’s statement follows the usual pattern in Australia of saying it notified the various authorities. It lists those authorities. What it hasn’t done is notify the 10,000 current and former students, but it “expects to” do so. It is a fairly average notice, far below that which one would expect of a large organisation. It says very little in a lot of words. It concludes by

NIST releases Incident Response Recommendations and Considerations for Cybersecurity Risk Management

April 9, 2025

The National Institute of Standards and Technology has released an especially valuable document, Incident Response Recommendations and Considerations for Cybersecurity Risk Management.

The abstract provides:

This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incident responses, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities. Readers are encouraged to utilize online resources in conjunction with this document to access additional information on implementing these recommendations and considerations.

The Report provides a useful glossary for those reporting on or drafting protocols and procedures dealing with data breaches including:

  • an event is any observable occurrence that involves computing assets, including physical and virtual platforms, networks, services, and cloud environments. Examples of events are user login attempts, the installation of software updates, and an application responding to a transaction request. Many events focus on security or have security implications.
  • Adverse events are any events associated with a negative consequence regardless of cause, including natural disasters, power failures, or cybersecurity attacks. This guide addresses only adverse cybersecurity events.
  • A cybersecurity incident is “…an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” with such incidents including:
    • Employing a botnet to send high volumes of connection requests to an internet-facing service, making it unavailable to legitimate service users
    • Obtaining administrative credentials at a software-as-a-service provider, which puts sensitive tenant data entrusted to that provider at risk
    • Intruding upon an organization’s business network to steal credentials and use them to instruct industrial control systems to shut down or destroy critical physical components, causing a major service disruption
    • Deploying ransomware to prevent the use of computer systems and cause multiple data breaches by copying files from those systems
    • Using phishing emails to compromise user accounts and using those accounts to commit financial fraud
    • Identifying a new vulnerability in network management appliances and exploiting the vulnerability to gain unauthorized access to network communications
    • Compromising a vendor’s software, which is subsequently distributed to customers in its compromised state

Regarding incident response roles and

UK Information Commissioner’s Office publishes review into use of children’s data by financial services

April 8, 2025

The Information Commissioner’s Office (“ICO”) has published a review into the gathering of children’s data by services supplying them with current accounts, savings accounts, trust accounts, ISAs and prepaid cards. Given the greater, and long overdue, concern about children’s privacy, it is prudent to look at the review and consider what is being done in Australia. What is clear is that an organisation which fails to maintain proper standards will, if there is a data breach or other issue and the regulator reviews its processes and procedures, face acute embarrassment. Given that the Privacy Commissioner now has powers to issue infringement notices and compliance notices, rather than going to the delay and expense of long and drawn out investigations and civil penalty proceedings, this is a factor organisations should consider carefully.

Some of the findings from the review are:

  • 69% of participants had policies and procedures in place to control the use of children’s data.
  • Only 67% of those organisations proactively monitored compliance with their policies and procedures.
  • 45% of participants had limited assurance that staff were processing children’s information in line with internal or even legislative requirements.
  • Only 14% of participants had assigned responsibility for children’s data in policy or relevant job descriptions.
  • While 97% of participants provided staff with general data protection training, only 18% included content about the use of children’s personal information.
  • While 49% of participants said they provided children with age-appropriate privacy information, less than a quarter of all participants had carried out any testing to check how easily children would understand it.
  • Only 36% of children’s savings account products which are opened by parents but transferred to the child at 16 provided the child with privacy information during the transfer process.
  • When opening a child-owned savings account, 83% of participants provided children with privacy information.
  • 5% of participants also required children to acknowledge that they had read the privacy information, usually recorded by signing the application form.
  • Only 11% of these participants actually carried out any assessment of whether children were competent enough to understand their notice.
  • 66% of participants indicated it would be the parent’s responsibility (where a parent is present) to ensure the child understood the privacy information, and no attempt would be made to confirm the child understood it.
  • 66% of participants reviewed the categories of information they collect on a regular basis to make sure it is limited to what is necessary.
  • 40% of participants collected special category data, limited to health data, which is only processed after explicit consent has been obtained.
  • 24% of participants relied on consent obtained from the child to process their information for specific purposes. However, 42% of those participants relied on acknowledgement of information provided within privacy information or key facts documents to obtain that consent, which did not meet the requirements of the UK GDPR.
  • 88% of participants had no process in place to assess a child’s understanding of their data protection rights. For 34% of these participants this was because they had preset age limits which determined whether a child was able to exercise their rights. In most cases this age limit was set at 13 years old, although some participants had set it as high as 16.
  • 20% of participants who offer products which process children’s information but are controlled by parents did not allow children to access their information or exercise this right at any age.
  • 96% of participants had an embedded process for verifying the age of children when an account is opened.
  • 63% of participants had a policy in place to govern communications provided to children, including marketing material. For 83% of participants the policy prohibited the provision of marketing material to children.
  • 75% of participants provided communications which included general information about the service provider and also administrative account information. 29% of participants provided communications containing general organisational administrative information. 8% of participants provided marketing communications to children.
  • 33% of participants had a process in place to regularly update the contact information they hold.
  • Only 8% of participants required children to have access to their own email and/or phone to open an account; where children did have these, the details were recorded in the majority of cases in which the child has some control over the account (current or savings accounts). 76% of participants used parents’ contact information, such as email or phone, to provide communications.
  • Of the participants who do allow marketing to children, 75% included opt-in and opt-out options on the account application form. The remaining 25% sought consent from the parent only.

The Executive Summary

The fallout from the super breach continues, highlighting the consequences of poor data security

April 7, 2025

What many organisations fail to appreciate is that a data breach can result in multiple regulators investigating and taking action, not just the Privacy Commissioner. In fact the Privacy Commissioner can be the least aggressive. That is particularly the case with financial institutions, where there are quite specific regulations regarding maintaining accounts and security. This is highlighted by the Australian’s article Australian super funds face steep fines after massive cyber attack. AustralianSuper will refund its members. And the story refuses to die as new facts emerge. Two days after the coordinated attack there was a separate attack on another super fund, Cbus, which says that it has been hacked. That gives rise to feverish speculation and recollection of warnings about cyber risk being dismissed.

The exposure of super funds to regulatory action is significant. There is a real problem with breaches of APP 11, the requirement to maintain proper data security. Financial services licensees have obligations under section 912A of the Corporations Act 2001. In May 2022 the Federal Court found that RI Advice, a financial services licensee, had breached its licence obligations by failing to manage cyber security risks; ASIC brought that civil proceeding. APRA also has jurisdiction. Furthermore, there is likely exposure on any representations super funds made about the security of members’ accounts, and to claims in equity.

In addition to regulators investigating and bringing action, the various cyber security agencies and the Federal Police become involved. It becomes a hugely