Fiig Securities fined $2.5 million for cyber security failures in first action against financial services licensee for this sort of breach

February 12, 2026

ASIC has successfully obtained a penalty of $2.5 million, plus legal costs of $500,000, against Fiig Securities for cyber security failures over 4 years and a data breach in 2023 which resulted in the loss of 385GB of data affecting 18,000 of its clients. ASIC is, needless to say, very satisfied with the outcome. Not only are the penalty and costs order, totalling $3 million, painful, but there is also the reputational damage. The legal action has been reported widely, including by cyber daily, itnews and financial standards.

The action highlights the changing litigation landscape. Cyber attacks will no longer be treated as "one of those things", acts of God or a cost of doing business. Regulators do look at the systems, protocols and training of organisations hit by cyber attacks, and if they find inadequacies there is a real chance the organisation will face civil proceedings, whether brought by ASIC or the Privacy Commissioner. The best protection is proper, up to date cyber security and a decent regime of training in handling data. Even if there is a cyber attack, having a good system in place will counter a regulator looking for a scalp.

The story is covered by

Privacy Commissioner starts 2026 with compliance sweep of privacy policies of 60 entities in the rental & property, chemists & pharmacists, licensed venues, car rentals & car dealerships and pawnbrokers & second hand dealer industries

February 1, 2026

The lack of enforcement of the Privacy Act 1988 has been a chronic problem for many years. That is reflected in a poor level of compliance and a dreadful privacy culture among many companies and organisations. It seems the Privacy Commissioner wants to change that. On 9 December 2025 the Privacy Commissioner announced that there would be a privacy compliance sweep of the privacy policies of 60 entities in 6 industries.

The statement provides:

Australia’s privacy regulator will start 2026 with its first-ever compliance sweep, conducting a targeted review of selected businesses’ privacy policies to ensure they meet strict rules.

The compliance sweep, which will begin in the first week of January, will scrutinise the privacy policies of businesses that collect information in person. For example, real estate agents asking for phone numbers at open houses, or car rental agencies presenting customers with lengthy forms.

Entities found to have non-compliant privacy policies may face compliance and infringement notices and penalties of up to $66,000. Legislative changes to the Privacy Act passed by Parliament in 2024 expanded the possible regulatory consequences for infringements of certain foundational requirements of the Act. This includes the failure to have a privacy policy containing certain information.

The Privacy Commissioner has trained her gaze on sectors and practices involving the in-person collection of personal information for the Office of the Australian Information Commissioner’s (OAIC) first privacy compliance sweep, after identifying that such practices often involve power and information asymmetries. “When confronted with in-person requests for their personal information from retailers, licensed venues, car hire companies or real estate agents, consumers often don’t have access to all the information they might need to make an informed decision,” said the Privacy Commissioner, Carly Kind. “This makes them vulnerable to overcollection of personal information and creates risks to their security and privacy.”

“In conducting a compliance sweep, the OAIC intends to ensure that entities are meeting their obligations to be transparent with consumers and customers about how they’re using the personal information they collect in-person. We hope this will also catalyse some reflection about how robust entities’ privacy practices are, and whether more can be done to improve compliance with the Privacy Act writ large.”

“The Australian community is increasingly concerned about the lack of choice and control they have with respect to their personal information. The first building block of better privacy practices is a clear privacy policy that transparently communicates how an individual can expect their information to be collected, used, disclosed and destroyed.”

The OAIC will review the privacy policies of approximately 60 entities from the following 6 sectors that may collect information in-person for compliance with requirements under APP 1.4:

    • Rental and property – collection of individuals’ personal information during property inspections.
    • Chemists and pharmacists – collection of personal information for the purpose of providing a paperless receipt and collection of identity information to provide medication.
    • Licensed venues – collection of identity information to enable individuals to access a venue.
    • Car rental companies – collection of identity and other personal information to enable an individual to enter into a car rental agreement.
    • Car dealerships – collection of personal information to enable an individual to conduct a vehicle test drive.
    • Pawnbrokers and second-hand dealers – collection of identity information from individuals who wish to sell or pawn goods.

The target sectors have been selected noting the particular privacy risks associated with collection of personal information, particularly personal identification documents, and the privacy breaches that have occurred within these sectors. Target entities will be identified having regard to their size and location, as well as by reference to high profile and high-risk entities within each sector (including entities which may previously have been subject to a data breach).

Entities’ privacy policies will be assessed to ensure they meet the requirements of Australian Privacy Principle (APP) 1.4, which sets out what a privacy policy must include. The OAIC has recently updated its APP 1 guidance.

The OAIC takes a risk based and proportionate approach to regulation and if non-compliance is detected as part of the sweep, the OAIC will consider its recently expanded regulatory toolkit in determining the most appropriate regulatory response.

This compliance sweep is consistent with the more robust and assertive approach to enforcement taken by the current Privacy Commissioner. While the Commissioner has not said what the consequences will be for an organisation found to be non-compliant in the sweep, she referred specifically to the increased enforcement options, including the issuing of infringement notices.

The Australian Privacy Principles (APPs) require

UK Information Commissioner fines a password manager 1.2 million pounds for data breach

The raison d’être of password manager companies is to protect and manage the plethora of passwords their customers must use for work, play or just personal matters. Those companies hold a great deal of their customers’ personal information, even where the passwords themselves are encrypted so that the provider cannot read them. It would be disastrous if such a company suffered a data breach, and even more damaging if the personal details of its customers were stolen. Which is exactly what happened to LastPass in the UK. The UK Information Commissioner found that LastPass suffered a data breach which resulted in the personal information of 1.6 million individuals being compromised. As the media release makes clear, the hacker was thorough in probing the weaknesses in LastPass’s defences.

They first compromised an employee’s corporate laptop and took encrypted company credentials, then targeted a senior employee who had access to the decryption keys, getting onto that employee’s personal device by way of a known vulnerability in a third-party streaming service. A keylogger captured the employee’s master password, which was the single password protecting both their personal and business LastPass vaults, and multi-factor authentication was bypassed using a trusted device cookie. The business vault held the Amazon Web Services (AWS) access key and the decryption key which, combined with the credentials stolen earlier, enabled the hackers to extract the personal information from the backup database.

As if it needed saying, proper defences cannot be focused on the perimeter alone. Comprehensive protection throughout the organisation is necessary: at every level, and at every point of contact with the internet, which in this case included the personal device of an employee holding the keys to the backups.

The media release provides:

    • Service which promises to help people improve their security has failed them, leaving them vulnerable
    • Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customers
    • ‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted

We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users. 

We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to unencrypt customer passwords as these are stored locally on customer devices and not by LastPass. 

The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs. 

John Edwards, UK Information Commissioner, said: 

“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced. 

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today. 

“I call on all UK business to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks”. 

Details of the two incidents 

Incident one

    • A hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment.
    • No personal information was taken however encrypted company credentials were. If decrypted, this would allow access to the company’s backup database.
    • LastPass took steps to mitigate the hacker’s activity and believed encryption keys remained safe as they were stored outside of the area accessed by the hacker in the account vaults of four senior employees.

Incident two

    • The hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.
    • A keylogger was installed capturing the employee’s master password and multi factor authentication was bypassed using a trusted device cookie.
    • The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
    • The hacker then gained access to the employee’s business vault which contained the Amazon Web Service (AWS) access key and decryption key.
    • This information, combined with information taken the day before, enabled the hacker to extract the contents of the backup database which contained the personal information.
