Peter A Clarke

There have been some very significant data breaches in Australia in May. They include a data breach at Gregory Jewellers, with the loss of 574 gigabytes from the company, Champion Homes lost 44 gigabyte which was posted on the darknet, a data breach of a third party provider to Queensland Education and a data breach at Scope Systems. The Canvas data breach by the cybercriminal group Shiny Hunters has been the biggest data breach story in May. The Information Commissioner published an almost proforma statement on the data breach involving Canvas. Seven months ago Canva was hacked using an encrypted password data accessing 4 million Canva accounts. Canva published a reasonable statement of where things are at and the need to change passwords. The data breach had a huge impact on education providers in Australia. They were amongst the 9,000 institutions worldwide who were impacted. It also highlighted the poor response plans of many educational institutions. This lead to a scam warning about those trying to make some quick money pretending to be from Education Departments. Canva ultimately paid a ransom. It is rumoured to be $US10 million but that has not been confirmed. This has led to the usual hand wringing about the problems with paying ransoms, with a lot of speculation about the dangers of making payments without much hard data to support them. And there are problems with giving in to hackers. But it is not a simple issue and definitely not a binary choice. Operations like Canva have been damaged severally by this attack which has affected its primary, if not sole, business. The Australian Government does not recommend that ransomware be paid but has not criminalised that conduct. Under Part 3 of the Cyber Security Act 2024 a “reporting business entity” must report a ransomware payment within 72 hours of making that payment.