The continuing ripples from the HWL Ebsworth data breach; NAB bank data leaked online

June 20, 2023

Large data breaches are rarely resolved quickly. That is why I am so surprised that organisations with the means and structures are so complacent with their data security. The focus is minimal compliance rather than security that is fit for purpose. The HWL data breach will be a long and excruciating process. The latest development is that data belonging to NAB have been found on line. See the Australian’s story NAB the latest to be confirmed as victim of HWL Ebsworth hack, with bank data leaking online . Beyond the revelation that the NAB has been affected the article itself is something of a reheating of earlier reporting. 

NAB has been motivated to issue a statement which provides:

“We are aware that HWL Ebsworth, a law firm engaged by NAB for some legal services, has been impacted by a cyber-attack. NAB’s systems were not impacted and remain secure. We are working with HWLE as they continue to get more information in relation to the content of these matters.”

There will be more statements like this from affected HWL Ebsworth clients (or ex clients). 

Based on the limited information provided to date it appears that the transfer of documentation from clients to the firm was not through access provided to the firm, as often happens with third party services providers working with an entity.  In those circumstances the danger is the initial hack will give rise to another hack as permissions and authorisations are stolen and used to access the other organisation.  Here HWL Ebsworth and its clients probably adopted the more traditional, and logical, means of transfer of documents.  The clients provided Read the rest of this entry »

The HWL Ebsworth data breach; the ripple effect. Its government clients set up working groups to sort through the rubble and work out what happens next

June 16, 2023

.

With large organisations/firms/government data that are comrpromised often belong to third parties such as clients or other organisations. With law firms that involves information provided necessary to permit advice work or litigation. And so it is with the HWL Ebsworth data breach. Which has led to the inevitable round two of the data breach, the clients of the firm doing damage assessments of what has happened to their data. The Australian reports in Fears government data has been stolen by cyber criminals grow as law firm’s clients are revealed that government departments have set up committees to determine the extent of the damage. And not before time.  Black Cat has not released 2/3rds of the data it exfiltrated. That is likely to happen at the most inopportune time given HWL Ebsworth has stated it will not pay a ransom. 

The Australian article provides:

The Albanese government has established a crisis group to examine what commonwealth data has been stolen by Russian-linked hackers who infiltrated the systems of HWL Ebsworth, the giant law firm that has tens of millions of dollars of contracts across at least 40 government departments and agencies. Read the rest of this entry »

To pay or not to pay ransomware hackers..the Government says no pay and the Business Council says provide a safe harbour

June 9, 2023

The Verizon’s 2023 Data Breach Investigations Report finds that ransomware was tied to 16% of all data breaches. That is double compared to last year’s report and that ransomware continued to be a factor in 24% of all data breaches. Interestingly in 93% of security incidents involving ransomware, victims reported no financial losses, at least based information submitted to the FBI. The remaining 7% of victims reported a median loss of $26,000. That was double what victims reported two years prior.

The overall costs of recovering from a ransomware incident are increasing while the ransom payouts are lower. This is due to the increase of automation and efficiency of ransomware operators.

The question of paying a ransom is vexed. Ransoms are paid and more often than observers think. Sometimes the hackers abide by the agreement and provide the key which unlocks the data. Sometimes the hackers behave like the criminals they are and take the ransom and provide no key and in fact release the data they exfiltrated from the site, if that was part of the data breach. Some provide the keys but upon unlocking the owner finds the ransomware program has damaged the data. Regulators generally advise against paying ransoms but acknowledge that it is a reality.

The Australian Government is considering making ransomware payments illegal. This has been met with some push back by cyber insurers. The Australian Business Council of Australia has called for a Safe Harbour. This has been reported by the Australian Financial Review at Businesses call for ‘safe harbour’ during major cyber incidents.

The BCA Read the rest of this entry »

Real Estate Institute of Australia call for retention of small business exemption in Privacy Act review. Nothing particularly new in the complaints

May 20, 2023

The small business exemption is a real weakness in the Privacy Act. The exemption applies to businesses with a turnover of $ 3 million or less. It was included in the amendments which brought the private sector under the regulation of the Privacy Act in 2001. The rationale for the exemption was not legal. Far from it. The stated reason was a concern about regulatory burden and cost of compliance. Given other universal regulatory obligations at the time and since, exempting small business operators from keeping records secure and not interfering with customers privacy was poor public policy. It remains so. In 2001 the volume of data held by the typical small business was modest compared with now. As costs of storing data decrease and the speed of processing increases coupled with programs to analyse data small businesses are as enthusiastic in collectng and analysing personal information as their larger counterparts. It is not hard setting up loyalty schemes and email lists. Or just want the information full stop. Real Estate agents are, generally speaking, voracious collectors of data. Of more concern is that many Real Estate agents collect more information than they need to deal with renters and register interest of potential purchasers. They have also been the subject of significant data breaches (see here, here, here, here and here).

It is then more than passing strange that the President of the Real Estate Institute of Australia, Hayden Groves, resists reform to the Privacy Act by removing the small business exemption as reported in Real estate agents push back against Australian privacy law changes designed to protect personal data. The arguments encompass the original justification for the exemption, the cost fo compliance, and then moves onto a claim that other form of regulations make coverage by the Privacy Act unnecessary. No details are provided. Of course. The additional cost complained off is not specified. There has never been Read the rest of this entry »

Commonwealth Attorney General announces the (re) creation of the Privacy Commissioner.

May 3, 2023

Today the Attorney General announced that the Government will create a stand alone position of Privacy Commissioner. The statement provides:

The Albanese Government will appoint a standalone Privacy Commissioner to deal with the growing threats to data security and the increasing volume and complexity of privacy issues.

Australians rightly expect their privacy regulator to have the resources and powers to meet the ongoing challenges of the digital age and protect their personal information.

The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.

This action is in significant contrast to that of the former Liberal Government, which left Australia disgracefully unprepared for this challenge by failing to strengthen privacy laws, and scrapping the position of a standalone Privacy Commissioner.

The Albanese Government takes privacy regulation seriously and has already acted to significantly increase penalties for companies which fail to take adequate care of customer data and give the Australian Information Commissioner improved and new powers.

The Australian people rightly expect greater protections, transparency and control over their personal information and the appointment of the standalone Privacy Commissioner restores the Office of the Australian Information Commissioner to the three-Commissioner model Parliament originally intended.

Currently, the Australian Information Commissioner, Ms Angelene Falk, holds a dual appointment as the Privacy Commissioner. I thank Ms Falk for her dedicated service in this role since 2018. Ms Falk will remain Information Commissioner and head of the OAIC.

A merit-based selection process to fill the role of Privacy Commissioner will commence today. Ms Falk will continue as the Privacy Commissioner until this process is finalised.

Freedom of Information Commissioner

In light of the recent resignation of Mr Leo Hardiman PSM KC as Freedom of Information Commissioner, I am also pleased to announce that we have appointed Ms Toni Pirani as acting Freedom of Information Commissioner, effective 20 May 2023. I thank Mr Hardiman for his significant contribution and wish him well in his future endeavours.

Appointing an acting FOI Commissioner will ensure that the OAIC can continue to undertake its FOI functions until a permanent appointment is made.

A merit-based selection process to select the ongoing FOI Commissioner vacancy will also commence today.

Read the rest of this entry »

The Information Commissioner’s Office releases submission of the 2023 – 2030 Cyber Security Strategy

April 21, 2023

There are no shortage of discussion papers involving Cyber Security/privacy/data management at the moment.  One of the most recent is the the Department of Home Affairs 2023-2030 Australian Cyber Security Strategy Discussion Paper. It is not particularly long or detailed. Being a Strategy it focuses on high policy and directions rather than detailed amendment and analysis. The Information Commissioner has published Submission to 2023–2030 Cyber Security Strategy Discussion Paper.

The Commissioner’s submissions are consistent with one agency commenting on power arrangements of other agencies, strong on administrative analysis and recommendations The Commissioner’s recommendation that the Strategy.  The Commissioner’s key recommendation is that any strategy has to sync carefully with the amendments to the Privacy Act.  The Commissioner also identifies the need for regulatory frameworks to work cohesively.  Unfortunately in this area matters have gone rapidly from weak regulation to multiple Acts and agencies.  It has been entirely responsive, after years of ignoring the threat of cyber attacks and failing to keep up with regulation.  The Commissioner is right to be concerned that even with multiple agencies and legislation they should cohere and avoid regulatory gaps.  Better to have overlap than gaps.  The Commissioner’s recommendation that she be permitted access to protected information in relation to matters involving data breaches is sensible as is the recommendation to ensure that reporting of breaches be consistent across the board. 

The key with any strategy is enforcement.  There is little point having comprehensive regulation and the affected organisations and agencies ignoring it because they know the regulators are timid and the penalties small.  There has long been a cultural problem in Australia in putting time, effort and money into maintaining proper data protection, of both the analog and digital kind.

The Submission provides, Read the rest of this entry »

Commonwealth Attorney General Privacy Act 1988 Review Report Part 1, chapters 3 & 4. Some observations about the analysis and proposals.

April 16, 2023

The date for submissions to the Attorney General’s Review of the Privacy Act Report closed on 31 March 2023.

I will be undertaking a detailed review of the Report, by related chapters, between now and when the draft Bill is released by the Government, probably before or after the Winter Recess.

This analysis relates to Chapters 3 and 4. The proposals contained in both chapters are not controversial and address weaknesses in the Privacy Act drafting that were identified for some time.  The recommendations regarding de identified and anonymised information attempt to address what remains a very difficult issue. The extent to which de identification is possible in a practical sense is matter of significant debate.  Those issues may come into sharp relief if a data breach involved theft of de identified information which was subsequently re identified.

CHAPTER 3 OBJECTS OF THE ACT

The Report notes that Privacy is not defined in the Act. It is a concept that can be broadly construed and may be understood as comprising a number of related concepts including informational privacy, bodily privacy, privacy of communications, and territorial privacy.

The Report proposes:

3.1 Amend the objects of the Act to clarify that the Act is about the protection of personal information.

The rationale for the amendment is that as the focus of the Act is to provide a framework for the handling and protection of personal information, the objects should more clearly reflect this.

The Report then states that the Act implements Australia’s international obligations in relation to privacy in part by providing a framework for regulating the collection, use, storage, disclosure and destruction of personal information but does not cover all aspects of privacy as the term is commonly understood.

The Report recommends:

3.2 Amend the objects of the Act to recognise the public interest in protecting privacy.

The Report notes that:

  • protection of privacy sits alongside other important interests: this is recognised in Article 17 of the International Covenant on Civil and Political Rights (ICCPR) and reflected in paragraph 2A(b) of the objects which are are sometimes, but not always, in tension.
  • paragraph 2A(b) of the objects should continue to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities.
  • the recognition of a public interest, as well as individual interest, in privacy will inform the balancing exercise, retaining sufficient flexibility for ‘countervailing interests to be given the weight they deserve’
  • the protection of privacy and the interests of entities in carrying out their functions and activities, including private commercial activities, are not necessarily in conflict. It is not a zero-sum game.
  • businesses that use data in a fair and responsible manner may serve the public interest indirectly, and deliver benefits to individuals and the broader economy, as well as their own commercial interests.

4.   Personal information, de-identification and sensitive information

The Report identifies a problem with principles-based definition of a lack of understanding  how to apply it to information in practice.

The Report notes that the definition has to be seen in context in the Act and as such the Act:

  • does not prohibit the collection, use and disclosure of personal information.
  • requires that the principles around personal information handling set out in the APPs must be followed, including only collecting reasonably necessary information and only using or disclosing it for the purposes for which it was collected unless the individual consents or another exception applies.

The definition of personal information is intentionally broad which ensures that APP entities keep privacy and risk-based personal information handling at the forefront of their minds when conducting their functions or activities,

Section 6 of the Privacy Act defines personal information as follows:

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Individual is defined as a ‘natural person’.

The current definition of personal information has two limbs:

  • the information is about an individual, and
  • the individual is identified or reasonably identifiable.

The Report identifies two categories of uncertainty about the definition:

  1. it is unclear which types of information can be personal information. For example, there is confusion about whether technical information that records service details about a device is the personal information of the owner of the device. Further, there is uncertainty about whether inferred information about an individual, for example in an online profile, will be personal information.
  2. there should be more clarity about how to ‘reasonably identify’ an individual and correspondingly how to know when an identifiable individual becomes ‘de-identified’.

The Report proposes to clarify the two categories of uncertainty through proposals that address the two limbs of the test for Read the rest of this entry »

41.9 million records compromised in cyber attacks in March 2023

April 11, 2023

Estimating the number of records accessed or otherwise compromised by data breaches is a fraught business. In the United States, Canada, the United Kingdom, Europe and Australia with mandatory data breach notification laws and a media which has a interest in data breaches it is possible to assemble some reasonable statistics about cyber attacks. There is some data available from Latin America and more advanced economies of Asia, the Middle East and Africa. As for the rest information is spotty and often unreliable. Itgovernance has calculated that in March alone there were 100 publicly disclosed cyber attacks in March which affected 41,970,182 records. These figures should be regarded as an understatement as to the worldwide number of breaches in March. Given the volume of data breaches it is also fair to surmise that the reported breaches to the Australian Information Commissioner is also an understatement of the number and extent of those breaches.

According to itgovernance the biggest of these data breaches were:

  • Latitude Financial

The largest confirmed data breach of March 2023 occurred at Latitude Financial, with more than 14 million records being compromised.

The Melbourne-based company, which provides personal loans and credit cards to people in Australia and New Zealand, reported that cyber criminals had captured several different types of data.

Almost 8 million drivers licences were stolen, along with 53,000 of passport numbers and dozens of monthly financial statements.

An additional 6 million records dating back to “at least 2005” were also compromised in the attack, the source of which is not yet known.

The most concerning aspect of this breach is that Latitude Financial originally reported that only 300,000 people had been affected. This suggests that it had a poor understanding of the attack and rushed to disclose the breach.

Having to then update its estimate invites further public scrutiny of the attack and could see customers lose faith in the company. Read the rest of this entry »

Latitude Financial woes continue and follow a trajectory all too common with large data breaches suffered by organisations with poor breach response plans.

March 29, 2023

The Latitude Financial data breach has taken the familiar path marked out by previous organisations who have suffered a data breach and who had poor understanding of their obligations and were hopelessly unprepared for dealing with the possibility of a breach . Latitude’s slow and inept response has mirrored many of the failings of Optus and Medibank in their responses to data breaches. After the initial vague publicity about the data breach Latitude provided on 27 March 2023 an increased estimate of the numbers of customers whose personal information was impacted, of approximately 7.9 million individuals. The same day the Information Commissioner issued a statement which doesn’t say much beyond that it is making enquiries and working with other government agencies. This seems to be the new approach when a big data breach occurs, remind people that the Commissioner exists and is doing stuff. The question is what exactly is that stuff.

There is a real skill to drafting statements about data breaches.  In the United States where data breach notifications have been a feature of regulation for a significant number of years the advice to the market and consumers are crafted carefully.  They tend to be Read the rest of this entry »

Australian Information Commissioner and Marriott International enter into enforceable undertaking on 4 February 2023

March 10, 2023

The Marriot Hotel entered into an enforceable undertaking with the Australian Privacy Commissioner for a data breach arising out of breaches between 2015 – 2018. I have posted on those breaches and the regulatory action taken by the UK Information Commissioner here, here, here and here. Worldwide the breaches affected the personal information of 339 million individuals. In Australia the records of 2.2 million were compromised. The Marriot Breach highlighted poor data security practices, with the breach occurring over a 3 year period, and the challenges of legacy IT issues. All too often IT systems are cobbled together and not properly maintained.

The enforceable undertaking is operable for 5 years.  Compared to agreements in the United States between the Federal Trade Commission and organisations for similar transgressions, that is a short time frame.  It is not uncommon for the FTC to enter into 20 year agreements.  This enforceable undertaking is more robust than the previous few enforceable undertakings the Commissioner has entered into however it is not as stringent as those imposed in the United States. In the United States such agreements usually incorporate a very significant fine.  Given the legislation in Australia that was not possible.

Some of the relevant matters of note from the enforceable undertaking Read the rest of this entry »