Health data “must vulnerable” to attack

March 1, 2023

For more than a decade I have been writing about the propensity for health data to be the subject of data breaches.  It has been a long standing problem which predates the digital age.  Health services and their practitioners have been notoriously prone to data breaches.

The Australian in Health data ‘most vulnerable’ to hack attack rehashes the obvious in breathless terms.  As if it is major discovery.  It is not.  Data Breach in Healthcare Most Hit by Ransomware Last Year, FBI Finds reports the FBI listed health care facilities as being the most attacked of critical infrastructure.

Health organisations have many and Read the rest of this entry »

Commonwealth to establish an agency to fight cyber attacks; a cyber security office and national co ordinator

February 27, 2023

When confronted with a difficult issue, either establish an inquiry or create a governmental office. The Government, conftonting the reality of significant data breaches has opted for the bureaurocratic option, establish a cyber tsar.  And of course, a discussion paper.

The rationale is set out in an interview between Clare O’Neil, the Minister for Home Affairs, on AM this morning.  It provides:

SPEAKER: First this half hour, months after millions of people had their personal data hacked during the Optus and Medibank cyber-attacks, the Federal Government setting up a new agency to tackle the problem, there will be a new senior official called a Coordinator For Cyber Security, who will lead a National Office for Cyber Security, and that’s within the Federal Government’s Department of Home Affairs, and along with a round table of business security and tech leaders the Prime Minister is releasing a discussion paper about a new cyber security strategy.

The Home Affairs Minister is Clare O’Neil, she’s spoken with the ABC this morning, saying the Government’s taking an important step forward.

CLARE O’NEIL: We arrived in Government confronting a real mess with cyber security, so what we saw was different parts of Government and the private sector doing important things, but kind of all rowing in different directions, and what was clearly needed here was political leadership, and we’ve got that from the personal investment of the PM, and he today has decided to appoint a coordinator to ensure that there is spine and strategy for the work being done throughout Government, and also an office within my department that will support the coordination work.

SABRA LANE: So practically what will that person do, and when will this office be in place? 

CLARE O’NEIL: So two really important tasks for this person. The first will be, as I said, to try to provide some strategy and structure and spine to the work being done across Government. So it will mean things like making sure that the billions of dollars that we are investing in cyber security each year are being spent in a way that’s strategic and appropriate, that we’ve got different parts of Government communicating with each other and working together on helping with cyber security protections across the country. Read the rest of this entry »

Queensland University of Technology suffers data breach involving 11,405 people

February 7, 2023

Educational institutions are prime targets for cyber attacks by state actors and criminals.  I have previously written on cyber attacks on tertiary institutions at UWAUniversity of Tasmania, Deakin University, the ANU in 2019 and 2022.  There have been many other data breaches of educational institutions in the United States and Europe.  Tertiary institutions are prime targets because they store so much personal information and intellectual property. They are especially tempting targets because tertiary institutions have poor cyber security.  The reasons are many and varied; systems cobbled together when institutions merge, too many authorisations, a failure to remove authorisations, differing protocols in different departments, a failure to encrypt data, a failure to properly silo data and, most importantly, indifferent training and inadequate funding.  Even though the attacks are regular and impact severe educational institutions remain poorly prepared.

I Having proper data security means dealing with both technical issues but also cultural problems. For too long businesses have not properly factored in the risks.  Boards and management don’t address the issues and don’t properly consider what cybersecurity risks are, and what needs to be done to protect themselves from them.  That includes promoting and developing a culture of cyber resilience.

In practical terms that includes:

  • doing an inventory of every computer system that exists across the organisation to determine if it is being properly patched, whether there is  proper user access and  multi factor authentication.
  • reviewing the type of data being held, determining where it is stored, how it is being protected and who has access to it. That exercise will expose vulnerabilities.
  • making sure there are back ups of data which are stored in a way that any data breach can’t affect that storage.
  • check whether the organisation is complying with the NIST framework.   It is not officially the standard but is as good as it gets It also adopts useful strategies when dealing with soft defence, passive defence and active defence.
  • undertaking audits and penetration testing by outside organisations. There is no substitute for testing.
  • having a data breach response plan and have exercises to determine that it works.  That means knowing who to contact when there is a data breach.

The Queensland University of Technology is the latest institutions to suffer a data breach.  It announced yesterday that the data breach affected 2492 current employees, 17 current students, 8,846 former employees  and 50 former students.  The data relating to individuals included tax file numbers and bank account details . In January it had issued a vaguer report of the data breach which it identified as a ransomware attack.

The statement provides:

QUT has identified that some data was stolen in a cybercrime attack on December 22, 2022.

Firstly, QUT is disappointed and sorry that this cybercrime has potentially impacted on our staff and former staff. It is important to note the security of our HR, student or financial systems was not compromised or accessed by the cyber criminals. We also have no evidence to date of any further illegal activity in relation to the data that may have been accessed by the cyber criminals. Read the rest of this entry »

Medibank saga reveals that personal information of those who inquired about but did not obtain private health cover from Medibank was accessed in the data breach. Real questions over data minimisation policies of Medibank

January 24, 2023

The lesson from overseas is that the data breach is only the beginning of the problems for the affected organisation.  As the organisation and, significantly, the regulator review the carnage the investigation goes well beyond the cause of the breach and what security measures were in place and goes to issues of general data collection and handling.  Organisations with poor data security commonly have a poor understanding of data collection.  All too often organisations collect too much personal information, information that is not relevant to their operations and keep what they collect for too long, often not culling irrelevant information at all. Investigations then expand and often enough penalties accrue.  Sometimes an organisation receives a greater penalty for breaches of the data protection laws not directly related to the data breach itself. These investigations increase the time it takes to put the data breach behind the organisation, increases the cost and further harms an organisation’s reputation.  Almost invariably these other deficiencies were easily avoided with proper advice, policies, protocols and training.

The Australian Reports in Data at risk just asking for Medibank quote that Medibank that non customers of Medibank who provided personal information to Medibank in their inquiries about policies had that personal information compromised by the Medibank hack. That information includes, names gender, date of birth, email and phone details. As with many organisations there was a commercial benefit in collecting that information even if the individuals did not purchase a policy.  The information can be used for marketing and modelling.  That said, that ccollection and retention is in breach of the Privacy Act and contrary to principle of data minimisation.

Maurice Blackburn, Banister Law and Centennial Lawyers have joined together in a representative action involving as many as 9.7 million affected by the Medibank Data Breach.

The Australian article Read the rest of this entry »

The Commonwealth Government considering right to be forgotten as part of its Privacy Law reforms

January 19, 2023

As is the way with modern law reform the Government of the day salts the media with stories of what may be in the yet to be released package of amendments or new laws.  So it is with the mooted reforms to the Privacy Act.  The Guardian has run a detailed story titled Australia to consider European-style right to be forgotten privacy laws. The article roams widely over some of the privacy reform proposals including a statutory right to sue for breach of privacy.  It also ventures into other areas of law reform including a Judicial Commission.

The right to be forgotten is now quite a mature part Read the rest of this entry »

A Christmas Greeting…and yes there is a Santa Claus

December 25, 2022

Merry Christmas and seasons greetings to all.

As is my tradition on this page, I mark Christmas with one of the most wonderful editorials ever written, the “Yes, Virginia, there is a Santa Claus.”   This 1897 editorial by the New York Sun is the epitome of good prose; it is precise, effective, warm and clear.  Even the most hardened cynic cannot be moved by the simple plea for a belief in the better and the essence of  Christmas, its spirituality and the concept of redemption.  It is easy to scoff at such “naive” beliefs.  Every year I

The editorial took on a life of its own and is regarded as one of the great pieces of journalistic prose,.  It still attracts column inches of analysis and shameless reproduction.  Because the message is as apt today was it was over a hundred years ago.  An

Here it is:

Dear Editor,
I am 8 years old. Some of my little friends say there is no Santa Claus. Papa says, “If you see it in The Sun, it’s so.” Please tell me the truth, is there a Santa Claus?
Virginia O’Hanlon
“115 West Ninety-Fifth Street”

VIRGINIA
    Your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except what they see. They think that nothing can be which is not comprehensible by their little minds. All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

    Yes, VIRGINIA, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to our life its highest beauty and joy. Alas! How dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

    Not believe in Santa Claus? You might as well not believe in fairies! You might get your Papa to hire men to watch all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove? Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see. Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders that are unseen and unseeable in the world.

    You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, or even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernatural beauty and glory beyond.
Is it all real? Ah, VIRGINIA, in all this world there is nothing else as real and abiding.

    No Santa Claus! Thank God! he lives and he lives forever. A thousand years from now, VIRGINIA, nay, ten times ten thousand years from now, he will continue to make glad the hearts of children.

Another expose about abuse of the Victorian Police LEAP database, involving litigation this time and yes, another call for an inquiry. A chronic abuse of privacy that stubbornly is not properly addressed.

December 16, 2022

The misuse of the Victorian Police’s database, known as LEAP, has been chronic and systemic for many years.  The reports of those misdeeds by sworn officers are regular.  I posted on them on 9 February 2014 with Leakage of LEAP data an ongoing privacy issue …. for so long. on 18 May 2015 with Another problem with the Victorian Police, the LEAP database and privacy, on 16 October 2016 with Victoria police has yet another problem with data security… new breaches familiar pattern of behaviour,  IBAC released a 33 page report on Unauthorised access and disclosure of information held by Victoria Police.

The key findings of that IBAC report were:

    • Unauthorised access and disclosure of information are key enablers of other corrupt behaviour. These corruption risks are often overlooked as risks by agencies. This is evident in the lower than expected number of reports made to IBAC, and in the behaviours uncovered in investigations undertaken by IBAC and other public sector agencies. It is expected that as the understanding of information misuse as an enabler of corruption increases, this will help detection and investigation by Victoria Police.
    • Unauthorised disclosures to the media is a risk across public sector agencies, including Victoria Police which frequently deals with issues of high public interest. These incidents are difficult to substantiate due to the source of the information leaks often being difficult to identify.
    • Sharing information with approved third parties also presents many corruption risks. Although policies may be in place to control information access and disclosure by third parties, the proactive detection and enforcement of information misuse by agencies owning the information is difficult. This is especially relevant for Victoria Police, which holds significant private personal details about citizens.
    • Increased use of personal devices and smart phones in the workplace has made unauthorised disclosure of information much easier. This is particularly the case for those Victoria Police employees who use their personal mobile phones to conduct their work duties,5 including using cameras to capture evidence or using applications to take notes or recordings.
    • IBAC intelligence suggests information misuse is under-reported across the entire public sector, including Victoria Police. This may be due to it being under-detected, an under-appreciation for information security and privacy rights, or a lack of awareness that information misuse and disclosure may constitute an offence in itself.
    • The number of reports of information misuse made to IBAC related to Victoria Police is higher than from other public sector agencies but is also declining. The higher number of reports may be due to Victoria Police employees and members of the public having a higher level of awareness of the risks related to information misuse, due to the large amount of sensitive information their organisation holds. The declining number of reports over time may reflect under-reporting and the difficulties in detection. A recent spike in reported incidents in 2017-18 may reflect improving information security practices by Victoria Police and its employees.
    • Victoria Police and IBAC often do not detect information misuse until they are investigating other misconduct or corrupt actions. This is partly due to information security systems, which have not been fully developed, and a lack of proactive monitoring and auditing processes in place to detect unauthorised information access.
    • Customised auditing of information access is under-utilised by Victoria Police and its benefits are under-appreciated. A program of proactive, extensive and repeated auditing could be used to identify and deter unauthorised access of information.
    • The introduction in 2016 of the Victorian Protective Data Security Framework (VPDSF) and the Victorian Protective Data Security Standards (VPDSS) across the public sector is expected to reduce unauthorised information access and disclosure. For Victoria Police, the VPDSS does not represent a materially higher standard for information security than the previous Standards for Law Enforcement Data Security. However the VPDSS represents a shift from prescriptive standards to a more flexible risk-based approach.

It is also relevant to note that the Victorian Information Commissioner, not the strongest or most rigorous privacy regulator, handed down a critical report on the privacy and information handling at the Victoria Police.  The 15 August report, Examination report into privacy and information handling training at Victoria Police published, find that the Victoria Police did not comply with its privacy obligations.  The media release provides:

Part of OVIC’s role as Victoria’s privacy regulator includes oversight of Victoria Police and its management of law enforcement data.

On 30 September 2021, OVIC commenced an examination into the privacy and information handling training at Victoria Police.

The objective was to examine whether the training provided to Victoria Police personnel meets the requirements of Information Privacy Principle (IPP) 4.1 under the Privacy and Data Protection Act 2014 (Vic).

IPP 4.1 outlines that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification, or disclosure.

During this examination, OVIC staff gathered information from relevant Victoria Police personnel on how training is developed, delivered, and evaluated at Victoria Police, with an interest in information handling and privacy both generally and within the context of family violence investigations.

“In performing its law enforcement functions, Victoria Police collects, manages, and uses sensitive and personal information of Victorians, including delicate information related to some of the most vulnerable members of the community” said Information Commissioner Sven Bluemmel.

“A lack of appropriate training in privacy and information handling can increase the risk of misuse, loss, unauthorised access, modification, and disclosure of this information.”

The examination found that as of February 2022, Victoria Police had not provided any privacy-specific training available for its members for more than a year. The examination also found a lack of resources within its Privacy unit and Education Unit.

While no dedicated privacy training was available to Victoria Police members, there was a range of training available to Victoria Police personnel that touched on information handling principles including cyber security and information security.

Due to a lack of dedicated privacy training and awareness provided, the examination found that Victoria Police may not be compliant with its obligations under IPP 4.1.

In contrast, the examination found that since the 2016 report of the Royal Commission into Family Violence, Victoria Police has done extensive work on providing family violence training to its personnel, including providing comprehensive guidance about handling information gathered in a family violence context.

Victoria Police’s response to the Royal Commission into Family Violence demonstrates it can deliver effective training on handling sensitive and personal information when this is prioritised and appropriately resourced” said Mr. Bluemmel.

Victoria Police has accepted the findings of the examination and has provided further resourcing to its privacy team. It has also undertaken to review privacy and information handling education annually.

OVIC will continue its engagement with Victoria Police to promote, support, and ensure reasonable steps are taken to protect the personal information of Victorians.

The ABC reports in Victoria Police allegedly use LEAP database to pursue, stalk, harass women prompting calls for inquiry that the problem continues but now legal action is being taken against the Victoria Police.  It provides:

Rachel Wilks was just 15 when Jayden Faure used his position as a police officer to try to pursue a relationship with her. 

Ms Wilks had been assaulted by a family member. She was alone in the city with no phone or train ticket home when she came into contact with police.

“I was in a super vulnerable place,” she said. Read the rest of this entry »

Data breaches come in all shapes and sizes as Telstra’s addition to the hall of infamy reveals. Telstra reveals personal information onto the web through its own technical error

December 13, 2022

Not all data breaches involve criminal acts by hackers breaking into a network and exfiltrating data.  Sometimes an organisation will be reveal data through its own actions.  Telstra has suffered a data breach involving ‘s data breach impacting 132,000.   The breach involved a technical error resulting in it making personal information available on line.  Telstra describes it as a misalignment of databases.  Technical errors of this nature are not inevitable. Poor planning by IT is a common reason, focusing on the end result rather than the protections needed on the way through,  On 31 March 2020, the Federal Court of Australia  made publicly available  the names of details of several hundred people with cases currently or previously in the Court and the Federal Circuit Court (FCC) through the Commonwealth Courts Portal. Anyone visiting the Portal could have accessed the names and details of a person seeking asylum and information about their claim. The data breach was caused by an internal IT error.  The Federal Court should have been investigated by the Information Commissioner.  To its credit it did commission a review by Professor John McMillan in August 2020 which resulted in a 38 page report which was, not unusually for the Australian public service, a mix of polite tut tutting, gentle patting on the back for the work done and anodyne recommendations for improvement.  If the breach had happened in the United States the landing would have been much bumpier.  The Federal Court does have a publicly available data breach response plan.  It is fairly bare boned. One would expect a much more detailed plan to be available within the organisation.

Telstra is something of a frequent flier in the data breach world with a data breach in October 2022 with Australia’s Telstra hit by data breach, two weeks after attack on Optus, in May 2021 with Telstra service provider hit by cyber attack as hackers claim SIM card information stolen, in July 2018 with Telstra customer stumbles across contact details of 66,000 fellow customers,  in 2018 with Medical records exposed by flaw in Telstra Health’s Argus software and in Telstra privacy breach leaves customer’s voicemail exposed amongst other matters. If Telstra was operating in the United Kingdom or United States the regulators would take very strong and very public action.

The ABC has run a reasonably detailed story Read the rest of this entry »

To disclose or not disclose a data breach…UK companies fear reporting while a Brooklyn Hospital suffers a backlash because it did not notify about a data breach

December 7, 2022

In Australia under Part IIIC of the Privacy Act 1988 organisations covered by the Privacy Act and Commonwealth Government agencies are required to notify of a data breach in certain circumstances, what is known as an eligible data breach.  It is effectively a self assessment though there are consequences if there is no notification when there should have been one.  It is regime that has been justifiably criticised in the wake of the Optus and Medibank data breaches.  The recent amendments to the regime improve rather than fix its operation.

It is an open secret that there is significant under reporting of data breaches in the United States, United Kingdom and Australia.

In UK Companies Fear Reporting Cyber Incidents, Parliament Told Data Breach today reports that there may be a deep reluctance to report breaches to the UK Information Commissioner.  There is mandatory data breach notification in the United Kingdom and affected entities are supposed to report within 72 hours of becoming aware of the breach.  This reluctance to report can and often does backfire as the story Brooklyn Hospitals Decried for Silence on Cyber Incident.  In that case Brooklyn Hospitals were hit with a ransomware attack on 19 November which necessitated transferring patients to other hospitals. The lack of explanation caused annoyance, at minimum, for other hospitals as well as the patients affected.  This poor practice results in even closer scrutiny by regulators.

The reluctance of UK entities to report a data breach because of additional scrutiny from the Information Commissioner remains poor practice.  It is almost trite to say that organisations that suffer data breaches almost invariably had privacy and data security as a low priority which translated into inadequate training and data handling practices.  When regulators respond to a notification they often find a litany of other issues.  Sometimes those are the issues that cause the organisations the greater difficulty. A common problem is data collection.  Many organisations hold onto personal information long after they have any need for it. Names of long departed or deceased customers/patients, details of people who have unsubscribed to a service and solicited information are commonly held .  Because the cost of storage is relatively inexpensive and data held digitally do not absorb physical space it is not inconvenient to hold that data for whatever reason.

As Medlab discovered once Read the rest of this entry »

Re Straightline Construction Co Pty Ltd [2022] VSC 708 (18 November 2022); Application to set aside a statutory demand pursuant to s 459G of the Corporations Act 2001 (Cth) on grounds of genuine dispute, dispute as to the identity of the contracting parties

December 4, 2022

In Re Straightline Construction Co Pty Ltd [2022] VSC 708 the Supreme Court, per Gardiner AsJ, considered an application to set aside a statutory demand on the grounds that the applicant was not a party to the agreement giving rise to a liability which formed the basis of a statutory demand.  This is quite a common issue where parties are involved in the building and construction industry.  It is not uncommon for builders to work through multiple entities, many of whose names are quite similar.   As this case demonstrates, it is not simply enough for the Applicant to allege that the wrong party was served with a demand as another entity was a party to the contract. As this case shows such a contention can be successfully challenged if the respondent has contemporaneous documentation and concessions by representatives of the applicant .

FACTS

 On 9 December 2021, Hansen Yuncken Pty Ltd (‘Hansen Yuncken’), as head contractor, engaged Straightline Civil Pty Ltd (‘Straightline Civil’), as subcontractor, (‘the Hansen Yuncken Contract’) to carry out retention and foundation piling works as part of a large residential construction project at Bills Street, Hawthorn (‘the Project’) [6]

Straightline Construction’s evidence was that:

  • it defined the issue as

[Straightline Construction] disputes that the debt claimed in the Statutory Demand is due and payable, by reason of there being a genuine dispute that the debt is owing as the Company is not the entity which contracted with [Browns] to perform the services detailed in the Invoices, and the debts have not been sufficiently particularised.

  •  Straightline Construction was incorporated in March 2020
  • Straightline Construction performs civil construction works in metropolitan Melbourne, partiuclarly in  Brighton and Clayton
  • there are various ‘Straightline’ entities with different controllers, each having its own role in different projects & that Straightline Construction is not involved in the Hansen Yuncken contract at all [38]
  • where it is said that Browns had dealings with ‘Straightline’ for several years, it was in fact engaged by four separate Straightline entities depending on the project and the entity involved in the Project was Straightline Civil, not Straightline Construction [40].
  • a direction should have been issued to make it clear that invoices were to be issued to Straightline Civil and not Straightline Construction [41] invoices addressed to Straightline Construction should have been requested to be reissued to Straightline Civil.
  • on 20 September 2022, Peter Greenstreet, an Operations Manager of Browns, sent an email enquiring as to whom the invoices for the remaining works on the Project should be issued to & Oltan Yemez, representing Straightline Civil, responded, stating that all invoices should be issued to Straightline Civil [42].
  • an ASIC search of Straightline Civil  records Tarkan Gulenc as the sole director & the correspondence referred to between Mr Gulenc and representatives of Browns confirms that Straightline Civil admits it owes the debt [43]
  • in regard to correspondence relied on by Browns to support their proposition that Straightline Construction owes the debt, the reference to intentions to pay  does not refer to Straightline Construction being liable to pay the debt [46].
  • the communications containing promises to pay in the text message exchanges on 8 July 2022 were in the context of a statutory demand having been served by Browns approximately one month before and no reference to the identity of the contracting party as Straightline Civil [47]
  • an agreement has been reached (which he refers to as the ‘Tri-Partite Deed’) between representatives of Hansen Yuncken, Straightline Civil, and Browns in relation to the payment of outstanding amounts, whereby Hansen Yuncken agrees to pay progress payments due to Straightline Civil in respect of the Project directly to Browns, in satisfaction of outstanding invoices rendered by Browns in relation to the Project (including those the subject of the Demand) and that a total of $193,775.56 has been paid to date, being the payment of $105,739.93 (including GST) in relation to the July Payment Schedule and $88,035.63 (including GST) in relation to the August Payment Schedule [51] – [52].
  • Staightline Construcion has never been contracted to perform subcontract work on any sites in Hawthorn [12]

The respondent’s evidence Read the rest of this entry »