UK Information Commissioner’s Office fines Advanced Computer Software Group 3.07 million pounds for security failures resulting in a ransomware attack affecting 79,404 people. Lessons for Australian organisations.

March 28, 2025

The UK Information Commissioner’s Office (“ICO”) has fined Advanced Computer Software Group Ltd (“Advanced”) some £3.07 million for inadequate security which resulted in a ransomware attack in August 2022 that disrupted the operation of NHS services and affected 79,404 people. The ICO found that Advanced’s security measures fell seriously short of what it would expect from an organisation processing a large volume of sensitive information.

While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. Hackers were able to access Advanced’s systems via a customer account. Access to that account was not protected by multi-factor authentication. Once in the systems, the hackers were able to exfiltrate data belonging to 79,404 people.  That included, with respect to 890 people receiving home care, details of how to gain entry to their property. 

Last year, the ICO signalled its intention to fine Advanced £6.09m. After considering Advanced’s submissions it reduced the fine to  £3.07m. One but not the only reason for the reduction was Advanced’s “proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted”.  Other factors were Advanced’s notification to customers within 24 hours of discovery irrespective of whether they were affected, providing a team of 18 people to restore  infrastructure and engaging external experts to undertake a forensic investigation and analysis of the data impacted.  Advanced also undertook a comprehensive review of potentially impacted data.  There are lessons in the Australian context.  It is important for an organisation to react quickly, decisively and engage with all relevant authorities. That means having a plan.

The statement provides:

The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.

New South Wales court website hacked

March 27, 2025

Courts have long been a target of cyber attacks. There was a data breach at the Australian Federal Court in 2020, revealing names of refugee applicants. In January 2024 Court Services Victoria was hacked; that breach involved recordings of hearings dating as far back as 2016. In January 2021 the United States Courts announced that they were putting in place extra safeguards to protect records in light of previous data breaches. In July 2022 the United States House Judiciary Committee investigated data breaches involving the U.S. Federal Courts dating back to early 2020. The latest data breach involves the New South Wales court website. The Government confirms that about 9,000 court files, including domestic violence orders, were accessed in a data breach.

As is usual in Australia, the initial information provided is vague, to put it kindly. It appears that legitimate credentials were used, either by an outsider who acquired those credentials or by a person within the Department misusing his or her own. Whoever used the account gained unlawful access to the system, and the obvious question is the adequacy of the controls protecting the information. Was a separate password, available only to those with specific clearance, required to access that information? Why was IT not notified when a person without authorisation accessed the information? How the breach was detected is not clear. The ABC reports that the breach was only detected later, during routine maintenance, when technicians noticed some data had changed. Other news reports say the breach was identified during a “security check” after some data had changed. Different backgrounding going on. Even more curious is what happened to the data. “Accessed” is a general term with a meaning ranging from having the ability to open documents, to actually opening those documents, to exfiltrating those files. It seems likely that the processes operating at the New South Wales Department of Justice were deficient.

The ABC report of the data breach

Metropolitan police in UK install first permanent facial recognition cameras in London

March 25, 2025

The Times reports that the first permanent facial recognition cameras have been installed in London. It is being touted as a pilot project but it may be a precursor to the scheme being extended across London. The Information Commissioner’s Office has released guidance on the use of facial recognition technology, which it treats as a form of biometric recognition. It has also issued specific guidance on live facial recognition technology for police. There have been significant cases of misuse of facial recognition technology, with serious privacy implications. The misuse of facial recognition by police is well documented, and it is misused by the private sector too. In February 2024 the ICO ordered Serco Leisure to stop using facial recognition to monitor employee attendance. The use of CCTV and facial recognition technology is more extensive in the United Kingdom than in Australia. That said, the regulator is quite active in reviewing its operation and the legislation is more rigorous than in Australia.

It is likely that the use of facial recognition technology will quickly become more widespread, especially when combined with AI. Doing so without properly adhering to the provisions of the Privacy Act 1988 may attract the attention of the regulator. On 19 November 2024 the Privacy Commissioner published a determination finding that Bunnings’ use of facial recognition technology breached the Privacy Act. On the same day the Privacy Commissioner published guidance on the use of facial recognition technology. It is critical that organisations contemplating using this technology understand their obligations under the Privacy Act 1988.

The Times article provides:

Facial recognition cameras that scan for wanted criminals are being installed permanently on UK high streets for the first time.

The Metropolitan Police will permanently put up live facial recognition (LFR) cameras in Croydon, south London, as part of a pilot project that may see the scheme extended across the capital.

China publishes security measures on the use of facial recognition technology

March 23, 2025

In one of those “one for the books” events, the Cyberspace Administration of China, in collaboration with the Ministry of Public Security, has published security measures for the use of facial recognition technology. The measures will take effect on 1 June 2025. Given how intrusive Chinese authorities have been in the past with surveillance and the use of facial recognition technology, it will be interesting to see how much real change results.

The measures apply to the use of facial recognition technology, meaning biometric recognition technology that uses facial information to identify an individual, to process facial information within China.

Interestingly, the measures exclude from their scope the processing of facial information for research and development or algorithm training purposes.

Under the measures, facial recognition activities must comply with applicable laws and regulations and, inter alia:

  • have a specific purpose;
  • be necessary;
  • minimise the impact on personal rights and interests; and
  • implement strict protection measures.

Personal information handlers must, inter alia:

  • before processing, inform individuals in a prominent manner and clear and understandable language of certain information, such as contact information and purposes and method of processing;
  • inform individuals of any changes to the information provided to them;
  • when the processing is based on consent, obtain voluntary and explicit consent, including providing the right to withdraw consent;
  • when processing a minor’s information, obtain the consent of a parent or other guardian;
  • store facial information on the facial recognition device itself and not transmit it over the internet;
  • conduct a Personal Information Protection Impact Assessment (PIPIA) and include the contents outlined in the measures; and
  • if processing data of more than 100,000 individuals, notify the provincial-level or higher cybersecurity and informatization department within 30 working days, and provide the information outlined in the measures.

The measures require personal information handlers to

Federal Communications Commission is taking action to protect submarine cables from cyber security attacks

March 18, 2025

Most advanced countries now have comprehensive legislation dealing with the protection of critical infrastructure. In Australia the most notable is the Security of Critical Infrastructure Act 2018, which covers 11 sectors.

There is also the

In that vein, the US Federal Communications Commission is conducting its first comprehensive review of its submarine cable rules since 2001, to enhance the protection of the nation’s submarine cable infrastructure amid evolving national security concerns. The FCC is following the now standard approach of requiring cable operators to confirm that they take reasonable measures to protect the confidentiality, integrity and availability of their systems, and to provide cybersecurity plans.

The FCC proposals are reported in FCC proposes new cybersecurity mandates for submarine cable operators in major rule review, seeks public input, which

ASIC commences action against FIIG Securities for cyber security failures

March 14, 2025


The Australian Securities and Investments Commission announced yesterday that it was suing FIIG Securities for “systemic and prolonged cyber security failures” from March 2019 until 8 June 2023. As a result, hackers entered FIIG’s IT systems and stole personal information which was released onto the dark web. ASIC specifically referred to the Federal Court decision of Australian Securities and Investments Commission v RI Advice Group Pty Ltd (No 3) [2022] FCA 84. That was the first case in which a failure to manage cyber risk was found to be a breach of a licensee’s financial services obligations. The case was resolved by the parties proposing consent orders containing declarations and consequential orders. Given the nature of the repeated breaches, RI Advice’s legal representatives negotiated quite a favourable outcome, notwithstanding that orders were made against their client. In the United States or the UK the penalties would have been much more severe.

Helpfully, ASIC has provided a concise statement of facts and the Originating Process. From those, ASIC alleges that between 13 March 2019 and 8 June 2023 FIIG did not comply with its AFSL obligations under section 912A(1) of the Corporations Act 2001 (Cth) to:

  1. do all things necessary to ensure that financial services were provided efficiently, honestly and fairly (s 912A(1)(a)), by failing to have in place adequate measures to protect its clients from the risks and consequences of a cyber incident;
  2. have available adequate resources (including financial, technological, and human resources) to, amongst other things, ensure that it had in place adequate cyber security measures required by its licence (s 912A(1)(d)); and
  3. have in place a risk management system that adequately identified and evaluated the risks faced by FIIG and its clients; adopt controls adequate to manage or mitigate those risks to a reasonable level; and implement those controls (s 912A(1)(h)).

ASIC alleges that FIIG failed to have the following cybersecurity measures:

  • Planning and training: there was no cyber incident plan communicated to and accessible by employees and tested at least annually, and no mandatory cyber security training (at commencement of employment and annually);
  • Access restrictions: there was
    • no proper management of privileged access to accounts, including revoking access that was no longer required, and no greater protection for privileged accounts; and
    • no configuration of group policies to disable legacy and insecure authentication protocols;
  • Technical monitoring, detection, patches and updates: there was no, or only inadequate,
    • vulnerability scanning, involving tools deployed across networks and endpoints, and processes run at least quarterly with results reviewed and actions taken to address vulnerabilities;
    • next-generation firewalls (including rules preventing endpoints from accessing file transfer protocol services);
    • endpoint detection and response software on all endpoints and servers, with automatic updates and daily monitoring by a sufficiently skilled person;
    • patching and software update plans (with critical or high importance patches applied within 1 month of release, and 3 months for all others), and a practice of updating all operating systems, with compensating controls to systems incapable of patching or updates; and
    • security information and event management (SIEM) software configured to collect and consolidate security information across all of FIIG’s systems, with appropriate analysis of the same (daily monitoring);
  • Testing: there was a lack of
    • processes to review and evaluate efficacy of technical controls at least quarterly; and
    • penetration and vulnerability tests from internal and external points.
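The controls listed above, together with the incomplete MFA coverage that let the attackers into Advanced’s systems through a single customer account, lend themselves to a routine inventory check. The following is an added example, not code from this page, from ASIC, FIIG or Advanced: it audits a constructed account and patch inventory against those expectations (every account on MFA, legacy authentication disabled, dormant privileged access revoked, critical/high patches applied within one month and all others within three). The field names, the 90-day dormancy threshold and the sample data are assumptions made for the example.

```python
# Added example (not from the page, ASIC's filing, FIIG or Advanced): an offline
# audit of a constructed account and patch inventory against the control
# expectations described in the text. Field names, thresholds and sample data are
# assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patch SLAs as alleged in the FIIG matter: critical/high within 1 month, others 3 months
CRITICAL_HIGH_SLA = timedelta(days=30)
OTHER_SLA = timedelta(days=90)
# Assumption: privileged access unused for this long should have been revoked
DORMANT_AFTER = timedelta(days=90)


@dataclass
class Account:
    name: str
    privileged: bool
    mfa_enrolled: bool
    legacy_auth_allowed: bool  # legacy/basic protocols that skip the MFA prompt
    external: bool             # customer or third-party account
    last_login: date


@dataclass
class Patch:
    host: str
    advisory: str              # constructed label, not a real identifier
    severity: str              # "critical", "high", "medium" or "low"
    released: date
    applied: Optional[date]    # None = not yet applied


def audit_accounts(accounts, today):
    """Return (account name, reason) findings for access-control gaps."""
    findings = []
    for a in accounts:
        if not a.mfa_enrolled:
            # The Advanced lesson: one unprotected account is enough for an attacker
            findings.append((a.name, "no MFA" + (" (external account)" if a.external else "")))
        elif a.legacy_auth_allowed:
            findings.append((a.name, "legacy auth enabled; MFA can be bypassed"))
        if a.privileged and today - a.last_login > DORMANT_AFTER:
            findings.append((a.name, "dormant privileged account; revoke access"))
    return findings


def patch_deadline(p):
    """Deadline by which the patch should have been applied under the SLA."""
    sla = CRITICAL_HIGH_SLA if p.severity in ("critical", "high") else OTHER_SLA
    return p.released + sla


def audit_patches(patches, today):
    """Return (host, advisory, reason) findings for missed patch SLAs."""
    findings = []
    for p in patches:
        deadline = patch_deadline(p)
        if p.applied is None:
            if today > deadline:
                findings.append((p.host, p.advisory, f"overdue by {(today - deadline).days} days"))
        elif p.applied > deadline:
            findings.append((p.host, p.advisory, f"applied {(p.applied - deadline).days} days late"))
    return findings


# Constructed sample inventory (not real systems or accounts)
SAMPLE_ACCOUNTS = [
    Account("svc-backup", True, True, True, False, date(2025, 1, 2)),
    Account("customer-portal-01", False, False, False, True, date(2025, 3, 1)),
    Account("admin-jdoe", True, True, False, False, date(2024, 10, 1)),
    Account("analyst-asmith", False, True, False, False, date(2025, 3, 10)),
]
SAMPLE_PATCHES = [
    Patch("fileserver-1", "advisory A", "critical", date(2025, 1, 10), None),
    Patch("fileserver-1", "advisory B", "medium", date(2025, 1, 10), None),
    Patch("web-1", "advisory C", "high", date(2024, 12, 1), date(2025, 1, 20)),
    Patch("web-1", "advisory D", "low", date(2024, 11, 1), date(2025, 1, 15)),
]
AUDIT_DATE = date(2025, 3, 14)

if __name__ == "__main__":
    for name, reason in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"ACCOUNT {name}: {reason}")
    for host, advisory, reason in audit_patches(SAMPLE_PATCHES, AUDIT_DATE):
        print(f"PATCH {host} {advisory}: {reason}")
```

Run as written, the audit flags the external account with no MFA, the service account whose legacy authentication sidesteps MFA, the dormant administrator account, and the two patches that missed their SLA; the medium-severity patch is still inside its three-month window and is not reported.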


NIST announces a review of its cyber security framework in light of developments in AI

Artificial intelligence is becoming the great disrupter, and in privacy and cyber security its impact is especially acute. The National Institute of Standards and Technology (“NIST”) has announced the process to develop a new Cyber AI Profile for its Cybersecurity Framework.

NIST notes

EU release pseudonymisation guidelines

March 13, 2025

On 16 January 2025 the European Data Protection Board (EDPB) adopted Guidelines 01/2025 on Pseudonymisation, with effect from 17 January 2025. Pseudonymisation is poorly understood by organisations and some practitioners. It is also an important means of data protection.

It should be noted that OVIC has undertaken a very detailed assessment of de-identification and highlighted the problems with it.

The guidelines set out detailed guidance on the use and benefits of pseudonymisation under the General Data Protection Regulation (GDPR). Importantly, they clarify:

  • what pseudonymisation means,
  • how to use it to meet data protection requirements, and
  • how to implement it.

Australia operates under the Privacy Act and is not bound by the GDPR. That said, many organisations in Australia operate in Europe and to that extent are bound by the GDPR. Further, the guidelines from the EU, like the NIST publications, provide valuable assistance in dealing with privacy issues.

What is Pseudonymisation?

Art. 4(5) of the GDPR defines pseudonymisation as “the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that it is not attributed to an identified or identifiable natural person.”

Pseudonymisation can be implemented through various techniques, such as the use of tables that map pseudonyms to original identifiers while keeping pseudonyms and original identifiers separate and secure (e.g., in the hands of two separate organizations). 

Pseudonymisation should at least cover direct identifiers (e.g. passport or social security numbers, but also the combination of a person’s full name with his or her date of birth) which, alone, allow data subjects to be identified. The pseudonymising entity should also be mindful of indirect identifiers (e.g. by deleting, generalising or randomising them), which may still allow a data subject to be identified despite the pseudonymisation.
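As an added illustration, not taken from the guidelines or from OVIC: a small Python implementation of the table-based approach described above, with the lookup table held by the pseudonymising entity (or a second organisation) and never released alongside the data, and with indirect identifiers generalised rather than copied through. Treating email as a direct identifier, the year-only and area-prefix generalisations, the 16-hex-character pseudonym format and the sample records are all assumptions made for the example.

```python
# Added example (not from the EDPB guidelines): table-based pseudonymisation with
# the mapping table kept separately from the pseudonymised data, plus
# generalisation of indirect identifiers. Field names, generalisation rules and
# the sample records are constructed for illustration.
import secrets

# Assumption: these fields on their own identify a data subject
DIRECT_IDENTIFIERS = ("full_name", "passport_no", "email")


class PseudonymTable:
    """Mapping pseudonym <-> original value.

    Held by the pseudonymising entity or a second organisation; it is the
    'additional information' of Art. 4(5) and is never shipped with the data.
    """

    def __init__(self):
        self._forward = {}   # (field, original) -> pseudonym
        self._reverse = {}   # (field, pseudonym) -> original

    def pseudonym_for(self, field, value):
        key = (field, value)
        if key not in self._forward:
            token = secrets.token_hex(8)   # random: reveals nothing about the value
            self._forward[key] = token
            self._reverse[(field, token)] = value
        return self._forward[key]          # same input -> same pseudonym (linkable)

    def reidentify(self, field, pseudonym):
        """Only the table holder can go back to the original."""
        return self._reverse[(field, pseudonym)]


def generalise_dob(dob):
    """'1984-07-19' -> '1984': keep the year only."""
    return dob[:4]


def generalise_postcode(postcode):
    """'3000' -> '30xx': keep the area prefix, drop the locality."""
    return postcode[:2] + "xx"


# Assumption: indirect identifiers and how each is generalised
INDIRECT_GENERALISERS = {"dob": generalise_dob, "postcode": generalise_postcode}


def pseudonymise(record, table):
    """Replace direct identifiers with pseudonyms, generalise indirect ones."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = table.pseudonym_for(field, value)
        elif field in INDIRECT_GENERALISERS:
            out[field] = INDIRECT_GENERALISERS[field](value)
        else:
            out[field] = value             # payload (e.g. treatment) passes through
    return out


def pseudonymise_all(records, table):
    return [pseudonymise(r, table) for r in records]


def leaks_direct_identifier(record, pseudonymised):
    """Check that no original direct-identifier value survives in the output."""
    originals = {record[f] for f in DIRECT_IDENTIFIERS if f in record}
    return any(v in originals for v in pseudonymised.values())


# Constructed sample records (fictional people)
SAMPLE_RECORDS = [
    {"full_name": "Jane Citizen", "passport_no": "PA1234567", "email": "jane@example.com",
     "dob": "1984-07-19", "postcode": "3000", "treatment": "physiotherapy"},
    {"full_name": "Jane Citizen", "passport_no": "PA1234567", "email": "jane@example.com",
     "dob": "1984-07-19", "postcode": "3000", "treatment": "follow-up"},
    {"full_name": "Sam Example", "passport_no": "PB7654321", "email": "sam@example.org",
     "dob": "1990-02-03", "postcode": "2000", "treatment": "dental"},
]

if __name__ == "__main__":
    table = PseudonymTable()          # stays with the controller / trusted party
    released = pseudonymise_all(SAMPLE_RECORDS, table)   # this is what leaves the organisation
    for row in released:
        print(row)
    print("re-identified:", table.reidentify("full_name", released[0]["full_name"]))
```

The two records for the same fictional patient receive the same pseudonym, so the released data remains linkable for analysis, but re-identification is only possible with the table, which stays behind; anyone holding only the released rows sees a random token, a birth year and a postcode area.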

Office of the Information Commissioner attend Estimates

March 1, 2025


Senate Estimates is an annual event. For governments it is a necessary evil. For oppositions it promises to reveal a cornucopia of information to embarrass the government and burnish their credentials. For the agencies, in particular the public servants who front the various Estimates committees, it is a burden to be carried as part of the job. This year the Information Commissioner’s attendance before the Legal and Constitutional Affairs Legislation Committee proved to be no different. The Commissioner’s opening statement was the usual anodyne, nothing-to-see-here statement, providing:

With the chair’s leave I take this opportunity to acknowledge the committee’s role and in doing so provide a brief opening statement outlining the important work of the Office of the Australian Information Commissioner (OAIC).

I appear today with the assistance of the FOI Commissioner Ms Toni Pirani and with the chair’s leave the Privacy Commissioner Ms Carly Kind appearing via link and Executive General Manager, Information Rights Ms Ashleigh McDonald.

Supported by our new organisational structure we are better positioned to operate as a contemporary and proactive regulator. Some of our recent initiatives and outcomes demonstrate our future direction. We have:

    • commenced preliminary inquiries into the privacy impacts of connected vehicles
    • commenced the development of a Children’s Online Privacy Code
    • developed a public facing dashboard to ensure that agency freedom of information (FOI) data is reported and presented more effectively
    • We will shortly deliver a report examining the use of messaging apps by Australian government agencies
    • We are building our strategic intelligence capabilities.

To deliver a proactive and contemporary regulatory approach to benefit the Australian community, agencies and industry alike, we will also focus on building staffing capabilities through an investment in new ways of working and professional development. Within our budgetary parameters, our technology and systems will also be a focus to support our new direction.

However, we are also mindful to deal with our core case management responsibilities and reduce our backlog in both FOI and privacy cases. Our resources are challenged by a 25% increase in FOI Information Commissioner review (IC review) applications compared to the same period last year. This is against a backdrop of an increase in FOI IC review applications over the last 5 years that is estimated to double the number of FOI IC review applications received in 2019–20. We also face an overall growth in privacy case work and increasing complexity in our case work arising from digital services and emerging technologies. This has a particular impact on our privacy case work.

Our enforcement capabilities have been assisted by an increase of funding in recognition of the complexities of enforcement. Similarly designated funding has been provided to the OAIC to develop the Children’s Online Privacy Code and guidance regarding the social media age limit.

Our appearance and preparatory papers are informed by data as at 15 January 2025.  However, to assist the committee, as at 23 February 2025 the OAIC 2024–25 case statistics are as follows:

    • 1,279 FOI review applications were received and 1,494 finalised.
    • 196 FOI complaints were received and 216 finalised.
    • 1,966 privacy complaints were received and 1,687 finalised.

During this period, we also finalised a number of complex privacy matters that have delivered a strong enforcement message and importantly established our expectations of the regulated community. In doing so, we are upholding the rights of privacy and information access enshrined in statute by the Australian Parliament and better serving the values and expectations of the Australian community.

I wish to acknowledge the significant work and expertise of the OAIC leadership in taking forward this major change program and recognise with gratitude OAIC staff for their dedication and commitment as we secure the fundamental human rights of privacy and information access in an increasingly complex environment.

The hearing before the Estimates Committee focused on the reduction in staffing in the office from just over 200 FTE to 138.4 FTE, a reduction of about 31%. Also of interest is the Privacy Commissioner’s admission that the findings in the Property Lovers determination are not being complied with. In short, the behaviour complained of is continuing. The Privacy Commissioner is investigating what to do next.

An understaffed office is bad news for effective regulation.  That has been a chronic problem for this office.  Fortunately there will be a statutory tort as of June 2025 so in many cases individuals will not need to rely on the Commissioner taking up an investigation from a member of the public.

The Transcript provides:

CHAIR: With 20 minutes to go in our hearing, we’re going to politely and apologetically, dismiss the Australian Human Rights Commission. We won’t get to them this evening. We thank them for their time and for travelling. We do have questions for them, but we won’t have time to put them. We thank them for their ongoing work, particularly in the current environment. I know they’re working very hard. So thank you very much.

Welcome, commissioners. Do you have an opening statement you’d like to table?

Ms Tydd : I do have a very brief opening statement and I’m happy to table that.

CHAIR: Thank you very much. That will be circulated to senators so they can read from that when they have it in front of them. In the meantime, I’ll pass the call to Senator Scarr.

  Senator SCARR: Commissioner, how many staff have left the OAIC since August last year?

Ms Tydd : I don’t think I could speak with authority from the date of August, but I can give you the very high-level numbers of staffing pre and post our organisational redesign.

  Senator SCARR: Can you give me the dates for the organisational redesign, so I can calibrate that with my August date.

Ms Tydd : Yes. That was finalised in mid-November, about 17 November. The organisational redesign responded to our significant budgetary situation, in which we would be operating at a deficit. Action was taken around that. At the time, in July, we had an FTE of just over 200. Our organisational redesign that allowed us to operate within our budgetary parameters—

  Senator SCARR: Sorry; it’s late. I’ve got to get these numbers right. In July your FTE was just over 200?

Ms Tydd : Correct. And our ASL cap came down to 173. We knew that within our budgetary parameters we’d need to operate at around 165. We didn’t purely look at staffing levels in relation to meeting our budgetary parameters; we looked at a range of measures. They included external supply costs. Legal costs were something that we focused on as well. So, yes, we were required to reduce staffing in response to our revised budgetary parameters, and that process was completed around mid-November.

  Senator SCARR: Okay. What were the FTE numbers as at mid-November, when you completed that process?

Ms Tydd : There probably was still some lag. I’d say it would be about 175. I’ll see if I have any dates that will help you further. I can tell you that as at 18 December, as we were still working through that process, our staffing level was 175.

  Senator SCARR: Do you have the data as at today or the most recent data as at the end of the month? Do you have any most recent data?

Ms Tydd : As at 29 January, it was 138.4.

  Senator SCARR: So you went from 175 as at 18 December—that was the figure you gave?—

Ms Tydd : Correct.

  Senator SCARR: to 138.4 as at 29 January?

Ms Tydd : That’s correct, with a headcount of 156.

  Senator SCARR: Okay, so you’ve got part-time—

  Senator SHOEBRIDGE: So as we don’t have to traverse across this, do you mind if I ask: you’ve been talking FTE all the time through, so these have all been the same dataset of FTE, full-time equivalents?

Ms Tydd : Yes.

  Senator SCARR: So you went from—we’ll try and use the common terminology—FTE as at 18 December of 175 to FTE as at 29 January, which is only a month later, of 156. Is that correct?

Ms Tydd : The figure I have is 138.4.

  Senator SCARR: 175 to 138.4?

Ms Tydd : Yes. They’re the figures I have before me.

Patient information from the Genea data breach posted on the dark web.

February 27, 2025


Exactly a week ago I posted on the Genea data breach and raised concerns about the way it was handling the matter. The public statement was dreadful and it was clear from the subsequent reporting that it was keeping a lot of information away from the public eye, information that is commonly provided by US companies when they suffer data breaches. That dreadful approach has given way to a much more expansive attitude, with a long statement on 24 February 2025 and notice of an injunction yesterday.

The Genea statement of 24 February provides:

We are endeavouring to communicate with all current and former Genea patients the latest updates of our investigation into the incident. A copy of our communication is included below.
 
Thank you for your patience as we investigate the cyber incident that has impacted our organisation (Genea Pty Limited). We understand that hearing about an incident like this can cause concern and we sincerely apologise for this. We want to reassure you that our teams of specialists, nurses, scientists and support staff are working tirelessly to minimise any impact to the treatment of our patients which is always our highest priority. Our technology teams have also been working around the clock with cyber security professionals to securely restore our systems while progressing our investigation.
 
We are committed to doing all we can to protect your privacy. In this letter, we’ll step you through what happened, what types of personal information relating to you may have been involved in the incident and identify clear steps you can take to help ensure your information is protected.

What has happened?

On 14 February 2025, we became aware of suspicious activity on our network. Following this, we promptly launched an investigation to determine the nature and scope of the activity. In the course of these investigations, Genea discovered that it had been impacted by a cyber security breach.  
 
Since the incident, we have undertaken extensive remediation efforts and actions in line with our incident response process to prevent reoccurrence. This has involved securing our networks in partnership with our cybersecurity partners and bringing our core systems online to ensure that we can continue to provide the very best care to our patients.
 
We advised in our prior communication that we were continuing to investigate the nature and extent of data that had been accessed and the extent to which it contained personal information. As a result of our ongoing investigation, we now believe the attacker may have accessed and taken personal information which we hold.
 
We have notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre of the incident. We are meeting with the National Office of Cyber Security, the Australian Cyber Security Centre and other government departments to discuss the incident with them.
 
Our investigation is ongoing, and we will continue to communicate any relevant updates to you.
 

What personal information has been impacted?

Our investigation has identified that Genea’s patient management systems, which contain information about you, were accessed by an unauthorised third party. We stress that at this point in time it is unknown what personal information within the folders on the patient management system has been compromised. However, the folders on the patient management system include the following types of your information:
