Implementing proper password protection is one of the foundation blocks of cyber security, and has been since the internet was established, yet it remains a real problem for many organisations. Bleeping Computer, in ‘123456’ password exposed chats for 64 million McDonald’s job chatbot applications, reports on a spectacular failure in which both the login and the password were 123456.
High-performance computing (HPC) systems provide fundamental computing infrastructure for large-scale artificial intelligence (AI) and machine learning (ML) model training, big data analysis, and complex simulations at exceptional speeds. Securing HPC systems is essential for safeguarding AI models, protecting sensitive data, and realizing the full benefits of HPC capabilities.
This NIST Special Publication introduces an HPC security overlay that is designed to address the unique characteristics and requirements of HPC systems. Built upon the moderate baseline defined in SP 800-53B, the overlay tailors 60 security controls with supplemental guidance and/or discussions to enhance their applicability in HPC contexts. This overlay aims to provide practical, performance-conscious security guidance that can be readily adopted. For many organizations, it offers a robust foundation for securing HPC environments while also allowing for further customization to meet specific operational or mission needs.
The Recommendation for Key Management: Part 2, Best Practices for Key Management Organizations provides:
NIST Special Publication (SP) 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements. Finally, Part 3 provides guidance when using the cryptographic features of current systems. Part 2 (this document) 1) identifies the concepts, functions and elements common to effective systems for the management of symmetric and asymmetric keys; 2) identifies the security planning requirements and documentation necessary for effective institutional key management; 3) describes Key Management Specification requirements; 4) describes cryptographic Key Management Policy documentation that is needed by organizations that use cryptography; and 5) describes Key Management Practice Statement requirements. Appendices provide examples of some key management infrastructures and supplemental documentation and planning materials.
The Recommendation for Key Management: Part 3, Application-Specific Key Management Guidance provides:
NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
The New South Wales Audit Office has published its report, titled Cyber Security insights 2025, on state agencies’ cyber health and preparedness against a cyber attack. It is a mixed report, which is a concern given that the state collects and holds a vast amount of information about the people of New South Wales and encourages, if not requires, people to do business with the state online. The Report is quite critical about aspects of preparedness.
A cybercrime expert has warned of a “worrying pattern” after government agencies were found to have implemented less than a third of basic cybersecurity protections in New South Wales.
State government agencies only met 31 per cent of mandatory requirements to protect public data, according to a report released by the Audit Office of NSW last week.
In total, 27 of these agencies reported 152 “significant, high, and extreme” cybersecurity threats in 2024.
According to the report, 28 of the threats had remedies “that were either largely or completely ineffective”.
Additionally, 60 risks lacked specified timelines to reduce them to an acceptable level.
Professor of cybercrime at the University of NSW Richard Buckland said the report’s findings showed entities were increasingly at risk.
He said that if effective, a cyber attack could “paralyse a section of society or the government”.
“This has been a pattern, a worrying pattern,” he said.
The report found a blind spot was the use of external contractors for some cybersecurity measures, for which the NSW government has no way of measuring if they were up-to-scratch.
Professor Buckland said he understood the desire to outsource but warned it came with its own risks.
“We saw the big Microsoft blackout last year; that was really a third party used by multiple people, CrowdStrike, going wrong, so it is a big risk,” he said.
“It’s harder to monitor, to control, so external people helping you is a double-edged sword, especially if you don’t have external capability to jump in when something goes wrong.”
It comes after Qantas reported a major cyber attack in which it said a “significant” portion of its six million customers’ data was stolen and that a “potential cyber criminal” had made contact with the airline.
Responding to the attack cost the state government more than $30 million, the audit office reported.
Professor Buckland said the report pointed out the “same problem” every year and government agencies were “just not adequately defended”.
“They [the audit office] must be tearing their hair out wondering what they can do to bring about change.”
The report also found local councils were lagging in their defence against nefarious online actors, with only 69 per cent training staff in cyber awareness.
It said one council suffered a ransomware attack that targeted local government records, employee financial data and systems responsible for monitoring water quality.
Councils in NSW are not mandated to implement Cyber Security NSW’s policies, but the agency recommends they adopt safeguards.
“In a way they’re [local councils] less capable, have less staff and less budget to deal with this, so I feel very sorry for them,” Professor Buckland said.
“We’ve seen worldwide a big rise in targeted attacks against municipalities — the equivalent of councils in America — against libraries, schools, smaller and less well-funded data-rich organisations.”
Reacting to the report, Premier Chris Minns on Monday said the government had to find $90 million to “plug gaps” in cybersecurity funding.
“It is a concern. I’m going to be honest, I would like to see us meet all the criteria immediately that the auditor-general identified,” he said.
“That’s not possible though; most of the funding for cybersecurity in NSW had been cut or put on a funding cliff by the previous government.”
He warned it will cost a lot more to make all government agencies safe.
“Some of these organised crime gangs, usually located offshore, are pretty sophisticated, and we obviously have to be on our guard,” the premier said.
In Australia the common law has not developed privacy protections, and equity has done so only tentatively. The preference of legislatures was to criminalise such intrusive behaviour but shy away from providing civil remedies. That was an inadequate response. That significant gap in the law has been filled by the enactment of a statutory tort of serious invasion of privacy on 10 December 2024, taking effect on 10 June 2025. Behaviour as described in the ABC articles would provide a strong basis for issuing proceedings alleging a serious invasion of privacy.
The earlier ABC article provides:
When Sarah* moved into her first Sydney share house, the Canadian expat thought it was a “completely safe, normal environment”.
Months after moving out, she would find out it was the backdrop of a horrific violation of privacy and trust, perpetrated by her former male housemate.
The coverage demonstrates how important it is for companies to move quickly and transparently to respond to a data breach. It also highlights the poor understanding of privacy law behind some of the claims made. The Qantas data breach saga is a lesson in how not to respond to a data breach.
The SMH’s Qantas hack victims could get compensation, say experts highlights the sketchy understanding of how civil penalty proceedings operate and what options are available for seeking compensation. The story accurately sets out the maximum penalty the Federal Court could impose if a civil penalty action were brought under section 13H of the Privacy Act 1988. But that does not equate to compensation for consumers. It is a penalty. Whether the Privacy Commissioner would distribute whatever penalty is imposed is unknowable. Given that, Dr Srivastava’s quoted statement as to how the Privacy Commissioner operates is confusing. A more likely route to compensation would be a class action alleging various common law causes of action and potentially statutory claims. It is possible, but difficult, to consider using the new statutory tort of serious invasion of privacy: it would be necessary to show that Qantas’ conduct was reckless. The article provides:
Qantas customers affected by the data hack could ultimately be entitled to compensation if the airline were found to have breached passenger privacy, experts say.
A week after Qantas disclosed the loss of data of up to six million customers, consumer law experts say the airline could ultimately face penalties, if a series of conditions are met.
Qantas detected unusual activity on a “third-party platform” used by the airline’s contact centre in Manila early last week, prompting an investigation, which determined customer names, email addresses, phone numbers and birthdates, as well as frequent flyer numbers had been accessed, through a third-party vendor to Qantas.
On Monday, Qantas said “a potential cybercriminal has made contact” with the airline, saying it was “working to validate” the communication. Cybersecurity officials fear the data could ultimately be used as ransom.
The uncertainty over the status of customer data highlights the volume of data held by Qantas.
Maurice Blackburn class action lawyer Lizzie O’Shea, who specialises in privacy issues, said: “Qantas is a holder of a very significant amount of consumer information, involving huge amounts of data that are used for all sorts of purposes, including profiling consumer behaviour.”
Australian privacy law requires an entity to take reasonable steps to protect customers’ information from misuse and unauthorised access.
The use of the data “may not meet the standards of what most people expect for the way the data is collected and how it’s used,” O’Shea says.
There is no “social license for companies to collect huge amounts of data”, especially as polls show the public continues to show a preference for stronger data protections, she says.
“For that reason, these kinds of data breaches are hugely illuminating for the public. They act as a lightning rod for consumer frustrations, which are usually accompanied by a call for governments to enact stronger privacy laws.”
It’s understood that following the high-profile and damaging hacks of Medibank Private and Optus in 2022, Qantas purged old customer data.
Monash Business School Department of business law academic Dr Aashish Srivastava said: “Under the Privacy Act, if there is a data breach and the customer complains to the Office of the Australian Information Commissioner, and after an investigation the OAIC finds there were privacy breaches by Qantas, as part of that, the OAIC can give the consumer some kind of remedy for any loss or damage suffered as a result of the privacy breach.”
Under the Privacy Act, the watchdog can impose a range of civil penalties, from a maximum of $2.5 million for an individual and up to $50 million for a company. Optus and Medibank were the target of class actions following their damaging losses of customer data during separate hacks. The privacy watchdog also took civil action against Medibank.
The watchdog conducted a routine review of Qantas’ frequent flyer data management in 2017, finding that while all “personal information is stored in Australia, Qantas frequent flyer use several offshore customer service centres”.
At the time, Qantas conducted “overseas contract staff background checks” and put provisions in employee contracts “related to the handling of personal information”, the OAIC said.
The watchdog in 2019 recommended in the assessment that the Qantas frequent flyer program “develops and implements a privacy management plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations”.
The Notifiable Data Breaches scheme requires companies to notify the Office of the Australian Information Commissioner and customers “at risk of serious harm from … a data breach”.
Cybersecurity expert Lani Refiti, from national security firm Azcende, said that if a ransom were sought at this point, Qantas’ corporate and government-led cyber response team would have to be in discussions with the attackers.
Qantas is investigating after it was contacted by a suspected cyber criminal days after a major hack.
Qantas has finally posted details of the compromised personal information by way of an update today, nine days after first detecting the intrusion. The stolen data related to 5.7 million customers. Of that number:
4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
1.2 million customer records contained name and email address.
2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
Address – 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
Date of birth – 1.1 million
Phone number (mobile, landline and/or business) – 900,000
Gender – 400,000. This is separate to other gender identifiers like name and salutation.
Meal preferences – 10,000
So the majority of the stolen records were limited to names, email addresses and Frequent Flyer details. That is plenty to undertake some phishing and a good start for identity theft. The 1.7 million customers whose residential addresses, dates of birth and phone numbers were taken are in a more vulnerable situation. Those data points are very useful for a range of illegal activities, especially identity theft.
Qantas has finally provided some advice and pointed to IDCARE as providing assistance. It is fairly rudimentary but better than the non-responsiveness of earlier days.
The protection of children’s privacy online is a key area of regulation and development worldwide. The US State of Nebraska enacted an age-appropriate design code law on 30 May 2025. The Code mandates that online service providers prioritise children’s privacy and safety through proactive design principles. Effective 1 January 2026, the Code imposes stringent requirements on covered entities, including data minimisation, default privacy settings, and restrictions on targeted advertising to minors. Enforcement by the Nebraska Attorney General begins on 1 July 2026, with penalties of up to $50,000 per violation.
The Code requires collection and use of only the minimal personal data necessary to deliver the specific services a minor knowingly engages with. Data use beyond this purpose is prohibited unless explicitly consented to by the minor or their parent.
There is an obligation for online services to have default settings which offer the highest level of privacy protection for minors including:
limiting communication between minors and other users;
preventing unauthorised access to minors’ personal data;
restricting precise geolocation tracking;
allowing the minor to control all design features unnecessary to operate the services requested by the minor;
permitting the minor to control personalised recommendation systems by allowing opt-in to chronological feeds or prevent certain types of content from being recommended; and
controlling the use of in-game purchases by allowing opt-outs or the option to limit such purchases.
These settings apply to ‘covered design features’.
The media (the Australian amongst others) report that a person claiming to be the hacker has approached Qantas, and that Qantas and the Australian Federal Police are determining whether the approach is in fact from the hacker. As usual, Qantas has stated that there has been an approach but said nothing else. That is consistent with the approach taken by many Australian companies affected by data breaches, but not with best practice in the United States, where there is more candour which, usually, results in more sympathy. It is a different story when it comes to paying to remove ransomware; in that regard non-disclosure is universal. Given that the Australian Federal Police are trying to determine whether the approach is from the hacker or just an opportunist, there won’t be any payment of a ransom.
There is some confusion about what to do regarding ransoms. It is not illegal to pay a ransom. It may be illegal not to report such a payment. Whether a payment is reportable depends on the circumstances and on applying them to the legislation, which can be quite a technical exercise.
Under Part 3 of the Cyber Security Act 2024, which took effect on 30 May 2025, entities covered by the legislation must report ransom payments made in certain circumstances. The legislation sets out the process in detail. It is important to appreciate that some assessment is required to determine whether an entity is obliged to make a report or not.
Itnews reports in Home Affairs officer accessed data on “friends and associates” that a former immigration officer accessed restricted data relating to 17 friends and associates 1,164 times over six years. The accesses were discovered by the National Anti-Corruption Commission while investigating unrelated corrupt practices by the officer. This is a serious failure of data management under the Privacy Act 1988. If there was no lawful reason to access the personal information of these individuals, the officer had no authority to access it. The Department’s failure lies in not having systems to detect such breaches of the Privacy Act. Software to detect unusual or unauthorised access exists. Banks have systems, monitored by their IT departments, which raise flags when an employee seeks to access, or does access, an account that has nothing to do with his or her role; in the bank setting that results in instant dismissal. The absence of any such system in the Department is a major failing in its data protection architecture.
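The kind of check described above, as an added example that is not code from the original post or from any department or bank: a script that reads access-audit log lines, compares each record access against the cases the officer is actually assigned to, and alerts on an officer who keeps returning to the same individuals with no assigned case. The log lines, the case-assignment table and the field layout are constructed for illustration; in a real system the “lawful reason” lookup would be a query against the case-management or ticketing system rather than a dictionary.

```python
"""Detecting repeated, unjustified record access in an audit log.

Added example (not from the original post or any agency's tooling).
The log lines, the case-assignment table and the field layout below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: subject records each officer has a lawful reason to view,
# e.g. the subject is a party to a case assigned to that officer.
CASE_ASSIGNMENTS = {
    "officer_17": {"subj_1001", "subj_1002"},
    "officer_42": {"subj_2001"},
}

# Constructed audit log: timestamp, officer id, subject record id, action.
AUDIT_LOG = """\
2023-01-05T09:12:00 officer_17 subj_1001 case_lookup
2023-01-05T09:14:00 officer_17 subj_1002 case_lookup
2023-01-05T17:55:00 officer_17 subj_9001 search
2023-02-11T18:03:00 officer_17 subj_9001 search
2023-03-20T12:41:00 officer_17 subj_9002 search
2023-07-02T19:20:00 officer_17 subj_9001 search
2024-02-14T08:30:00 officer_17 subj_9002 search
2023-01-06T10:00:00 officer_42 subj_2001 case_lookup
2023-01-07T10:05:00 officer_42 subj_3001 search
"""


def parse_log(text):
    """Yield (timestamp, officer, subject, action); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]


def unjustified_accesses(log_text, assignments):
    """Return accesses to subjects the officer has no assigned case for."""
    return [
        (ts, officer, subject, action)
        for ts, officer, subject, action in parse_log(log_text)
        if subject not in assignments.get(officer, set())
    ]


def flag_officers(log_text, assignments, min_repeats=2, min_span_days=30):
    """Alert on officers who repeatedly return to the same unjustified
    subjects over a sustained period.

    A single stray lookup is worth recording but not alerting on; repeated
    returns to the same private individuals over months is the insider
    pattern the audit is looking for.
    """
    events = unjustified_accesses(log_text, assignments)
    per_subject = defaultdict(lambda: defaultdict(int))  # officer -> subject -> hits
    first_seen, last_seen, totals = {}, {}, defaultdict(int)
    for ts, officer, subject, _ in events:
        per_subject[officer][subject] += 1
        totals[officer] += 1
        first_seen[officer] = min(ts, first_seen.get(officer, ts))
        last_seen[officer] = max(ts, last_seen.get(officer, ts))

    alerts = {}
    for officer, hits in per_subject.items():
        revisited = sorted(s for s, n in hits.items() if n >= min_repeats)
        span_days = (last_seen[officer] - first_seen[officer]).days
        if revisited and span_days >= min_span_days:
            alerts[officer] = {
                "unjustified_accesses": totals[officer],
                "distinct_subjects": len(hits),
                "revisited_subjects": revisited,
                "span_days": span_days,
            }
    return alerts


if __name__ == "__main__":
    for officer, detail in flag_officers(AUDIT_LOG, CASE_ASSIGNMENTS).items():
        print(officer, detail)
```

On the constructed log, officer_42 has one stray search and is not alerted on, while officer_17 has five accesses outside any assigned case, two subjects revisited, and a span of more than a year, which is the shape of the conduct the Itnews story describes. The thresholds are arbitrary assumptions; the point is that the raw material for such a check is the ordinary access log joined to the record of who is entitled to what, which any department holding personal information already has.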
How a company, organisation or agency initially responds to a data breach often sets the tone for how the problem is perceived to be managed afterwards. The quality of the response is directly linked to preparedness for such a contingency. Recent mega breaches in Australia, such as the Medibank, HWL Ebsworth and Optus data breaches, were notable for their poor initial responses. That inevitably led to prolonged poor press, unnecessarily drawn-out investigations to determine the cause of the breach and fix the problem, and often litigation. Qantas’ response has been poor to date. Qantas is not an outlier. Many companies and organisations give little thought to how they collect and store personal information, and no thought to what might happen in the event of a data breach. One of the causes of those inadequate responses is the overall complacency in the market, and a large part of that has been inadequate laws, poor enforcement and a lack of consequences for data breaches. The Australian has a good piece dealing with this concerning state of affairs in ‘Disappointing, frustrating’: How Qantas data breach exposes deep flaws in Australia’s cyber defences. The story’s reference to the work the Australian Signals Directorate does and to Government spending is a distraction from the main issue: the need for companies to have proper data handling practices and security, cyber and otherwise.