September 18, 2025
First it was Bunnings and now Kmart has breached the Privacy Act 1988 in its use of facial recognition technology. Today the Privacy Commissioner published the results of a Commissioner-instigated investigation that found Kmart Australia breached the Australian Privacy Principles in the collection of personal and sensitive information through facial recognition technology in the period June 2022 to July 2022. The story is covered by Information Age’s article Kmart facial recognition broke privacy laws, regulator finds. It is also covered by the ABC, the Australian Financial Review, Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
August 19, 2025
Another day, another data breach in Australia. This time iiNet has announced that it has suffered a data breach. The mode of entry was the use of employee credentials to get into iiNet’s order management system. The breach is reported by the Australian in iiNet latest Aussie company to be hit by hackers. iiNet released a media release earlier today titled Cyber incident involving iiNet customers. As is the way, the story has been covered across the media by News.com.au, Information Age, Australian Cyber Security Magazine, AFR and Cyber Daily, amongst others.
This data breach will be hugely embarrassing for iiNet. Its whole image is based around being more accessible (not in that way) and different from other telco providers. And better in a geekier, more friendly but more efficient sort of way. Now it finds itself suffering the sort of data breach other big organisations suffer.
iiNet’s media statement is quite good. For Australia. It provides some detail of what happened and how, though much is not revealed. That will be revealed if the Privacy Commissioner takes action or there is a class action. But being as transparent as possible is preferable to saying virtually nothing, as Genea has done with its much more serious data breach. iiNet provided detail of the nature of the personal information stolen: emails (280,000), phone numbers (20,000) and user names, street addresses (10,000) and modem set-up passwords (1,700). Distressing and damaging as that may be, it did not involve financial information, dates of birth or any other personal information. iiNet has been more specific than most in how it responded. It can’t help itself in advising how it is liaising with the ACSC, the NOCS and the OAIC. On a more relevant note it has set up a dedicated hotline. That is an excellent initiative. By contrast Genea has been very difficult to contact and its responses have been wholly unhelpful, enraging patients. iiNet provided some preliminary advice on what to do and answered frequently asked questions. Interestingly iiNet responds to the question as to why it was holding information on people who are no longer customers of iiNet. The answer is somewhat mealy-mouthed, including being due “to legal, regulatory, or operational requirements.” Mmmm.
The statement provides:
iiNet has been impacted by a cyber incident involving unauthorised access to its order management system by an unknown third party.
The iiNet ordering system is used to create and track orders for iiNet services, such as NBN connections. The system contains limited personal information. Importantly, it does not contain copies or details of customer identity document details (such as passport or driver’s licences), credit card or banking information.
What we are doing
Upon confirmation of this incident on Saturday, 16 August 2025, we enacted our incident response plan, began work to ensure the security of the system and to determine what occurred. We have engaged external IT and cyber security experts to assist with our investigation. Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
August 10, 2025
It doesn’t rain for Optus. It pours. Optus announced on 22 September 2022 that it had suffered a major data breach. On 21 April 2023 Slater and Gordon filed a class action in the Federal Court of Australia, PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS. It is scheduled to have a case management hearing on 15 August 2025. In June 2025 Optus paid a $100 million penalty for unconscionable conduct.
The Australian Information Commissioner has announced that it has filed civil penalty proceedings against Singtel Optus Limited and Optus Systems Pty Ltd arising out of the 2022 data breach. The reference is AUSTRALIAN INFORMATION COMMISSIONER v SINGTEL OPTUS PTY LIMITED (ACN 052 833 208) & ANOR, with Court number VID 1019/2025. The Information Commissioner is represented by the Australian Government Solicitor. Previously it was represented by HWL Ebsworth. A concise statement and Originating Application were filed last Friday, 8 August 2025. The First Case Management Hearing will be heard before Justice Beach this Friday, 15 August 2025. That day will be a very busy day for Optus.
A key issue is the reasonableness of its cybersecurity having regard to its size and the nature of the data it possessed.
The statement from the Information Commissioner provides:
The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022.
The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
July 29, 2025
Today the OAIC released its regulatory action priorities for 2025–26. In the privacy sphere the Commissioner states that it is:
Rebalancing power and information asymmetries
The OAIC will focus on sectors and technologies that compromise rights and create power and information imbalances including:
- the rental and property, credit reporting and data brokerage sectors
- advertising technology (Ad tech) such as pixel tracking
- practices that erode information access and privacy rights in the application of artificial intelligence
- excessive collection and retention of personal information
- systemic failures to enable timely access to government information
Rights preservation in new and emerging technologies
The OAIC will protect and uphold privacy and information access rights when dealing with new and emerging technologies with high impact, including:
- facial recognition technology and forms of biometric scanning
- new surveillance technologies such as location data tracking in apps, cars and other devices
- the preservation of both privacy and information access rights in government use of artificial intelligence and automated decision making.
It is interesting to note that the Commissioner has previously flagged a focus on data collection by cars. The Commissioner has already taken action in relation to facial recognition technology.
The media release Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
July 18, 2025
The Australian reports in Maurice Blackburn launches compensation case against Qantas over cyber attack that a claim against Qantas is in the offing. It is a representative complaint under the Privacy Act 1988. It is also reported in Compensation sought for millions of Qantas customers hit in major cyber data breach. Representative complaints may be commenced under Division 1 of Part V of the Privacy Act. Under section 36 an individual may complain to the Commissioner about an act or practice that is an interference with the privacy of that individual. Under section 38 a representative complaint can be made on behalf of a class if all the members have complaints against the same entity and they arise out of, in this case, the same circumstances.
There should be no surprise in Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
July 17, 2025
In November last year Bunnings was found to have breached the Privacy Act 1988 in its use of facial recognition technology without consent and to have failed to take reasonable steps to notify individuals that their personal information was being collected. There were no meek apologies from Bunnings. It came out saying it had every right to use facial recognition and that it was the most effective way to combat rising crime. It has appealed. Now the Managing Director of Bunnings has come out in an AFR article complaining about the privacy law and wanting new laws to allow facial recognition in stores. That is very curious. To call for a change to the law while appealing a decision involving the extant law is not illegal. But it is quite arrogant. Changing the law to allow for such a carve-out would significantly damage the operation of the Privacy Act.
Meanwhile, in CBA using facial recognition logins to verify disputed payment, the CBA is showing itself to be an enthusiastic user of facial recognition.
The AFR article Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
July 4, 2025
There are three distinct issues that confront a company dealing with a data breach. The first is the legal issue: who to notify and when, and what steps need to be taken to mitigate any loss. The second is the practical and technical issues: finding out how the breach occurred, the extent of the damage and what repairs need to be undertaken. The final is the public engagement: notifying the public and the media, and advising what went wrong and what is being done to fix the problem. Australian companies are a long way behind their contemporaries in the United States and Europe in their sophistication. Given the more effective regulation overseas, companies there are quicker to notify regulators. In the United States there is a culture of more transparent and effective communication with the public. Not always, but commonly. Australian companies tend to be dreadful at advising the public. Many put together bland boilerplate statements which mean nothing, which is their intent. That can lead to escalating problems and great mistrust. And rather than containing the fallout it increases it, as more information leaks about the data breach, much of it inconsistent with the blandly reassuring statements in the media releases.
It is good practice to have a data breach response plan which deals with each issue. In Australia even the companies that have such a plan rarely conduct practice runs and simulations. Many of their lawyers take a very rigid approach to the problem. As a result many responses are stilted, inflexible, incredibly defensive and often counterproductive.
The ABC piece Qantas executives slow to be seen after data breach affecting up to 6 million customers summarises the problem with tardy and inadequate responses. And so far Qantas’s handling has been at best mediocre. About on a par with most large Australian companies hit by a cyber attack. The Australian also covers the response in How Qantas is managing the fallout of a cyber attack targeting the personal details of 6 million people. The article quotes a class action lawyer from Maurice Blackburn on the inadequacy of the privacy laws. She claims that the data breaches in other parts of the world are “...not happening to the scale that it happens in Australia and in part that’s because they have different laws in place that focus on things like data minimisation and higher standards of cyber security.” That is partly correct but mostly not. Australian privacy legislation lags the UK and Europe and even parts of the United States of America, such as California’s Consumer Privacy Act. It is not fit for purpose in a digital age where the collection of data is easy to do and can be done at a rapid pace and in enormous volume. But the real problem in Australia has been very lax regulation and enforcement. That has led to a culture of complacency. For Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
June 16, 2025
Today kicks off Privacy Awareness Week for 2025. The Privacy Commissioner has published rights under the Privacy Act 1988, which includes material on the Australian Privacy Principles and privacy guidance. The Victorian Information Commissioner has published a page on Privacy Awareness Week.
Posted in Commonwealth Privacy Commissioner, Privacy
May 19, 2025
The Information Commissioner releases a report of data breaches semi-annually. Those statistics are data breaches reported to the Commissioner under the Notifiable Data Breaches Scheme, or because the organisation or agency chooses to report out of an abundance of caution, or because the data breach has been reported in the media. There is not an automatic requirement to notify the Commissioner of a data breach. And there are entities that are exempt from coverage of the Privacy Act 1988, notably small businesses. And there are organisations that do their best to keep data breaches quiet. According to the report for the period July to December 2024 the Commissioner was notified of 595 data breaches. That makes for a total of 1,113 notifications in the year. That is over 200 more notifications than 2023, which had 893 notifications.
What needs to be understood is that these figures are only reflective of a trend in data breaches. The number of actual data breaches suffered by Australian entities is far larger than those reported to the regulator.
Some interesting statistics regarding Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
March 29, 2025
The Australian reports that Victorian Ambulance has suffered a data breach involving the personal and financial details of 3,000 employees. This data breach may have been caused by what has been described as a rogue employee. This is not a first for Ambulance Victoria. In 2023 it suffered a privacy breach, that time internal sharing of personal information. In the 2023 privacy breach the “..documents have been accessed only a handful of times in the past six months.” An exercise in minimisation. On this occasion the breach, by the employee on his or her last day of service, was detected by systems. In 2019 I posted on a data breach involving NSW Ambulance officers which resulted in a class action and a settlement of $275,000.
Data breaches involving staff going rogue are a chronic problem and can be a difficult problem if there are not proper policies and systems in place. Some staff or soon-to-be ex-staff are motivated by malice, others by greed and some by curiosity. It is important to have programs in place that detect suspicious activity, like mass copying or exfiltration. It is also important to have a data breach response plan, involving roles for members of the organisation. There also needs to be a plan to take court action if necessary. It is common to seek injunctive relief against ex-staff or consultants who make off with data. That is not an alternative to contacting police but complements such action.
One question the regulators will no doubt ask is Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy, Victorian law