Peter A Clarke

Yesterday the Australian Information Commissioner published its Concise statement in its civil penalty proceeding against Medibank Private. It has been reported in the ABC under the heading “The absence of multi-factor authentication led to the Medibank hack, regulator alleges.” The story has also been covered by the Guardian with Medibank’s lack of multi-factor authentication allowed hackers to infiltrate systems, regulator alleges.

The Commissioner has listed Important Facts as being:

• For the financial years ending 30 June 2021, 2022, and 2023, Medibank generated revenue of approximately $6.9 billion, $7.1 billion, and $7.1 billion and annual profit before tax of $632.3 million, $560 million, and $727.1 million,respectively.
• As at 30 June 2022, Medibank employed approximately 3,291 full time employees
• the personal information collected and held by Medibank included:
  • names,
  • dates of birth,
  • home addresses,
  • phone numbers,
  • email addresses,
  • employment details,
    passport numbers,
  • Medicare numbers,
  • financial information
  • sensitive information such as:
  • sensitive information about customers’
    • race and ethnicity
    • illnesses,
    • disabilities or injuries,
    • health services
• Prior to 7 August 2022 an IT Service Desk Operator who was an employee of a Medibank contractor had access to Medibank Admin Account using his Medibank Credentials.
• the contractor saved his Medibank username and password (Medibank Credentials) to his personal internet browser profile on his work computer. When he subsequently signed into his internet browser profile on his personal computer, the Medibank Credentials were synced across to his personal computer
• the the Admin Account had access to most (if not all) of Medibank’s systems, including:
  • network drives,
  • management consoles, and
  • remote desktop access to jump box servers (used to access certain Medibank directories and databases)
• on or about 7 August 2022 the Medibank Credentials were stolen from the IT Service Desk Operator’s personal computer by a threat actor, commonly and better known as a hacker  using a variant of malware which is known to the parties but not publicly disclosed
• on 12 August 2022, log onto Medibank’s Microsoft Exchange server and test the Medibank Credentials for the Admin Account
• on or around 23 August 2022 the hacker authenticated and log onto Medibank’s “Global Protect”
  Virtual Private Network (VPN) solution (which controlled remote access to the Medibank corporate network) & began typing malicious script
• the hacker actor was able to authenticate and log onto Medibank’s Global Protect VPN using only the Medibank Credentials because, during the Relevant Period, access to Medibank’s Global Protect VPN did not require two or more proofs of identity or multi-factor authentication (MFA). Medibank’s Global Protect VPN was configured so that only a device certificate, or a username and password (such as the Medibank Credentials), was required
• on 25 and 25 August 2022 Medibank’s Endpoint Detection and Response (EDR) Security Software sent alerts the hacker’s activities  to a Medibank IT Security Operations email address. These alerts were not appropriately triaged or escalated by either Medibank or its service provider, Orro, at that time.
• from 25 August 2022 until around 13 October 2022 the hacker used Medibank Credentials to access numerous Medibank IT systems and exfiltrated 520 gigabytes of data including names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health related information and claims data (such as patient names, provider names, primary/secondary diagnosis and procedure codes, treatment dates).
• On 11 October 2022, Medibank:
  • triaged a high severity incident for a alert that identified modification of files needed to exploit the “ProxyNotShell” vulnerability.
  •  engaged Threat Intelligence, its existing digital forensics and incident response partner, to perform an incident response investigation.
• Until at least 16 October 2022, when a Threat Intelligence analyst noted that there had been a series of suspicious volumes of data exfiltrated out of Medibank’s network, Medibank was not aware that customer data had been accessed
• on 19 and 22 October 2022 respectively, Medibank was contacted by the hacker and provided with files containing sample data that had been exfiltrated from Medibank’s systems
• Between 9 November 2022 and 1 December 2022, the hacker published data exfiltrated during the data breach on the dark web.

Read the rest of this entry »

The Attorney General has announced the appointment of Elizabeth Tydd as Information Commissioner. It is an internal appointment, uplifting Tydd from Freedom of Information Commissioner to the top job. It is too early to say whether that is an inspired choice or not.  It is probably a safe choice.  But there is a very good argument to be made for the regulator to have an outsider to take the helm and adopt a more assertive stance, such as Sims did at the ACCC.  Australian Information Commissioners have been worthy, decent and quite conservative.  Compared to regulators in the UK, Europe and the US the Information Commissioner’s work rate is low.

The Government’s announcement Read the rest of this entry »

The Information Commissioner has released its semi annual data breach report, this time for the period July to December 2023. There was a steady increase in the reported breaches, 57 in July, 68 in August, 79 in September, 86 in October, 96 in November and 97 in December.  

Interesting issues arising from the report:

• the health sector still remains the most affected by data breaches;
• 65% of data breaches affect organisations of 100 people or fewer;
• 67% of the data breaches were caused by malicious or criminal attacks.  There were 322 incidents, up 12%. 
• while human error was responsible for 30% of data breaches, that was an increase of 36% over the previous period
• 423 incidents involved Contact Information
• 306 incidents involved identity information
• 197 incidents involved health information
• ‘193 involved financial details
• 64% of the data breaches were identifed in 10 or fewer days
• 23% of data breaches were identified in 30 days or more
• 56 of the 211 notificatons involved ransomware while 59 involved phishing

Relevant extracts are:

Cyber incidents continued to be the leading cause of data breaches that impacted a large number of Australians. Of the 26 breaches that affected over 5,000 Australians, 22 were caused by cyber incidents. The top causes were compromised or stolen credentials (9 notifications), ransomware (8 notifications) and hacking (4 notifications).

Entities need to continually review whether appropriate controls and processes are in place to defend against and mitigate data breaches caused by cyber incidents. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has developed prioritised mitigation strategies – the Strategies to Mitigate Cyber Security Incidents– to help entities protect themselves against various cyber threats. The most effective of these mitigation strategies is the Essential Eight. Read the rest of this entry »

The Information Commissioner has opened an Commissioner initiated investigation into the data breach of the HWL Ebsworth site which involved the loss of 1.1 terabytes of data. It has been some time in coming. HWL Ebsworth notified the Commissioner on 8 May 2023 and the Commissioner opened up a preliminary enquiry in June 2023. A flaw in the legislation and  the Commissioner’s approach to its regulation is the lengthy and drawn out processes.  It has been 8 months, or thereabouts, from the date the preliminary investigation opened and the date this investigation opens.  It will be months, probably many, before the Commissioner completes this investigation.  If civil proceedings are commenced that won’t happen for months.  And then a couple of years in the Federal Court.  The Commissioner’s regulatory action policy needs a significant overhaul.

The other problem with the Commissioner’s approach to regulation is that typically results of those investigations do not see the light of day.  Or the results are quietly announced with little coverage in the media.  This is significantly different to the regulators more expansive approach in the United States, the United Kingdom and the European Union.

HWL Ebsworth adopted a “batten down the hatches” approach to the data breach.  After an initial anodyne statement it kept its counsel.  It applied for and obtained an injunction against those using information leaked onto the dark web.  The utility of that application is problematical but it does restrain those who are not criminals who may be tempted to access or otherwise view that material.  Notwithstanding sporadic stories of which of HWL Ebsworth’s clients were affected the strategy seemed to overall effective.  HWL Ebsworth avoided the intense media scrutiny and censure that Medibank and Optus experienced even if the data stolen was at least as sensitive and sometimes even more sensitive than each of those other organisations. 

Given the large volume of data stolen, accross the breadth of the firm’s operations there will be serious questions as to the data storage policies, training, data handling processes, why so much data was retained for so long and how the hackers were able to range so widely across practice areas.

The Commissioner’s Statement provides:

The Australian Information Commissioner has commenced an investigation into the personal information handling practices of HWL Ebsworth Lawyers (HWLE), arising from a data breach notified to the Office of the Australian Information Commissioner (OAIC) on 8 May 2023. The decision follows the OAIC’s preliminary inquiries into the matter, commenced in June 2023.

The OAIC’s investigation is into HWLE’s acts or practices in relation to the security and protection of the personal information it held, and the notification of the data breach to affected individuals.

The Commissioner has a range of options available to her if following her investigation she is satisfied that an interference with the privacy of one or more individuals has occurred.

This includes making a determination, which can include declarations that HWLE take specified steps to ensure that the relevant act or practice is not repeated or continued, and to redress any loss or damage suffered by reason of the act or practice. If the investigation finds serious or repeated interferences with privacy of individuals, then the Commissioner has the power to seek civil penalties against HWLE from the Federal Court of Australia.

In line with the OAIC’s Privacy regulatory action policy, the OAIC will await the conclusion of the investigation before commenting further.

About Commissioner-initiated investigations

The Commissioner is authorised to investigate an act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1 under section 40(2) of the Australian Privacy Act 1988.

Under the Notifiable Data Breaches scheme in the Privacy Act, in certain circumstances organisations are required to take such steps as are reasonable to notify affected individuals of an eligible data breach and do so as soon as practicable.

The story has been covered by itnews with Read the rest of this entry »

The Government today announced the appointment of Carly Kind as a stand alone Privacy Commissioner, effective on 26 February 2024. This is an appointment that was foreshadowed in May 2023. The Privacy Commissioner was never abolished, and is a statutory position. The Information Commissioner was created in 2010. The new Federal Government announced that it would abolish the Information Commissioner in the 2014 budget and for a time cut its funding drastically. The Information Commissioner also held the position of the Privacy Commissioner. The attempts to abolish the Privacy Commissioner ended in May 2016 and the Government increased its funding, Its funding situation has steadily improved since then. With data breaches being a high profile issue the Commissioner has received very significant funding increases. In this year’s May budget it received an extra $17.8 million for the 2023 – 24 financial year and $44.3 million to support privacy activities and another $9.2 million over two years to regulate privacy elements of Consumer Data Right, My Health Record and Digital Identity.

The timid enforcement and spotty regulation of the Privacy Act 1988 has been attributed to the inadequate  funding in the past, especially in the 2014 – 2016 period, and beyond.  That is partly true but far from the whole story.  The Privacy Commissioner then Information Commissioner was a less than optimal regulator in the period pre 2014 and after 2016.  Since it obtained civil penalty proceeding powers in 2014 it has only commenced two actions, one of which was earlier this month.  That is regrettable. 

The Attorney General’s announcement of the appointment is:

Carly Kind has been appointed as Privacy Commissioner, reinstating the standalone position abolished by the Coalition. Ms Kind brings to the Privacy Commissioner role expertise in data protection; AI policy, practice and governance; privacy; and technology law and policy.

Ms Kind has held the role of inaugural Director of the London-based Ada Lovelace Institute since 2019. Between 2015 and 2019 she was an independent consultant to a number of human rights organisations, trusts and foundations, international organisations and the private sector. She has provided advice on legal, ethical and practical issues at the intersection of technology and human rights.

Ms Kind will commence on 26 February 2024. Ms Angelene Falk, the Australian Information Commissioner, will continue as Privacy Commissioner until that time.

When the Government amends the Privacy Act, probably some time next year, the Privacy Commissioner is likely to have stronger powers. In addition to the enhanced powers given to her this year.  The test will be whether they are used and how effective such regulation is.

After coming off some serious questioning in Senate Estimates about poor enforcement practices the Commissioner announced on 3 November 2023 that the Office of the Information Commissioner has launched proceedings against Australian Clinical Labs on 2 November 2023 (file number NSD1287/2023). The Commissioner has filed a Concise Statement and Originating Application and Australian Clinical Labs Limited has filed a Notice of Address for service. The Commissioner is represented by DLA Piper, out of its Brisbane Office.  Previously the Commissioner has been represented by HWL Ebsworth.  Gilbert & Tobin, out of its Sydney Office, is representing Australian Clinical Labs.  GIlbert & Tobin represented RI Advice in the Federal Court case of  Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. That case has been heralded as a positive development in enforcing data security as an obligation of Financial Service Licensees under the Corporations Act 2001, being 912A.  While R I Advice was the subject of compliance orders and penalties it is fair to say that Gilbert & Tobin did a good job in keeping the stringency of the orders and penalty to a moderate level.  Compared to overseas penalties by the European regulators, the UK Information Commissioner’s Office and Read the rest of this entry »

Last Friday ( known trash day for those wanting to put out news that won’t get a run in the mainstream press) the Information Commissioner announced that she would not be seeking a third term. Her term ends in August 2024.  What is not clear from the statement was whether the Commissioner received an indication from the Government that  a third term was a reasonable prospect if she wanted it. 

Her statements is:

The Australian Information Commissioner Angelene Falk has advised the Attorney-General that after having the privilege of serving two terms she will not be seeking a third term.

The Australian Information Commissioner said: “I am greatly honoured to have led the Office of the Australian Information Commissioner (OAIC) through a time of exponential growth, technological development, heightened community expectations and great domestic and international change in the regulatory landscape. I remain focused on the protection and promotion of privacy and information access rights and ensuring the OAIC is well positioned for the challenges of the future.”

Commissioner Falk said the move to a three Commissioner model marked an exciting chapter for the OAIC.

“There is much I wish to do in the remainder of my term and a key priority is to support Commissioners in their roles and leverage our current strategic review so the OAIC can continue to serve the Australian community over the next decade,” she said.

The Attorney-General’s Department has advertised the position ahead of the conclusion of the Australian Information Commissioner’s term in August 2024.

Falk’s tenure has been more effective than her predecessors.  That is partly because she has had more resources of late and the pressures to do more given the increased number and size of data breaches have grown.  That said, previous Commissioners left a disappointing legacy.  Regulation has been weak and enforcement negligible.  As such Read the rest of this entry »

Senate Estimates are an invaluable way of scrutinising government departments and asking questions on issues that do not find their way into Government reports. So it was with the Senate Legal and Constitutional Affairs Legislation Committee asked some long overdue questions of the Information Commissioner on 23 October 2023.  With the Information Commissioner top of the list of questions is the delay in investigating complaints and the lack of vigorous enforcement by the Commissioner.  Compared to other privacy regulators the Australian Information Commissioner’s Office is tardy and timid.

Senator Shoebridge asked questions relating to those very issues.  The answers were not particularly inspiring.  The good Senator hightlighted what privacy practitioners have long suspected, that the Commissioner doesn’t do enforcement.  This extract is revealing:

Sen ator SHOEBRIDGE: How could it be that 1,748 data breaches are referred to your office with not a single penalty over two years? What has gone wrong?

Ms Falk : It’s not a matter of something going wrong. It’s about regulatory strategy. It’s about ensuring that we’re using the right tool in the right circumstances.

Senator SHOEBRIDGE: It’s about never using the stick, isn’t it—never.

Ms Falk : That’s not the case. You’ll be aware that I do have proceedings before the Federal Court in relation to Facebook and also aware of the time that it takes for these matters to progress.

The regulatory strategy is not to take enforcement action.  In the US or the UK the enforcement would very much to the fore.  Here is is not the “right tool.”  Little wonder that there is a very poor privacy culture.  If enforcement is off the table there is Read the rest of this entry »

Its annual report time. And the Information Commissioner is no exception to this exercise ordained by law. And, in the tradition of the Australian Public Service, it was released on a Friday. The 19th October to be exact, even though the Information Commissioner signed the report as being 3 October 2023. That way it avoids serous scrutiny by the traditional media. There is no time to push out a story for the weekend papers and the electronic media would have no interest in that being a weekend story. By Monday the caravan has moved on.

The media release provides:

The Office of the Australian Information Commissioner (OAIC) delivered work for the Australian community through unprecedented times in 2022–23 as millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme.

Releasing the OAIC’s annual report for 2022–23, Australian Information Commissioner and Privacy Commissioner Angelene Falk said the volatile events of the financial year had underscored the need for the regulator to have the right foundations in place to promote and protect information access and privacy rights.

“Throughout the year, the OAIC has continued to develop and advocate for these foundations to support a proportionate and proactive approach to regulation. This includes appropriate laws, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and, importantly, collaboration,” Commissioner Falk said.

“As well as being a wake-up call for Australian organisations, the prominent data breaches emphasised how collaboration by regulators and government can assist in identifying and reducing harms.”

Commissioner Falk said the OAIC had sought to influence quality freedom of information (FOI) decision making by providing guidance to government agencies and working with them to improve the system. However, the OAIC still requires sufficient resources to meet current demand and address backlogs.

This year, applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years, and FOI complaints fell 2% to 212.

The OAIC finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 35% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.

“We continued to engage with government agencies on issues of regulatory concern and to promote the principles of open by design, which support agencies to build a culture of transparency and trust by prioritising, promoting and resourcing proactive disclosure,” Commissioner Falk said.

The OAIC performs an important privacy complaint handling role for the community. In 2022–23, it received 34% more privacy complaints (3,402, a record number) than in 2021–22.

In a year in which data breaches were so prominent, the OAIC received a 5% increase in notifications.

“Not surprisingly, our Australian Community Attitudes to Privacy Survey 2023 released soon after the end of the reporting period in August 2023, found that data breaches are seen as the number one privacy concern by the community,” Commissioner Falk said.

During 2022–23, the OAIC launched significant investigations into Optus, Medibank Private, Latitude Group and Australian Clinical Labs in relation to their data breaches. Investigations were also opened into the personal information handling practices of retailers Bunnings and Kmart, focusing on the companies’ use of facial recognition technology.

The OAIC continues to co-regulate the Consumer Data Right (CDR) with the Australian Competition and Consumer Commission. During 2022–23, the OAIC provided advice on the privacy and confidentiality impacts of expanding the CDR to the non-bank lending sector, legislation to establish new functionality in the CDR to allow consumer-directed action and payment initiation, and new and amended data standards.

During the reporting period, the OAIC contributed to the Attorney-General’s Department’s review of the Privacy Act 1988. The Australian Government released its response to the review in September 2023 and legislation is expected in 2024.

“In the May 2023 Budget, the OAIC received additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future,” Commissioner Falk said.

“This is an opportunity full of promise and will occur alongside a change in the composition of the OAIC following the Australian Government’s announcement that the 3 statutory office holder model will be reinstated, with an Information Commissioner (as agency head), FOI Commissioner and Privacy Commissioner.

“The OAIC has a strong foundation on which to build, and it will move from strength to strength with the leadership of 3 expert commissioners.”

Read the OAIC Annual report 2022–23.

Key 2022–23 statistics

• • Received 1,647 applications for IC review of FOI decisions (down 16% compared to 2021–22) and finalised 1,519 (up 10%).
  • Received 212 FOI complaints (down 2%) and finalised 124 FOI complaints (down 44%). The fall in complaints finalised was due to a focus on finalising IC reviews received in 2018 and 2019.
  • Received 3,402 privacy complaints (up 34%) and finalised 2,576 privacy complaints (up 17%).
  • Received 895 notifications under the NDB scheme (up 5%) and finalised 77% of notifications within 60 days against a target of 80%.
  • Handled 11,672 privacy enquiries (up 7%) and 1,647 FOI enquiries (down 15%).

The overview provides:

In 2022–23 the OAIC delivered our work for the  Australian community through unprecedented times, as tens of millions of Australians were impacted by the biggest data breaches the country had experienced since the commencement of the Notifiable Data Breaches (NDB) scheme in 2018.
With the welcome support of additional government funding for privacy, we commenced and have
substantially progressed major investigations into these breaches. They have brought into sharp relief the requirement for boards across corporate Australia, Ministers and Secretaries of Departments, to prioritise investment in protecting personal information and limiting its collection and retention. As cyber-attacks become increasingly prevalent and impactful, it’s individuals who are at risk of harm but business and others with custody of personal information at risk of serious reputational damage.
This is why the OAIC seeks to serve the Australian people by putting the individual at the centre of our approach. We focus on applying our regulatory tools to promote access to government-held information and protect personal information. This means assessing where potential community impacts are most significant, being targeted in our approach, maximising the use of our resources, and adapting to a rapidly changing and increasingly complex environment.
Achieving that goal requires certain foundations to be in place: appropriate law, resources, capability – the right people with the right tools – effective engagement with risk, appropriate governance and
importantly, collaboration.
The OAIC has developed these foundations to take a proportionate and proactive approach to identifying and reducing harms. We have sought to influence quality Freedom of Information (FOI) decision-making by providing guidance to agencies and working with them to improve the system. However, to achieve the vision for the OAIC’s role in FOI requires sufficient resources to meet current demand and address backlogs which have arisen since the office’s establishment, resulting in a legacy case load that persists and continues to grow.
This year applications for Information Commissioner review (IC review) of FOI decisions of agencies and ministers fell 16% to 1,647, a break in the significant increases of recent years primarily attributable to the Department of Home Affairs; and FOI complaints fell 2% to 212.
We finalised 1,519 IC reviews in 2022–23, an increase of 10% compared to 2021–22, which followed increases of 37% and 23% in the previous years respectively. But of 2,004 IC reviews on hand at 30 June, over half were more than 12 months old.
In 2018 the OAIC began efforts to garner support for a review of its functions and resourcing requirements, to ensure the organisation is positioned to meet the needs of the community. We have been consistent and persistent in our representations across all our functions. In the May 2023 Budget we were pleased to receive additional funding to bring in expertise to conduct a strategic assessment to ensure we are well placed to meet the regulatory challenges of the future. Read the rest of this entry »

The Office of the Information Commissioner has released the latest Data Breach Report for the first half of 2023. It was a reduction over the previous 6 months.  It should be noted that there are usually more data breaches in the second half of a year. 

Some of the interesting points made in the report was:

• Health services continued to be the most affected by data breaches, with 63 notifications of the total of 409.
• 42% of the data breaches resulted from cyber security incidents
• 288 of of the attacks were malicious or criminal attack
• human error breaches were the fastest to be identified in 30 days or fewer. 

• 21 of the 23 breaches that affected over 5,000 Australians were caused by cyber incidents. Of these,

  • 7 were caused by ransomware,

  • 7 by compromised or stolen credentials ,

  • 4 by hacking and 1 each by brute-force attack, malware and phishing (compromised credentials).

  • 2 breaches that affected over 5,000 Australians in this period were caused by a rogue employee or insider threat and theft of paperwork or a data storage device.

• 87% of information affected was contact information, such as an individual’s name, home address, phone number or email address.
• in 78% of cases the breaches were identified in 30 days or less.

The media release provides:

The need for organisations to strengthen data security and promptly respond to suspected breaches is highlighted in the latest Notifiable data breaches report, released today.

The Office of the Australian Information Commissioner (OAIC) expects organisations to have robust and proactive procedures in place to protect the personal information they hold, Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

“As the guardians of Australians’ personal information, organisations must have the security measures required to minimise the risk of a data breach,” Commissioner Falk said.

“In the event of an incident such as a cyber-attack, organisations must also be able to adequately assess whether a data breach has occurred, how it has occurred and what information has been affected.”

The Notifiable Data Breaches scheme aims to protect individuals by requiring that they are notified when they are at likely risk of serious harm from a data breach. Read the rest of this entry »