Mandatory data breach notification laws enacted in Canada

June 22, 2015

The Canadian House of Commons has passed (on 18 June 2015) the Digital Privacy Act, amending the Personal Information Protection and Electronic Documents Act. The key provisions are mandatory data breach notification requirements whereby an organisation will be required to notify the Office of the Privacy Commissioner of Canada following a breach of security safeguards involving personal information under its control when there is a real risk of significant harm to individuals from the breach. Importantly, organisations will also be required to notify affected individuals. There will also be Read the rest of this entry »

Call for mandatory data breach disclosure laws

There has been yet another call for mandatory data breach notification laws, this time from a cyber security firm, FireEye, as reported by the Fairfax press in ‘We need accountability’: Security firm warns that we needs mandatory data breach disclosure laws. The history of privacy law reform in Australia is Read the rest of this entry »

Weaknesses of mobiles and their apps

June 21, 2015

The privacy vulnerabilities associated with mobile phones, and especially their apps, have been well known for some time. The Android system, which powers Samsung mobile phones, has been particularly prone to security problems, as is reported in Questions over Samsung’s handling of security flaw in millions of smartphones and Massive security flaw found in 600 million Samsung phones, including Galaxy S6.

Solutions Review reports in New PulseSecure Report Finds Nearly 1,000,000 Unique Mobile Malware Threats on the ongoing and growing problem with mobile malware. This is an issue Read the rest of this entry »

Massive data breach in the United States highlights consequences of inadequate data security

June 19, 2015

Data breaches by hackers have evoked significant adverse publicity for the organisations affected and understandable concern among those whose personal information was viewed and taken. Breaches of Sony Pictures and Target have resulted in considerable financial losses, not to mention reputational damage for those brands. Breaches of Government networks are equally damaging, if not more so. Data held by authorities often relate to everyday individuals. There is a high potential for identity theft if enough personal information of an individual is taken. There are other impacts, such as being profiled and monitored, if the intent is non-economic, as often occurs with hacking by other countries. What is often not mentioned in reports of these data breaches is that the breaches themselves are almost invariably due to poor cyber security practices such as failing to patch security programs, not fixing well known vulnerabilities, giving third parties with poor security practices access to a network and poor staff training. Inadequate security practices were behind the recent massive breach of the United States Office of Personnel Management (OPM). The OPM has a large database of personal information of US federal employees, though the breach could also affect personal information of private citizens. The Economist’s article Put up the firewalls makes it clear that the breach was avoidable and the measures to detect the hack once the breach occurred were inadequate. It is a familiar story brought about by a combination of poor practices and inadequate enforcement of regulations.

World wide survey on data breaches

June 14, 2015

Following from the PwC report regarding data breaches in the United Kingdom (post found here), the Information Age has a very prescient article on data breaches, putting the UK breaches into a global context, in 96% of UK corporations have been hacked, new data reveals. The basis for the story is the Global business outlook survey, which found:

  • 92% of European corporations have been hacked but 23% have not acted to prevent attacks.
  • in excess of 80% of U.S. companies “indicate” they have been hacked.
  • globally, over 85% of firms have been hacked across Asia, Africa and Latin America.

The article relevantly Read the rest of this entry »

Increase in security breaches and greater costs of breaches in UK according to PwC report

June 13, 2015

Price Waterhouse Coopers have released a report, the 2015 INFORMATION SECURITY BREACHES SURVEY, a survey of breaches over the last 12 months in the United Kingdom. The results are broadly consistent with reports relating to data breaches, such as the 2015 report by Verizon.

The PwC report highlights Read the rest of this entry »

Privacy, password protections and compliance

June 11, 2015

Password protection is critically important for both users of online accounts and those who operate the accounts. An organisation has a responsibility to have a sufficiently rigorous password system to avoid random attacks. One option is two-factor authentication. The Privacy Act does not specify the nature of the password protections that must be in place; however, if the overseas experience is any guide, once a security breach is Read the rest of this entry »

iinet suffers data breach

June 9, 2015

With the passage of the metadata laws, Australian telcos will soon be storing a huge amount of personal information belonging to Australians. It is a huge task and a massive potential risk if there is a data breach. There is also the potential honeypot effect, with hackers knowing that a very significant amount of information will now be stored by telcos. In that context it is concerning that iiNet has reportedly suffered a data breach, as reported in iiNet alert over security breach. Interestingly, the knowledge of the breach came about as a result of the hacker offering to sell personal information. That is more common than one might think. If Read the rest of this entry »

Privacy Commissioner in Australia resolves investigation of privacy breach at Adobe

When Adobe suffered a data breach on 3 October 2013, or at least announced knowledge of a data breach, it was regarded as a totemic event. Since then there have been breaches which have pushed the Adobe breach into the more mundane category. It affected the accounts of hundreds of thousands of Australians. The data breach and notification by Adobe occurred Read the rest of this entry »

Tracking apps moving into the workplace

May 28, 2015

There is a familiar theme in dystopian sci-fi stories: the government/corporation has used technology to control the ordinary citizens. The technology Read the rest of this entry »