June 5, 2024
These days hackers are quite sophisticated in announcing successful attacks. Often that is done via forums on the dark web. And so GhostR, a financially motivated hacker group, claims to have stolen data from Australian logistics company Victorian Freight Specialists. There has been nary a word from Victorian Freight Specialists. That does not mean Victorian Freight are being especially clever or that this is part of its strategy. More often than not companies have no data breach response plan. GhostR claims to have breached the company on 26 May and taken 846 gigabytes of company data. Sample data appears to include internal data taken from an SQL database and screenshots of logon screens. Information Security Media Group could not immediately verify the legitimacy of the data. The company website appeared to briefly go dark, although it is currently working. Victorian Freight Specialists did not immediately respond to a request for comment.
GhostR only recently threatened to Read the rest of this entry »
Posted in Privacy
The Australian Information Commissioner has issued civil penalty proceedings against Medibank Private Limited arising from the massive October 2022 data breach. That is 20 months after the breach. This adds to Medibank’s litigation arising from that data breach. There is also a class action in the Federal Court against Medibank, Zoe Lee McClure v Medibank Private Limited (ACN 080 890 259). It is also subject to a representative complaint.
Medibank did not issue a press release but it did release a notice to the Australian Stock Exchange stating:
Medibank advises that the Australian Information Commissioner has today commenced civil penalty proceedings against Medibank in the Federal Court of Australia in connection with the 2022 cybercrime event.
The proceedings relate to the Commissioner’s own investigation into the 2022 cybercrime event. The Commissioner alleges that Medibank breached Australian Privacy Principle 11.1.
Medibank intends to defend the proceedings.
The Commissioner’s press release provides:
The Australian Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank Private Limited in relation to its October 2022 data breach.
The Commissioner alleges that from March 2021 to October 2022, Medibank seriously interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information from misuse and unauthorised access or disclosure in breach of the Privacy Act 1988.
The proceedings follow an investigation initiated by Australian Information Commissioner Angelene Falk after Medibank was the subject of a cyber attack in which one or more threat actors accessed the personal information of millions of current and former customers, which was subsequently released on the dark web. Read the rest of this entry »
Posted in Privacy
May 21, 2024
It is hardly a surprise that MediSecure would make a notification under the mandatory data breach notification provisions of the Privacy Act 1988. It is a very significant data breach involving very sensitive information. Today the Information Commissioner’s Office has announced a preliminary inquiry.
It is interesting that the Privacy Commissioner has used this statement to call for reform of Privacy laws. That is topical given the Government has announced that it will introduce a Bill into Parliament in August. By making something more than an anodyne statement the Privacy Commissioner has done something quite new.
The statement provides:
The Office of the Australian Information Commissioner (OAIC) has been notified of the data breach involving MediSecure.
The National Cyber Security Coordinator is working with agencies across the Australian Government, states and territories to coordinate a whole-of-government response to this incident. The OAIC is actively engaging and collaborating with other agencies in this process, with a particular focus on the privacy of individuals and their personal information. Read the rest of this entry »
Posted in European Privacy Regulators, Privacy
May 17, 2024
The health industry is a keen target for cyber attacks. Hospitals, medical surgeries and health industry organisations collect vast amounts of personal and financial information on the one hand. On the other, the industry is notoriously prone to attack. In the United States Singing River Health System has been hacked with the records of 895,000 people stolen, while an attack on Ascension has resulted in ambulances being diverted and EHRs taken offline. But it is Australia where one of the most significant attacks in the health industry has occurred. There has been a data breach at MediSecure, a company which provides electronic prescriptions and monitoring. There is good coverage by the Australian Financial Review which puts this attack in the context of large scale data breaches in Australia in the last year or so.
Given that MediSecure, a name that is deeply ironic today, is the only accredited electronic prescription provider, this is a potentially disastrous development.
As per usual in the Australian environment MediSecure has released a very brief (non) statement which provides:
MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems.
While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.
MediSecure takes its legal and ethical obligations seriously and appreciates this information will be of concern. MediSecure is actively assisting the National Cyber Security Coordinator to manage the impacts of the incident. MediSecure has also notified the Office of the Australian Information Commissioner and other key regulators.
MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time.
While most of the statement is pap, what is relevant is that the breach came through a third party vendor. That is a common entrepot for major data breaches. Many organisations have not properly grappled with ensuring that third party operators with authorisations and access rights to their Read the rest of this entry »
Posted in Privacy
May 13, 2024
The Attorney General has announced the appointment of Elizabeth Tydd as Information Commissioner. It is an internal appointment, uplifting Tydd from Freedom of Information Commissioner to the top job. It is too early to say whether that is an inspired choice or not. It is probably a safe choice. But there is a very good argument to be made for the regulator to have an outsider to take the helm and adopt a more assertive stance, such as Sims did at the ACCC. Australian Information Commissioners have been worthy, decent and quite conservative. Compared to regulators in the UK, Europe and the US the Information Commissioner’s work rate is low.
The Government’s announcement Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
May 8, 2024
Innovation Aus reports, in Privacy bill to come before Parliament in August, that the long mooted, eagerly awaited and desperately needed amendments to the Privacy Act will be introduced into Federal Parliament. At the recent Privacy By Design awards the Attorney General spoke generally about the need for reform but gave no specifics.
The Innovation Aus article provides:
Legislation for a long-awaited overhaul of Australia’s outdated privacy laws will be introduced to Parliament in less than four months, rounding out a policy reform process that has been more than four years in the making.
Prime Minister Anthony Albanese announced the timeline last Wednesday, although limited his comments to the introduction of anti-doxxing laws — a recent focus for the federal government.
On Thursday, Attorney-General Mark Dreyfus said that legislation to “overhaul the Privacy Act and protect Australians from doxxing” would be introduced by the government in August.
He reiterated that the current privacy regime is “woefully outdated and unfit for the digital age”, with “speed of innovation and the rise of artificial intelligence” only making the need for legislative change more important.
A spokesperson for Mr Dreyfus on Monday confirmed to InnovationAus.com that the legislation will address the entirety of the government’s response to the Privacy Act Review.
The legislation will institute all proposals that the government agreed to in its response to the review in September 2023, but it is not yet clear how many of the in-principle proposals will be included.
The government is expected to continue to consult on proposed reforms until the laws are introduced, although it has not been determined if draft exposure legislation will be released before the bill is tabled. Read the rest of this entry »
Posted in Privacy
May 1, 2024
Location data is very valuable when combined with other data. It is important in its own right. The data relates to individuals, so it is privacy intrusive if provided to third parties without consent. Sharing without consent was a practice of large US carriers. Until now. The Federal Communications Commission (“FCC”) has fined the largest carriers in the USA for sharing location data. The fines were:
- Sprint $12 million
- T-Mobile $80 million
- AT&T $57 million, and
- Verizon $47 million
The FCC media release provides:
WASHINGTON, April 29, 2024—Today, the Federal Communications Commission fined the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure. Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said FCC Chairwoman Jessica Rosenworcel. “As we resolve these cases – which were first proposed by the last Administration – the Commission remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data.” Read the rest of this entry »
Posted in Privacy
Qantas has suffered a data breach involving its mobile phone app. Apps are notoriously vulnerable, usually because organisations commonly sacrifice building in proper security in the rush to release a shiny new app. The data breach involving the Qantas app was that frequent flyers using the app could access other people’s accounts. A possible cause of the data breach is a fault occurring because of recent system changes.
The Australian covers the Read the rest of this entry »
Posted in Privacy
April 24, 2024
Data breaches come in a variety of forms. The theft of personal information through cyber attacks by criminal gangs is widely reported but is less frequent than other, more prosaic, data breaches. Such as the recent breach by Hungry Jack’s of its staff’s personal information. This involved someone in the chain’s training and communication section sending out a spreadsheet containing staff personal information: names, email addresses, job titles etc. The story is reported in the Sydney Morning Herald’s Personal data of ‘thousands’ of Hungry Jack’s staff exposed in internal leak. This is a depressingly familiar breach. And almost de rigueur for government agencies. It bespeaks poor privacy training and data handling by staff. For staff to attach a document containing personal information and send it widely typically involves a poor review of the document itself and woeful Read the rest of this entry »
Posted in Privacy
The ongoing political, legal and policy controversy following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”) to overturn Roe v Wade continues to reverberate, including in the area of privacy law. It should be noted that Roe v Wade was in essence a privacy decision. In the majority opinion written by Justice Harry A. Blackmun, the Court held that a set of Texas statutes criminalizing abortion in most instances violated a constitutional right to privacy, which it found to be implicit in the liberty guarantee of the due process clause of the Fourteenth Amendment (“…nor shall any state deprive any person of life, liberty, or property, without due process of law”). Roe was a controversial decision politically, and increasingly so, but also a decision that attracted significant debate within the legal community. The pillars of a constitutional right to privacy are enumerated provisions of the Bill of Rights.
The response to Dobbs at the Federal level by the Executive has been to strengthen the privacy controls on the collection, use and sharing of health information. Yesterday the White House announced, through the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) a Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy.
Under the Rule there will be a prohibition on Read the rest of this entry »
Posted in Privacy