US Federal Communications Commission orders telecommunications companies to report data breaches which involve personal information within 30 days

February 13, 2024

An obligation to report data breaches is part of the GDPR and most privacy legislation in the common law countries. It is an obligation under Part IIIC of the Privacy Act, especially section 26WE. Now the Federal Communications Commission (“FCC”), according to FCC orders telecom carriers to report PII data breaches within 30 days, has ordered telecom carriers to report data breaches involving access to personal information within 30 days, commencing on 13 March 2024. That is generous when compared to Read the rest of this entry »

Federal Government announces criminalisation of doxxing and also bringing forward reform of the Privacy Act 1988

The Government has been spurred into expediting reform of the Privacy Act 1988 in response to the doxxing of members of a Jewish WhatsApp group, whose details found their way into the hands of activists and were posted online. According to the Sydney Morning Herald’s ‘Doxxing’ laws to be brought forward after Jewish WhatsApp leak, doxxing will constitute a criminal act and the legislation will be introduced with the other Privacy Act reforms. When that will happen is not specified. Attorney-General Dreyfus stated that the anti-doxxing provisions will be made through the eSafety Commissioner but as part of the “civil reforms to the Privacy Act”. The Guardian covers the story in Albanese government to propose legislation to crack down on doxing. The Australian covers it with Albanese vows to crack down on doxxing. The Attorney-General just did a doorstop on doxxing where he suggested that provisions criminalising doxxing would be brought forward.

The transcript provides:

ATTORNEY-GENERAL MARK DREYFUS KC MP: The Albanese Government is committed to protecting the safety of Australians, and stronger privacy protections for individuals are essential. The increasing use of online platforms to harm people through practices like doxxing, the malicious release of their personal information without their permission, is a deeply disturbing development. The recent targeting of members of the Australian Jewish community through those practices like doxxing was shocking, but sadly, this is far from being an isolated incident. We live in a vibrant multicultural community which we should strive to protect. No Australian should be targeted because of their race, or because of their religion. The Albanese Government committed last year to stronger protections for Australians through reforms to the Privacy Act. We’ve had a long running review to the Privacy Act and late last year I announced the Government’s response to that review of the Privacy Act. The Prime Minister has asked me to bring forward, as part of that set of reforms to the Privacy Act, some new provisions to deal with this practice of doxxing, with the malicious use of people’s personal information without their consent. And we’ll also be bringing forward provisions, and the Prime Minister has asked me to do this as well, some provisions that strengthen current laws that deal with hate speech. The work will complement work that is already underway right across government, as we seek to strengthen online safety for all Australians. It’s work that my colleague, the Minister for Communications, Michelle Rowland has also been working on.

REPORTER: Given that accounts can hide behind dishonest profiles when committing acts of doxxing, how will these measures actually be effected? Will social media companies be compelled to expose those who release private information?

ATTORNEY-GENERAL: We’ve already got some provisions through the eSafety Commissioner that enable online platforms to be required to take down. We’ve seen the eSafety Commissioner not only sending takedown notices, but imposing penalties. That’s one of the measures that we’re certainly going to be looking at in relation to this practice of doxxing.

REPORTER: Can you define doxxing, in terms of which attributes it would be unlawful to maliciously reveal? Is it just identity, race and religion, or does it extend to other protected attributes, like sexuality and gender identity?

ATTORNEY-GENERAL: Doxxing is a broad term but I think it’s generally understood to be the malicious release publicly of personal information of people without their consent. That takes different forms. It’s clearly got different malicious purposes, depending on the context. But that’s something that we’re going to have to deal with when we prepare this legislation.

REPORTER: These group chats were released to the Nine papers originally where they were published. Would that leaked information and the group chat messages come under doxxing under this legislation?

ATTORNEY-GENERAL: We see that with massive changes in digital technology that is throughout our society, that the opportunities for invasions of privacy, the opportunities for the use of people’s personal information without consent, the opportunities for really malicious actions to take place, affecting hundreds of thousands of people very, very quickly, has been made possible. Legislation has struggled to keep up. That’s part of the reason behind this reform of the Privacy Act that we’ve embarked on. And clearly, all of those things are needing to be looked at.

……………

REPORTER: Can I clarify, bulking up the hate speech laws, that will be contained in the Religious Discrimination Bill? Will it? And when can we expect to see that?

ATTORNEY-GENERAL: We’ve already been working on the hate speech provisions. It is our intention to bring them forward with the Religious Discrimination Bill that we plan to bring forward. The Prime Minister has asked me to accelerate the work on the hate speech part of that package.

………..

The Australian article Read the rest of this entry »

The UK Information Commissioner reprimands South Tees Hospitals for a serious harmful data breach.

January 28, 2024

The UK Information Commissioner has reprimanded the South Tees Hospitals NHS Foundation Trust for a serious data breach. The breach involved providing sensitive information to an unauthorised family member. The nature of the information is not specified but it involved sending a letter relating to an upcoming appointment which found its way into the hands of another person. 

The ICO’s release provides:

The Information Commissioner’s Office (ICO) has today announced it has reprimanded South Tees Hospitals NHS Foundation Trust for a data breach which resulted in a disclosure containing sensitive information to an unauthorised family member.

In November 2022, a Trust employee sent a standard letter to inform the father of a patient of an upcoming appointment, but the appointment letter was sent to the wrong address.

Whilst the subsequent investigation by the ICO confirmed that the disclosure was the result of human error, it also found no evidence that the Trust fully and appropriately prepared staff for their role in dealing with correspondence that was particularly sensitive.

Joanne Stones, Group Manager at the Information Commissioner’s Office, said:

“This breach resulted in extremely sensitive information being passed to the wrong person. This was a serious, harmful incident that has understandably caused upset to the individuals involved and such an error must never be repeated.

“This breach highlights how even seemingly minor errors can have very serious consequences. To other organisations handling similarly sensitive data, this shows just how important proper training and procedures are in preventing mistakes.”

Under data protection law, organisations must have appropriate technical and organisational systems in place to ensure personal data is kept safe and not inappropriately disclosed to others.

South Tees Hospitals NHS Foundation Trust should now implement new standard operating procedures and provide further staff training to ensure data is protected and reduce the possibility of future disclosures in error.

Read the rest of this entry »

Data breaches in Australia for January 2024 … so far

It has been a busy year for data breaches in Australia in January 2024 (so far). Eagers Automotive stopped trading in late December 2023, with notification of a cyber attack following in early January. The LockBit 3.0 ransomware group claimed responsibility. A Melbourne travel agency, Inspiring Vacations, left its database without password protection. It held 112,605 records relating to customers. This usually comes down to poor configuration.

Iconic, an online retailer, had inadequate basic security measures to verify customer details, which put its 2.1 million customers at risk of being defrauded. And some were, according to Iconic. The hackers embarked on credential stuffing: using usernames and passwords stolen from one organisation to access client accounts on separate websites. This form of attack exploits the common online behaviour of individuals reusing the same email and password combinations across multiple digital platforms. Iconic’s response was truly abysmal, initially denying it had suffered a data breach. Later Iconic promised to issue refunds to hacked customers. While Iconic’s volte-face was fairly rapid, it was a major mistake to deny what was obviously taking place.

Print music company Hal Leonard was hit by a ransomware attack by the Qilin ransomware gang. It gave Hal Leonard a week to pay a ransom. Hal Leonard has made no comment. Qilin has shared 37.6 gigabytes of Hal Leonard’s data.

On 23 January Nissan Oceania notified customers of a cyber attack. It is a very bare-bones notification, not even identifying when the attack was detected.
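Credential stuffing as described above has a recognisable shape in authentication logs: one source tries many distinct accounts with only one or two attempts each, which is how a replayed breach list looks and how it differs from one user retrying their own password. The detector below is an added example, not code from the original post or from any of the companies mentioned; the log format and the thresholds are assumptions and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). The first source
# walks a list of accounts once each; the second is one user retrying.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 login user=alice@example.com result=FAIL
2024-01-10T09:00:02 203.0.113.7 login user=bob@example.com result=FAIL
2024-01-10T09:00:03 203.0.113.7 login user=carol@example.com result=SUCCESS
2024-01-10T09:00:04 203.0.113.7 login user=dave@example.com result=FAIL
2024-01-10T09:00:05 203.0.113.7 login user=erin@example.com result=FAIL
2024-01-10T09:00:06 203.0.113.7 login user=frank@example.com result=FAIL
2024-01-10T09:01:00 198.51.100.9 login user=grace@example.com result=FAIL
2024-01-10T09:01:10 198.51.100.9 login user=grace@example.com result=FAIL
2024-01-10T09:01:20 198.51.100.9 login user=grace@example.com result=SUCCESS
"""

# Assumed log line layout: timestamp, source IP, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>\w+)$"
)

def parse_log(text):
    """Yield (timestamp, ip, user, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"])

def detect_credential_stuffing(text, window=timedelta(minutes=5),
                               min_accounts=5, max_attempts_per_account=2):
    """Return {ip: {"accounts": n, "successes": [users]}} for sources that tried
    at least `min_accounts` distinct accounts inside `window`, with at most
    `max_attempts_per_account` tries per account (a list replay, not a retry).
    The successes list is the set of accounts a defender should treat as
    compromised and force a password reset on."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Sliding time window over this source's events.
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            per_account = defaultdict(int)
            for _, user, _ in window_events:
                per_account[user] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_attempts_per_account):
                current = findings.get(ip)
                if current is None or len(per_account) > current["accounts"]:
                    successes = sorted({u for _, u, r in window_events if r == "SUCCESS"})
                    findings[ip] = {"accounts": len(per_account), "successes": successes}
    return findings

if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['accounts']} accounts tried; compromised: {f['successes']}")
```

The single success inside a spray is the signal Iconic's customers needed acted on; a low per-account failure count is exactly why per-account lockout alone does not catch this pattern.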

The Nissan statement Read the rest of this entry »

Google settles a claim alleging it tracked users even when browsing in private mode

January 5, 2024

On 5 February 2024 Google was going to trial in a class action which alleged that it tracked users’ browsing activities when in private mode. The claim was for $5 billion. Obtaining such an award was always unlikely. Even a substantial financial award would pale beside the huge reputational damage associated with disclosing Google’s practices. Not surprisingly the case has settled, as reported by Forbes and the BBC.

Google fought this case hard, with multiple attempts to strike out the proceeding. The modus operandi is common to technology companies, fight and fight and fight until the hearing date nears and then try to settle.

The Forbes article provides:

Alphabet Inc.’s Google subsidiary has tentatively settled accusations of misappropriating user data, averting a potentially revealing court trial. The lawsuit originally sought $5 billion in damages, but the terms of the settlement were not disclosed. The news was first reported by Reuters.

According to court documents, the search giant agreed to resolve claims that despite promises of privacy, it tracked the internet activity of users browsing in what they believed was an undercover mode. Consumers contended that they were shadowed by Google even while using the supposedly concealed ‘Incognito’ mode on Chrome, raising alarms over the sanctity of online privacy. The company tried to get the court to throw out the case multiple times, but failed.

The agreement, announced before a pending trial date on February 5, 2024, halts the progression of a class-action suit that sought damage payments of at least $5 billion. Terms of the settlement, brokered through a private mediation process, are not yet public, but will be revealed upon submission for court approval by the end of February 2024.

While the plaintiffs’ attorneys and Google refrained from commenting on the settlement, the crux of the legal challenge put Google’s transparency under scrutiny.

The case hinged on the assumption that Google’s analytics and ad-targeting mechanisms continued to siphon personal data regardless of user privacy settings, converting virtually anonymous browsers into valuable data points. Read the rest of this entry »

Data breach of Victorian Court Services continues to attract coverage, now overseas.

Today’s Age has comprehensively covered the data breach of the Court Services system with Victims exposed in court hack ‘unlikely’ to be able to sue: legal expert. Bleeping Computer, a US based tech magazine, has reported on the breach with Victoria court recordings exposed in reported ransomware attack , a brief piece by cyberdaily with Victorian court systems allegedly breached by Qilin ransomware gang and Security with Victoria court records exposed following cyberattack.

As the Age article states, there would be challenges in bringing proceedings arising from this data breach. But they may not be insurmountable. It is most likely that the ransomware infected the system via an email and that someone in Court Services opened it. Alternatively, the attackers somehow obtained login and password details allowing access. Finally, it may have been through a third party service provider. Each of those means of ingress should be the subject of proper processes and training. In my experience, they rarely are. Often an audit of a system after a cyber attack reveals many, many flaws.

While the data breach probably does not involve a large number of individuals, it is particularly significant because it involves court recordings, which should be properly protected, especially where files involve sensitive information, as some of the recorded evidence would. It is early days but the potential for continuing havoc is real. Hackers have been known to Read the rest of this entry »

Cyber attack on Victorian Court system; the growing disquiet

January 3, 2024

It is not surprising that the cyber attack on the Victorian Court system has brought in comments from the Attorney General and intense media focus. The Chief Executive of Court Services Victoria released a statement yesterday (after my post of yesterday) where she stated:

On Thursday 21 December 2023, Court Services Victoria (CSV) was alerted to a cyber security incident impacting Victoria’s courts and tribunals.  

The cyber incident led to unauthorised access leading to the disruption of the audio visual in-court technology network, impacting video recordings, audio recordings and transcription services.

CSV took immediate action to isolate and disable the affected network and to put in place arrangements to ensure continued operations across the courts.  As a result, hearings in January will be proceeding. 

Recordings of some hearings in courts between 1 November and 21 December 2023 may have been accessed. It is possible some hearings before 1 November are also affected.  The potential access is confined to recordings stored on the network. Further details for each court are found below.

No other court systems or records, including employee or financial data, were accessed. 

Maintaining security for court users is our highest priority.  Our current efforts are focused on ensuring our systems are safe and making sure we notify people in hearings where recordings may have been accessed. 

We understand this will be unsettling for those who have been part of a hearing.  We recognise and apologise for the distress that this may cause people.  CSV has established a Contact Centre with dedicated staff which is available to those seeking further information or assistance. This includes support from IDCARE, Australia’s national identity and cyber support community service. The Centre can be contacted from today via telephone or email:   

We are working closely with the cyber security experts in the Victorian Department of Government Services. All relevant authorities have been notified of the incident and are assisting with the investigation and response. 

All courts have put in place arrangements so that they can continue to safely and securely hear matters while CSV re-establishes the affected network.  We appreciate the cooperation of court users during this period. 

The work on the restoration of systems includes works to strengthen security across the broader court and tribunal-wide technology environment.

With limited exceptions, court and tribunal hearings are held in public and are not confidential.  The unauthorised use of recordings of hearings is not permitted. 

The table below sets out which recordings of hearings may have been accessed. 

Jurisdiction      | Date range                | Hearings where recordings may have been accessed
Supreme Court     | 1 December to 21 December | Court of Appeal, Criminal Division, Practice Court and two regional hearings in November.
County Court      | 1 November to 21 December | All criminal and civil hearings recorded on the network.
Magistrates’ Court | 1 November to 21 December | Some committals that were heard during this period.
Children’s Court  | 1 November to 21 December | No hearings in the date range. A recording of one hearing in October which may have remained on the network.
Coroners Court    | 1 November to 21 December | All hearings in the date range.
VCAT              | 1 November to 21 December | No hearings.

Frequently asked questions

What is the cyber incident that’s happened?

Court Services Victoria (CSV) became aware on Thursday 21 December of a cyber incident that impacted in-court audio and video (AV) systems.

During the incident, there was unauthorised access to CSV’s audio visual in-court technology network.

Recordings of some hearings in courts and tribunals between 1 November and 21 December 2023 may have been accessed. It is possible some hearings before 1 November are also affected. Read the rest of this entry »

Another ransomware attack, this time on the Victorian Court system

January 2, 2024

The ABC reports today, in Russian hackers believed to be behind cyber attack on Victoria’s court system, that the Victorian Court system was subject to a ransomware attack on 21 December 2023. The Guardian reports on it here. While someone from Court Services made comment, with the usual (1) detected the breach, (2) secured it, (3) working on it and (4) will notify people where appropriate, plus the tried and true (5) security is our highest priority, there has been no statement on its homepage. At least not yet. Based on the story it is an extortion attempt by a Russian hacking group.

As the story notes, there must have been a deficiency in the security system or privacy training. Ransomware programs don’t just appear on systems. They are commonly delivered through email or through stolen or otherwise acquired credentials. If it was because someone opened an attachment or clicked on a hyperlink in an unfamiliar email, that bespeaks poor privacy training.

This is not the first attack on the Court system. In 2020 a former registrar hacked the system to create a false intervention order. The registrar was jailed for fraud.

Courts Victoria falls under the regulation of Read the rest of this entry »

Federal Trade Commission proposes Strengthening Children’s Privacy Rule to limit monetisation of Children’s Data

The Federal Trade Commission is proposing changes to the COPPA Rule, the principal regulation relating to the protection of child privacy online. COPPA stands for Children’s Online Privacy Protection Act. The purpose is to restrict third parties monetising children’s data.

The release Read the rest of this entry »

UK Information Commissioner’s Office fines Ministry of Defence for revealing the names of 265 people seeking relocation to the UK from Afghanistan after the Taliban took over.

January 1, 2024

A very common form of data breach by government agencies is for an officer, usually mid ranked or lower, to attach a list of names to an email, advertently or inadvertently, and then either send the email to the wrong recipient or send the wrong attachment to the intended recipient. Another variation I see quite commonly is someone sending an email to a large number of recipients via “Reply All” when the intention was to respond to only one person. Many of the “Alls” should not have seen the document.

Before Christmas the UK Information Commissioner fined the Ministry of Defence for releasing via email the names of 265 Afghans seeking relocation to the UK in the wake of the Taliban takeover. Here the email was sent to a distribution list of Afghan nationals releasing personal information of 245 people. The ICO statement provides:

    • Details of 265 people compromised in email data breaches weeks after Taliban took control of Afghanistan in 2021
    • Egregious breach “let down those to whom our country owes so much” – UK Information Commissioner
    • Email error could have resulted in a threat to life

The Information Commissioner’s Office (ICO) has fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021.

On 20 September 2021, the MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles. Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.

The original email was sent by the team in charge of the UK’s Afghan Relocations and Assistance Policy (ARAP), which is responsible for assisting the relocation of Afghan citizens who worked for or with the UK Government in Afghanistan. The data disclosed, should it have fallen into the hands of the Taliban, could have resulted in a threat to life.

Soon after the data breach, the MoD contacted the people affected asking them to delete the email, change their email address, and inform the ARAP team of their new contact details via a secure form. The MoD also conducted an internal investigation, made a statement in Parliament about the data breach, and updated the ARAP’s email policies and processes, including implementing a ‘second pair of eyes’ policy for the ARAP team when sending emails to multiple external recipients. Such a procedure provides a double check whereby an email instigated by one member of staff is cross-checked by another. Read the rest of this entry »
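The mechanism of this breach, and of the “Reply All” variant described at the top of the post, is a bulk notice whose external recipients are all placed in the visible ‘To’ field, so each sees every other address and a reply goes to all of them. A mail gateway or send-time hook can catch that before a human reviewer does. The check below is an added example, not code from the post or from the MoD; the message, the internal-domain list and the threshold are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not the MoD email): a bulk notice with several
# external people in the visible To field.
SAMPLE_EMAIL = """\
From: relocation-team@example.gov.uk
To: a.person@example.net, b.person@example.org, c.person@example.com
Cc: supervisor@example.gov.uk
Subject: Update on your application
Content-Type: text/plain; charset=utf-8

Please see the attached update.
"""

# Assumption: the sending organisation's own domains; anything else is external.
INTERNAL_DOMAINS = {"example.gov.uk"}

def external_recipients(msg, internal_domains=INTERNAL_DOMAINS):
    """Return the recipient addresses in To/Cc (the fields every recipient can
    see) that fall outside the internal domains."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    result = []
    for _, addr in pairs:
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain and domain not in internal_domains:
            result.append(addr.lower())
    return result

def check_visible_recipients(raw, max_visible_external=1):
    """Pre-send check: a message exposing more than `max_visible_external`
    external addresses to each other is blocked and routed for a second
    reviewer, mirroring the 'second pair of eyes' policy."""
    ext = external_recipients(message_from_string(raw))
    if len(ext) > max_visible_external:
        return {"ok": False, "exposed": ext,
                "advice": "move external recipients to Bcc and route for second review"}
    return {"ok": True, "exposed": ext, "advice": ""}

def rewrite_to_bcc(raw):
    """Return the message with external To/Cc recipients moved to Bcc, so no
    recipient can see, or reply to, the others. Internal addresses stay visible."""
    msg = message_from_string(raw)
    ext = set(external_recipients(msg))
    for header in ("To", "Cc"):
        kept = [f"{name} <{addr}>" if name else addr
                for name, addr in getaddresses(msg.get_all(header, []))
                if addr.lower() not in ext]
        del msg[header]
        if kept:
            msg[header] = ", ".join(kept)
    if msg.get("To") is None:
        msg["To"] = "undisclosed-recipients:;"  # keep a syntactically valid To
    if ext:
        msg["Bcc"] = ", ".join(sorted(ext))
    return msg

if __name__ == "__main__":
    print(check_visible_recipients(SAMPLE_EMAIL))
    print(rewrite_to_bcc(SAMPLE_EMAIL).as_string())
```

Note that moving addresses to Bcc removes the cross-exposure but not the wrong-recipient failure the post opens with, which still needs the second reviewer.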