Peter A Clarke

In September the Irish Data Protection Commission fined Tik Tok 345 million euros for breaching the GDPR regarding personal information of children using Tik Tok. In April the UK Information Commissioners’ Office fined Tik Tok 12.7 million pounds for misusing children’s data. In 25 March 2022 the U.S. District Court for the Northern District of Illinois approved a $1.1 million settlement with TikTok Inc. (“TikTok”) to resolve claims that TikTok collected children’s data and sold it to third parties without parental consent. In October 2021 Tik Tok reached a 92 million privacy settlement for breaching Illinois’s Biometric Privacy Act.

The genesis of this inquiry is the discovery that Tik Tok has been using tracking tools to harvest data without consent. Now the Australian Information Commissioner is inquiring into Tik Tok’s alleged practice of siphoning personal data of non users without consent.

Senator Patterson, the opposition spokesman, has been very active in scrutinising Tik Tok, not just on the privacy issues but Tik Tok’s potential national security threat given it is a company which is subject to control of the Chinese Government. It has been the subject of criticism of the information it spreads which is anti Western to say the least.

The Attorney General has been drawn to give a comment last week on this inquiry and he said:

JOURNALIST: On another matter, has TikTok breached Australia’s privacy laws by harvesting data from websites without seeking their consent?

ATTORNEY-GENERAL: The Australian Government is very concerned to protect the privacy of Australians and the privacy of Australian children. We are very pleased that the Privacy Commissioner, who is the Australian official charged under the Privacy Act with investigating privacy breaches, has commenced an investigation. I’d make the point that we’ve shown how seriously we take breaches of Australian privacy by last year legislating to increase the penalties, massively increase the penalties for breaches of privacy by corporations. And we’ve also, at the same time, legislated to give additional powers to the Privacy Commissioner. I expect that the Privacy Commissioner will be using those additional powers in this investigation. Read the rest of this entry »

Tik Tok has a truly dismal record when it comes to privacy. 

In September the Irish Data Protection Commission fined Tik Tok 345 million euros for breaching the GDPR regarding personal information of children using Tik Tok. In April the UK Information Commissioners’ Office fined Tik Tok 12.7 million pounds for misusing children’s data. In 25 March 2022 the U.S. District Court for the Northern District of Illinois approved a $1.1 million settlement with TikTok Inc. (“TikTok”) to resolve claims that TikTok collected children’s data and sold it to third parties without parental consent. In October 2021 Tik Tok reached a 92 million privacy settlement for breaching Illinois’s Biometric Privacy Act.

The genesis of this inquiry is the discovery that Tik Tok has been using tracking tools to harvest data without consent. Now the Australian Information Commissioner is inquiring into Tik Tok’s alleged practice of siphoning personal data of non users without consent.

Senator Patterson, the opposition spokesman, has been very active in scrutinising Tik Tok, not just on the privacy issues but Tik Tok’s potential national security threat given it is a company which is subject to control of the Chinese Government. It has been the subject of criticism of the information it spreads which is anti Western to say the least.

The Attorney General has been drawn to give a comment last week on this inquiry and he said:

JOURNALIST: On another matter, has TikTok breached Australia’s privacy laws by harvesting data from websites without seeking their consent?

ATTORNEY-GENERAL: The Australian Government is very concerned to protect the privacy of Australians and the privacy of Australian children. We are very pleased that the Privacy Commissioner, who is the Australian official charged under the Privacy Act with investigating privacy breaches, has commenced an investigation. I’d make the point that we’ve shown how seriously we take breaches of Australian privacy by last year legislating to increase the penalties, massively increase the penalties for breaches of privacy by corporations. And we’ve also, at the same time, legislated to give additional powers to the Privacy Commissioner. I expect that the Privacy Commissioner will be using those additional powers in this investigation. Read the rest of this entry »

St Vincent’s Health Network suffered a data breach on 19 December 2023. When first reported the details of what personal information was stolen was not known. According to the Australian as of 25 December 2023 St Vincent’s was still unable to determine what if any medical records were stolen, in St Vincent’s unable to confirm if medical records stolen. On 29 December 2023 St Vincent’s Health Australia released a statement. It provides:

Since its statement last Friday regarding the attack by cyber criminals, St Vincent’s has been working tirelessly with federal and state governments, law enforcement, and our cyber experts.

Today we again briefed our close to 30,000 team members on the latest information regarding this investigation and monitoring work.

The staff at St Vincent’s provide some of the best care in the world to our patients and residents. Our key priority in responding to this cyber criminal attack has been to preserve and protect the critical work of our staff on behalf of millions of Australians every year.

On Tuesday, 19 December, St Vincent’s began responding to a cyber security incident.

On that day, St Vincent’s immediately took steps to contain the incident, engaged external security experts CyberCX, and notified all relevant state and federal governments and their necessary agencies.

No cyber criminal activity has been detected on St Vincent’s networks since Wednesday, 20 December.

Late on the evening of Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from our network. We notified regulators, governments, our staff, and the public of this information on the morning of Friday, 22 December.

St Vincent’s continues to investigate this cyber crime. Our experts are working around the clock to ascertain the contents of the data copied and stolen from us. This is a complex and highly technical activity.

Should we discover that any sensitive data has been stolen by cyber criminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process.

To date, the activities of the cyber criminals have not impacted the ability of St Vincent’s to deliver the services our patients, residents, and the broader community rely on across our hospital, aged care, and virtual and home health networks. We are managing some important network disruptions as part of our remediation works.

We thank the Australian Government, our state government partners, and our commercial and clinical partners, for their support.

We have also updated federal and state government authorities, including the Australiann Cyber Security Centre and the Office of the Australian Information Commissioner, as well as our key partners, and stakeholders.

The Australian Federal Police are engaged with the matter and St Vincent’s is fully supporting their criminal investigation.

We have established a dedicated support line 1300 124 507, as well as a dedicated email address stvincentscybersafety@svha.org.au, for anyone wishing to seek further information about this matter.

Media contact: Dexter Gillman 0439 393 196

Q&As

When did St Vincent’s first become aware that they were experiencing an incident?

On Tuesday, 19 December 2023, St Vincent’s Health Australia (SVHA) began responding to a cyber security incident.

SVHA immediately took steps to contain the incident, engaged external cyber security experts, and notified all relevant state and federal governments and the necessary agencies.

The investigation into this incident is ongoing.

Why did it take until Friday 22 December 2023 to tell the public?

St Vincent’s took immediate steps to contain the incident upon its discovery. We also engaged external security experts, notified all relevant state and federal governments and their necessary agencies.

Late on the evening of Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from our network. We notified regulators, governments, our staff, and the public of this information on Friday morning.

What steps did St Vincent’s take to understand the incident?

Our teams have worked tirelessly through the night, and into today to:

•    Implement enhanced monitoring of St Vincent’s networks and systems;

•    Deploy investigatory tools; and

•    Review system logs and telemetry.

At this time, no new activity by the threat actor has been detected inside St Vincent’s networks since early morning Wednesday, 20 December. Containment activities are still ongoing.

Do you know who might be behind this incident?

Not at this time.

Do you know if any information that may be sensitive (corporate or personal) may have been accessed?

Late on Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from a system.

St Vincent’s is working to determine what data has been removed. This is a complex and highly technical activity and we do expect it could take some time.

Do you have any evidence data has been removed from your network?

Late on Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from a system.

St Vincent’s is working to determine what data has been removed. This is a complex and highly technical activity and we do expect it could take some time.

When will SVHA be able to say what type of data was stolen?

This is a complex and highly technical investigation, and we do expect it will take some time before we know exactly what data was taken from our systems.

How will you notify patients or staff if their data has been stolen?

Should we discover that any sensitive information has been stolen by cyber criminals, we will do all that we can to contact the impacted persons to inform them of this, give them information about the steps that they can take to protect themselves and support them through that process.

Are hospital operations impacted?

At this time, our ability to deliver the frontline services that our patients, residents, governments and the broader community rely on us for, has not been impacted. We are managing some network disruptions as part of our remediation works.

What support is available?

We have established a dedicated support line 1300 124 507 and email address stvincentscybersafety@svha.org.au for anyone with additional questions about this matter.

St Vincent’s statement when issued was quite good as far as it went.  In fact, very good by Australian standards.  It was the basis for the Australian report in St Vincent’s Health still trying to work out if personal medical records stolen in cyber attack. 

While the statement provided a good overview it continues with the unfortunate usual Australian practice of not providing, even in the most general terms, the cause of the breach.  That is can give rise to criticism.  Just ask the executive s of Medibank and Optus which was a bleeding wound that took months to be only partially staunched.  While providing too much detail is not necessary and can be  poor practice in highlighting weaknesses that may be exploited with other organisations it goes too far to fail to provide some information, even in very general terms, as to how it occurred is appropriate. Withholding information can be embarrassing if the media finds out what caused the breach.  That seems to be case here as the Australian Financial Review (the “AFR”) provides details not provided by St Vincent’s Health in Read the rest of this entry »

Itgovernance has provided its annual report of annual data breaches this year.  Some of the grim statistics this year are:

Number of incidents in 2023: 1,404

Number of breached records in 2023: 5,951,612,884

Biggest data breach of 2023 so far: DarkBeam (3.8 billion breached records)

Biggest data breach in the UK: DarkBeam (3.8 billion breached records)

Integrity 360 has listed the Top Reported Cyber Security Incidents of 2023 covering much the same ground but delving into particular data breaches such as DarkBeam and UK Electoral Commission which involved personal information of 40 million people.

Webber Insurance Services provides a list of reported data breaches in Australia.  The data breaches identified in 2023 highlight the increasing number of attacks and growing magnitude.  In November alone there was a data breach at 

• Australian Clinical Labs

• NDIA
• TissuPath
• Alfred Health

The challenge in privacy and cyber security is identifying and dealing with the constantly evolving threats.  Hackers are versatile while organisations and people are less so.  The difference is successful cyber attacks with the damage they cause.  Hackers are very good readers of psychology.  They are good are taking advantage of peoples’ habits.  They have moved into using QR codes to get access.  That is clever.  Many are now accustomed to using QR codes to sign in, order or obtain goods or services. The Federal Trade Commission has issued a warning about QR Codes to steal personal information.

The media release provides:

QR codes seem to be everywhere. You may have scanned one to see the menu at a restaurant or pay for public parking. And you may have used one on your phone to get into a concert or sporting event, or to board a flight. There are countless other ways to use them, which explains their popularity. Unfortunately, scammers hide harmful links in QR codes to steal personal information. Here’s what to know. Read the rest of this entry »

It never ceases to amaze me how few businesses, and government agencies, encrypt their data. Given it is feasible the refusal to do so, particularly by organisations that collect and store masses of data is a major failure of cyber security. Apple released a report, titled The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase, in support of its push for end to end encryption.  The release provides:

The report itself makes Read the rest of this entry »

Optus may have had an annus horribilis as far as data breaches go but Telstra has had anything but a good record in terms of protecting privacy. The latest iteration is Telstra being fined by ACMA for privacy and safety breaches. It has also issued an infringement notice and entered into an enforceable undertaking.  This fine is on top of a $2.5 million fine in 2021 for breach of IPND rules.

Telstra’s media release provides:

Telstra has paid a $306,360 infringement notice issued by the Australian Communications and Media Authority (ACMA) for failing to provide accurate details of thousands of customers to the Integrated Public Number Database (IPND).

The IPND is used by Triple Zero to help locate people in an emergency, for the Emergency Alert Service to warn Australians of emergencies like flood or bushfire, and to assist law enforcement activities. Read the rest of this entry »

On November 29, 2023, the Attorney General, the Minister for Justice, and the Minister for the Prevention of Domestic and Family Violence announced that the Information Privacy and Other Legislation Amendment Act 2023 was passed by the Queensland Parliament, creating, among other things, a mandatory data breach notification scheme (MDBN Scheme).

The press release, found here,provides:

Queensland government agencies will be subject to new requirements for managing personal information, and a mandatory data breach scheme will be established, after the Information Privacy and Other Legislation Amendment Act 2023 was passed by parliament today. 

The information privacy reforms are currently expected to begin on 1 July 2025, with the commencement of the mandatory data breach notification scheme as it applies to local governments not commencing until 1 July 2026.

The legislation improves privacy protections available to individuals while the mandatory data breach notification scheme will strengthen and regulate the response to data breaches by government agencies.

It will require agencies to notify affected individuals and the Office of the Information Commissioner of eligible data breaches that could result in serious harm. Read the rest of this entry »

Government departments and agencies are notorious for sending without thinking and causing a privacy breach. Often times it is a list of individuals. The UK Information Commissioner in Charnwood Borough Council disclosed the new address of a domestic abuse victim. To her ex partner! It arose from an administrative bungle, with a letter being sent to the previous address of the victim, which she shared with her ex and at which he still resided. The ex read the letter. The UK Information Commissioner reprimanded the Council for this breach.

The ICO’s media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Charnwood Borough Council after it disclosed the new address of a domestic abuse victim to her ex-partner.

The ICO has called on other organisations to learn lessons from the incident to ensure they are not at risk of making the same mistake.

They should make sure:

• • Alerts are put on files if staff need to be especially vigilant when someone is a vulnerable service user
  • A proper process is in place for address changes
  • Data protection training is carried out, including refresher training.

In this case, the council’s process for updating addresses was not clear. A letter detailing the new address of the victim was sent to the previous address she shared with her ex-partner. The letter was later confirmed to have been opened and read by the ex-partner. Read the rest of this entry »

The Government today announced the appointment of Carly Kind as a stand alone Privacy Commissioner, effective on 26 February 2024. This is an appointment that was foreshadowed in May 2023. The Privacy Commissioner was never abolished, and is a statutory position. The Information Commissioner was created in 2010. The new Federal Government announced that it would abolish the Information Commissioner in the 2014 budget and for a time cut its funding drastically. The Information Commissioner also held the position of the Privacy Commissioner. The attempts to abolish the Privacy Commissioner ended in May 2016 and the Government increased its funding, Its funding situation has steadily improved since then. With data breaches being a high profile issue the Commissioner has received very significant funding increases. In this year’s May budget it received an extra $17.8 million for the 2023 – 24 financial year and $44.3 million to support privacy activities and another $9.2 million over two years to regulate privacy elements of Consumer Data Right, My Health Record and Digital Identity.

The timid enforcement and spotty regulation of the Privacy Act 1988 has been attributed to the inadequate  funding in the past, especially in the 2014 – 2016 period, and beyond.  That is partly true but far from the whole story.  The Privacy Commissioner then Information Commissioner was a less than optimal regulator in the period pre 2014 and after 2016.  Since it obtained civil penalty proceeding powers in 2014 it has only commenced two actions, one of which was earlier this month.  That is regrettable. 

The Attorney General’s announcement of the appointment is:

Carly Kind has been appointed as Privacy Commissioner, reinstating the standalone position abolished by the Coalition. Ms Kind brings to the Privacy Commissioner role expertise in data protection; AI policy, practice and governance; privacy; and technology law and policy.

Ms Kind has held the role of inaugural Director of the London-based Ada Lovelace Institute since 2019. Between 2015 and 2019 she was an independent consultant to a number of human rights organisations, trusts and foundations, international organisations and the private sector. She has provided advice on legal, ethical and practical issues at the intersection of technology and human rights.

Ms Kind will commence on 26 February 2024. Ms Angelene Falk, the Australian Information Commissioner, will continue as Privacy Commissioner until that time.

When the Government amends the Privacy Act, probably some time next year, the Privacy Commissioner is likely to have stronger powers. In addition to the enhanced powers given to her this year.  The test will be whether they are used and how effective such regulation is.

The UK Information Commissioner has released a media release regarding the successful prosecution of a secretary of the National Health Service for illegally accessing medial records of 150 people without authorisation. This ties in with my recent post of a pharmacist being terminated for accessing personal information. It is a fraught issue in the health industry.There is a chronic problem.  One of the many in the health industry when when it comes to privacy. 

The ICO’s media release provides:

A former NHS employee has been found guilty and fined for illegally accessing the medical records of over 150 people.

Loretta Alborghetti, from Redditch, worked as a medical secretary within the Ophthalmology department at Worcestershire Acute Hospitals NHS Trust when she illegally accessed the records.

In June 2019, a complaint was raised by a patient who was concerned that their medical records had been accessed by an employee.
An investigation revealed that Ms Alborghetti had accessed this individual’s records 33 times between March 2019 and June 2019, without consent or a business need to do so. Read the rest of this entry »