Another breach of privacy involving distribution of explicit photos of AFL players online. With a twist: some of the photos may be deepfakes

July 6, 2023

Another week, another scandal involving the AFL. This time it is not the fault of the organisation. The ABC reports in AFL investigates distribution of explicit images of past and present players online that explicit images of more than 45 players and former players have been circulated. The AFL is investigating, according to its statement AFL investigating, police aware after nude photos of ‘more than 45 players’ leaked. In addition, Victoria Police and the eSafety Commissioner have been notified. The role the AFL can play is constrained by its limited powers. Through technical experts it may, though not certainly, find the source of the photos and possibly where the photos were sent. If AFL employees or members of AFL clubs were involved it has disciplinary powers. Beyond that its powers are limited. It cannot arrest anyone, it cannot enter premises with a search warrant, and any interview has to be voluntary. The police have traditionally had a monopoly on those powers, although a number of regulators in this area have now been given some coercive powers. The eSafety Commissioner has a page on its website devoted to Image based abuse.

This type of problem is not new. As the Conversation highlights in In the 19th century, a man was busted for pasting photos of women’s heads on naked bodies … sound familiar?, creating false images to titillate or humiliate has only ever been limited by the technology and the imagination of users. Modern technology, especially the use of deep fake websites, has Read the rest of this entry »

Newly appointed cyber security tsar reports that sensitive personal and government information stolen from HWL Ebsworth has been posted on the dark web

July 5, 2023

The Australian Cyber Security Coordinator, Darren Goldie, has confirmed in a statement that the HWL Ebsworth data breach has resulted in personal information and government information being posted on the dark web. This confirms what has been known for some time. It is covered in the Australian article HWL Ebsworth hack: ‘Sensitive personal and government information’ published on dark web, Darren Goldie reveals. It is also covered by Cyber Security Connect with New national cyber security coordinator releases statement on HWL Ebsworth hack.

The information provided by the cyber tsar adds little to what is already known by those following this story. Given that BlackCat has published only 1.4 terabytes of the 4 terabytes of data stolen, there will be more uncomfortable moments for HWL Ebsworth in the coming weeks and months.

To put matters into a broader context, IT Governance has reported that in June 2023 there were 79 reported data breaches worldwide involving 14,353,113 records. It provided a brief summary of data breaches, stating:

  • Number of data breaches in June 2023: 79
  • Breached records in June 2023: 14,353,113
  • Number of data breaches in 2023: 607
  • Number of breached records in 2023: 466,078,044
  • Biggest data breach of 2023 so far: Twitter (220 million breached records)
  • Biggest data breach in the UK: JD Sports (10 million breached records)
  • Most breached sectors: Healthcare (175), education (106), public (72)

The number of records compromised in the HWL Ebsworth data breach is shrouded in secrecy. An injunction will do that. The three biggest known data breaches in June 2023, in terms of records compromised, were:

  • Oregon and Louisiana departments of motor vehicles, which involved a compromise of the data of all Louisianans with a state-issued driver’s licence, ID or car registration. The Oregon Department of Motor Vehicles estimates that data for 3.5 million driver’s licences and identity cards were compromised.
  • Genworth Financial, which was affected by the MOVEit breach, with at least 2.5 million records exposed in the attack. Also compromised was the California Public Employees’ Retirement System, with 769,000 of its members affected.
  • Wilton Reassurance, which was also affected by the MOVEit breach, which compromised the records of 1,482,490 of its members.

Read the rest of this entry »

Federal Trade Commission finalises order against Edmodo for unlawfully using children’s personal information for advertising and other purposes.

July 3, 2023

The protection of children’s privacy has been a focus of enforcement action in the United States. For good reason. There is a real problem with some companies collecting and using personal information of minors.

The Department of Justice and the Federal Trade Commission have entered into orders with Edmodo whereby Edmodo consented to a permanent injunction to prevent future violations of children’s privacy. In Edmodo’s case the claim was that it collected the personal information of children under 13 without giving any notice to the children’s parents or obtaining parental authorisation. It used this personal information to enable third parties to display targeted advertising to student users.

The press release provides:

The Department of Justice, together with the Federal Trade Commission (FTC), today announced that Edmodo, LLC (Edmodo) has agreed to a permanent injunction and a $6 million civil penalty in connection with its online educational platform, as part of a settlement to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA), the Children’s Online Privacy Protection Rule (COPPA Rule), and the Federal Trade Commission Act. The civil penalty is suspended due to Edmodo’s inability to pay.

The Edmodo educational platform, sold to schools throughout the United States, enabled teachers to interface with students, including children under 13 years old, to host virtual class spaces, conduct discussions, share materials, make assignments, and provide quizzes and grades, among other things. In a complaint filed in the U.S. District Court for the Northern District of California, the government alleges that, until approximately September 2022, Edmodo collected the personal information of children under 13, including their names, email addresses, phone numbers, device information, and IP addresses. Edmodo allegedly collected such information without providing notice to the children’s parents or obtaining parental authorization to collect such personal information, as required by the COPPA Rule, and used this personal information to enable third-parties to display targeted advertising to student users between 2018 and September 2022.

The complaint further asserts that Edmodo was retaining this personal information indefinitely. As of March 2020, Edmodo retained the personal information associated with approximately 36 million student accounts, of which only one million were actively using the platform. This indefinite retention violated COPPA’s requirement that an operator not retain personal information of children for longer than “reasonably necessary to fulfill the purpose for which [the information] was collected.”  Read the rest of this entry »

Pornhub accused of illegally collecting data from users

July 2, 2023

Even users of porn deserve their privacy. Especially users of porn. That doesn’t seem to be a viewpoint shared by Pornhub. It has been illegally collecting masses of its users’ data. There is an excellent story in Wired with Pornhub Is Being Accused of Illegal Data Collection. It has also been picked up by Mashable with Pornhub accused of abusing user data, cybernews with Pornhub accused of illegal data collection in Europe and VPN Overview with Pornhub’s Data Practices Violate EU Privacy Laws: Complaint.

The complaints are serious: inadequate consents, opacity about how it shares the data it collects, and arbitrarily assigning sexual preferences to its users without their consent.

This is not the first time that Pornhub has failed to protect its users’ privacy. The Canadian House of Commons’ Standing Committee on Access to Information, Privacy and Ethics published a report in June 2021 titled Ensuring the Protection of Privacy and Reputation on Platforms such as Pornhub.

The Wired article Read the rest of this entry »

The Australian Institute of Criminology releases report on Cybercrime in Australia 2023. Underlines what is well understood by those in the privacy and cyber security field, that the situation is bad and getting worse.

June 29, 2023

Another report stating what has long been understood by those involved with cyber security and privacy law: cybercrime is a chronic problem that is getting worse. The Report covers a broad range of cybercrimes, including online abuse and harassment, which accounted for 27% of the cybercrimes reported in the survey. The Report by the Australian Institute of Criminology makes for sobering reading. It is a comprehensive report, at 113 pages.

The harms from cybercrime are significant. That makes it all the more concerning that there is such poor education on how to recognise some forms of cybercrime, such as ransomware, fraud and cyber scams. The loss to business from data breaches puts into sharp relief the need for individuals and businesses to maintain proper cyber defences. The lax state of affairs is as much due to poor regulation and enforcement as it is to poor education.

The Abstract provides:

This is the first report in the Cybercrime in Australia series, which aims to provide a clearer picture of the extent of cybercrime victimisation, help-seeking and harms among Australian computer users. It is based on a survey of 13,887 computer users conducted in early 2023. In the 12 months prior to the survey, 27 percent of respondents had been a victim of online abuse and harassment, 22 percent had been a victim of malware, 20 percent had been a victim of identity crime and misuse, and eight percent had been a victim of fraud and scams. Overall, 47 percent of respondents experienced at least one cybercrime in the 12 months prior to the survey—and nearly half of all victims reported experiencing more than one type of cybercrime. Thirty-four percent of respondents had experienced a data breach. Cybercrime victimisation was not evenly distributed, with certain sections of the community more likely to have been a victim, and certain online activities associated with a higher likelihood of victimisation.

Most cybercrime victimisation went unreported to police or to ReportCyber, meaning official statistics significantly underestimate the size of the problem. Satisfaction with the outcomes of these reports was mixed, and relatively few reports resulted in an offender being apprehended. Rates of help-seeking varied and were influenced by the perceived seriousness of cybercrime and knowledge of how and where to report it.

The financial losses experienced by victims were wide ranging. Some victims reported losing large sums of money, but most victims reported relatively small financial losses. This report measures, for the first time, the harms experienced by individual victims and small businesses that extend beyond these financial costs. Twenty-five percent of respondents were negatively impacted by cybercrime in the 12 months prior to the survey, while 22 percent of respondents who owned or operated a small to medium business said their business was negatively impacted by cybercrime.

The Scope of the report was described in these Read the rest of this entry »

Federal Government appoints inaugural National Cyber Security Coordinator

June 28, 2023

In the 1980s it was fashionable in the United States Federal Government to create tsars. The term signified that they were doing something important and had enhanced powers. There were drug tsars and education tsars. The terminology was a bit unfortunate. Tsars historically had a habit of coming unstuck in horrible ways. Nothing like that happened in America, but not much was done either. Australia is not nearly so grandiose. In Australia the tradition is to appoint directors or coordinators. In that tradition the Government has announced the appointment of Air Marshal Darren Goldie AM CSC as the inaugural National Cyber Security Coordinator. The position is administrative. It is probably a good idea; however, the real need for improvement in cyber security is at the ground level, with organisations and agencies applying fit for purpose programs, keeping them up to date and training staff to avoid making the mistakes that lead to a data breach. Not nearly enough of that is being done.

The media release Read the rest of this entry »

Medibank Private’s woes continue from its data breach. APRA takes action against it requiring an increase in its capital adequacy of $250 million

June 27, 2023

The consequences of a major data breach are rarely minor or quickly resolved. The cost of remediation is almost always significant. Litigation is a common offshoot. Medibank is facing a significant class action suit. Finally, there is usually more than one regulator that can take action. In this case the Australian Prudential Regulation Authority (APRA) has taken action against Medibank, forcing it to increase its capital adequacy requirement by $250 million.

The APRA statement Read the rest of this entry »

Privacy Act Review Report; Chapter 10: Privacy Notices and Notifications under APP 5.2. An analysis and review. Some adjustment but mostly steady as she goes

June 25, 2023

Chapter 10 of the Attorney General’s Privacy Act Review Report considers the operation of Privacy Policies and Notice obligations when collecting personal information.

A Privacy Policy is a critically important document for compliance under the Privacy Act 1988. Privacy policies are part of most privacy legislation across most jurisdictions. They serve the important function of informing people how their personal information will be handled. That doesn’t mean they are free of controversy. Privacy policies are commonly criticised for being unduly complicated, very long and often a model of opacity rather than transparency. Some organisations have excellent policies designed to provide useful information. Others are a mass of legalese that defies easy understanding.

Australian Privacy Principle (“APP”) 1 requires:

  • entities to maintain a ‘clearly expressed’ and ‘up-to-date’ privacy policy that addresses the matters listed in APP 1.4.
  • per the APP Guidelines, a ‘clearly expressed’ privacy policy should be:
    • ‘easy to understand (avoiding jargon, legalistic and in-house terms),
    • easy to navigate,
    • only include information that is relevant to the management of personal information by the entity’.
  • an APP entity to regularly review and update its privacy policy to ensure that it reflects the entity’s information handling practices.
  • an APP entity to take such steps as are reasonable in the circumstances to make its privacy policy available:
    • free of charge and
    • ‘in such form as is appropriate.’
  • that where an individual requests a privacy policy in a particular form, the APP entity must take reasonable steps to accommodate that request.
  • APP entities to make a privacy policy available by publication on a website.
  • where it is foreseeable that the privacy policy may be accessed by individuals with accessibility needs, or where individuals request a copy of the privacy policy in an accessible form, appropriate accessibility measures should be put in place.

APP 5 requires Read the rest of this entry »

World Economic Forum releases guidelines for procurement of AI solutions by the private sector

June 23, 2023

The World Economic Forum has released Adopting AI Responsibly: Guidelines for Procurement of AI Solutions by the Private Sector. It has also launched the AI Governance Alliance for Responsible Generative AI. The Guidelines are part of a growing set of guidelines and rules. The US President released a Blueprint for an AI Bill of Rights in October last year. That is a long way from government regulation.

At this stage the talk is greater than the action. The US President met with tech leaders a few days ago and raised concerns about the risks posed by AI to security and the economy, amongst other areas. Even though Europe has taken strong initial steps and is ahead of the United States, no jurisdiction has complete fit for purpose Read the rest of this entry »

The European Agency for Cybersecurity releases its good practices for supply chain cyber security

June 20, 2023

The EU is far ahead of Australia in regulating privacy and cyber security, through both the GDPR and its rules and guidance for good cyber security practices. The United States is well served by the publications of the National Institute of Standards and Technology.

The European Union Agency for Cybersecurity has released Good Practices for Supply Chain Cybersecurity. It is a long and complex document but particularly relevant given the spate of data breaches in Australia. It is relevant to note that the document makes regular reference to NIST guidance. I regularly post on NIST guidance.

Some of the findings included:
  • between 39% and 62% of organisations were affected by a third-party cyber incident.
  • supply chain compromises were the second most prevalent initial infection vector identified in 2021 and accounted for 17% of intrusions.
  • in 66% of the supply chain attacks in 2021, the suppliers did not know, or were not transparent about, how they were compromised.
  • around 62% of the attacks on customers took advantage of their trust in their supplier. In 62% of the cases, malware was the attack technique employed. When considering targeted assets, in 66% of the incidents attackers focused on the suppliers’ code in order to further compromise targeted customers.
  • 86% of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies.
  • 47% allocate budget for ICT/OT supply chain cybersecurity.
  • 76% do not have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
  • 61% require security certification from suppliers, 43% use security rating services and 37% demonstrate due diligence or risk assessments. Only 9% of the surveyed organisations indicate that they do not evaluate their supply chain security risks in any way.
  • 52% have a rigid patching policy, in which only 0 to 20% of their assets are not covered. On the other hand, 13.5% have no visibility over the patching of 50% or more of their information assets.
  • 46% patch critical vulnerabilities within less than 1 month, while another 46% patch critical vulnerabilities within 6 months or less.
  • only 24% of the surveyed organisations have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity.
  • 59% of the surveyed organisations that have TRM policies in place also have a dedicated budget or budget line for supply chain security.
  • regarding cybersecurity risk mitigation techniques:
    • 61% of the surveyed organisations preferred security certificates,
    • 43% preferred security risk rating services,
    • 37% used due diligence or risk assessments,
    • 9% did not evaluate their supply chain security risks in any way.
The Report summarised the situation as:
  1. Although organisations understand the significance of supply chain security, they do not allocate the necessary resources for ICT/OT supply chain cybersecurity.
  2. Even when they invest in ICT/OT supply chain cybersecurity projects, the majority do it without clear governance corporate structures which ideally should take into account the costs and benefits of implementing ICT/OT supply chain cybersecurity practices and controls.
  3. Organisations with formalised ICT/OT supply chain cybersecurity corporate procedures are the minority of the surveyed sample.
  4. Banking is the sector with the most established ICT/OT supply chain cybersecurity policies and dedicated budget and FTEs.
  5. Classification of a supply chain incident as such is cumbersome due to the lack of concrete criteria.
  6. Certifications are the most preferred way for organisations to follow suppliers’ cybersecurity practices; however, they are accompanied by high costs, especially for non-cybersecurity relevant vendors.
  7. The surveyed organisations agree that common cybersecurity requirements for products and services would be beneficial for the market.
  8. There is room to improve the visibility of the organisations over their information assets.
  9. The majority of surveyed organisations do not have a vulnerability management system which covers all organisational assets.
  10. Vulnerability management and testing of products contribute to better ICT/OT supply chain cybersecurity posture.
Supply chain cybersecurity is enhanced Read the rest of this entry »