Federal Trade Commission fines EPIC $275 million for privacy violations and requires it to refund customers another $245 million for tricking users

December 22, 2022

The Federal Trade Commission (the “FTC”) has its detractors who say it is not assertive enough.  Compared to the Australian Information Commissioner it is frenetic and hyper aggressive.  In a field where the breaches are many, most regulators are subject to criticism for not doing enough.  But when the FTC takes action against a company the impact is considerable and painful for the malefactor. Witness the agreement the FTC made with EPIC for its violation of the Children’s Online Privacy Protection Act.

EPIC has been fined $275 million for collecting personal information from children under the age of 13 without parental consent.  It also enabled those children to have access to voice and text chats by default, a practice that could put them into contact with strangers.

As is usually the way, the media coverage has been negative for EPIC, with headlines such as Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy and Fortnite game maker will pay $520M to settle FTC allegations.

The statement of the FTC provides:

The FTC’s $275 million proposed settlement with Epic Games, owner of Fortnite, alleges the company violated the law by collecting personal information from kids under 13 without parental consent and by enabling voice and text chat by default – an unfair practice that put kids and teens in risky contact with strangers. But to borrow a phrase from advertisers, “But wait! There’s more!” Much, much more in the form of a separate $245 million proposed settlement with Epic Games for using digital dark patterns to bill Fortnite players for unintentional in-game purchases.

How much money can a company take in by selling virtual costumes, dance moves, and piñatas shaped like llamas? It won’t surprise Fortnite fans to hear that the answer is billions, especially when, as the FTC alleges, Epic used a host of digital design tricks – dark patterns – to charge consumers for virtual merchandise without their express informed consent. What’s more, the FTC says when people disputed unauthorized charges with their credit card company, Epic locked their accounts, depriving them of access to content they had already paid for. The proposed FTC consent order is the agency’s largest administrative settlement to date. Continue reading for some insightful – and instructive – quotes from consumers and employees who didn’t hold back about their opinions of Epic’s tactics.

For the technological Rip Van Winkles among us, Fortnite is a hit video game with more than 400 million registered users, many of whom are kids. Although people can play the basic version for free, Epic charges for in-game purchases designed to enhance game play. The FTC alleges that with millions of consumers’ credit cards conveniently in hand, Epic failed to adequately explain its billing practices to customers and designed its interface in ways that led to unauthorized charges. You’ll want to read the complaint for details, but here are a few of the dark patterns the company allegedly used.

According to the complaint, Epic set up its payment system so that it saved by default the credit card that was associated with the account. That meant that kids could buy V-Bucks – the virtual currency necessary to make in-game purchases – with the simple press of a button. No separate cardholder consent was required. And although the currency was imaginary, the charges Epic packed on to Mom or Dad’s credit card were very real. What did parents and users have to say about Epic’s methods? Here are some examples:

    • “Hello Epic Games, The charges associated with this account were made without my authorization. This account is associated with my 10 year old son’s account and I am really disappointed that there is no check and balances that alerted me of these charges, and a 10 year old can purchase coins worth almost $500 so easily.”
    • “Epic Games is swindling parents with unauthorized game purchases, tricking young consumers & using shady practices for billing. I authorized a 1-time Epic Games purchase for my 11 yr-old son, only to discover EG did NOT erase my credit card info, & thus my son has been making unauthorized purchases, racking up $140 in less than 8 days after the initial authorized purchase.”

Epic’s own Fraud and Risk Consultant expressed similar concerns internally and recommended that the company require account holders to confirm their CVV numbers before charging the card on file: “This is standard / best practice and it prevents kids from using mom’s credit card without her permission[.]” However, by the time Epic finally took that advice, the company had already billed account holders for millions of V-Bucks transactions – many of which were unauthorized, according to the FTC.
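The two billing practices the FTC statement describes, a card saved by default that any press of the buy button charges, and the consultant's recommended control of confirming the CVV before charging the card on file, can be modelled as an authorisation policy. The following is an added example and is not Epic's code or anything from the FTC complaint; the account, card token and CVV values are constructed, and the issuer lookup is a stand-in for a payment processor (the merchant never stores the CVV; it is sent with each charge for the issuer to check).

```python
"""Stored-card purchase authorisation: the alleged default-save pattern beside a hardened flow.

Added illustration only; not Epic Games' code. Tokens, CVVs and ages are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed stand-in for the card issuer / processor. The merchant does not keep
# the CVV (PCI DSS forbids storing it); it forwards the value the purchaser re-enters.
_ISSUER_CVV = {"tok_card_1234": "123"}


def issuer_verify_cvv(card_token: str, cvv: str) -> bool:
    expected = _ISSUER_CVV.get(card_token)
    return expected is not None and hmac.compare_digest(expected, cvv)


@dataclass
class Account:
    holder_age: int
    card_token: Optional[str] = None       # processor token for the card on file
    card_saved_with_consent: bool = False  # did the cardholder opt in to storage?


@dataclass
class PurchaseRequest:
    amount_cents: int
    cardholder_confirmed: bool = False     # explicit "charge this card" step at checkout
    cvv: Optional[str] = None              # CVV re-entered at checkout, never stored
    parent_approved: bool = False          # separate approval for a child's account


def save_card(account: Account, token: str, consented: bool, opt_in_required: bool) -> None:
    """Default-save keeps the card regardless of consent; opt-in stores it only if consented."""
    if opt_in_required and not consented:
        return
    account.card_token = token
    account.card_saved_with_consent = consented


def default_save_policy(account: Account, req: PurchaseRequest) -> str:
    """The alleged pattern: any press of the buy button charges the card on file."""
    if account.card_token is None:
        return "declined: no card on file"
    return "charged"


def hardened_policy(account: Account, req: PurchaseRequest) -> str:
    """Each charge needs a card stored with consent, an explicit confirmation,
    a fresh CVV check by the issuer and, for under-13 accounts, parental approval."""
    if account.card_token is None:
        return "declined: no card on file"
    if not account.card_saved_with_consent:
        return "declined: card stored without consent"
    if not req.cardholder_confirmed:
        return "declined: cardholder confirmation missing"
    if req.cvv is None or not issuer_verify_cvv(account.card_token, req.cvv):
        return "declined: cvv check failed"
    if account.holder_age < 13 and not req.parent_approved:
        return "declined: parental approval required"
    return "charged"


def run_scenarios() -> dict:
    """A 10-year-old's account and a $499 purchase under both policies (constructed)."""
    results = {}
    child = Account(holder_age=10)
    # Card silently kept after the parent's first purchase, then a one-click buy.
    save_card(child, "tok_card_1234", consented=False, opt_in_required=False)
    results["default_one_click"] = default_save_policy(child, PurchaseRequest(49900))

    child = Account(holder_age=10)
    save_card(child, "tok_card_1234", consented=False, opt_in_required=True)  # parent never opted in
    results["hardened_not_saved"] = hardened_policy(child, PurchaseRequest(49900))

    save_card(child, "tok_card_1234", consented=True, opt_in_required=True)   # parent opts in once
    results["hardened_one_click"] = hardened_policy(child, PurchaseRequest(49900))
    results["hardened_wrong_cvv"] = hardened_policy(
        child, PurchaseRequest(49900, cardholder_confirmed=True, cvv="999", parent_approved=True))
    results["hardened_no_parent"] = hardened_policy(
        child, PurchaseRequest(49900, cardholder_confirmed=True, cvv="123"))
    results["hardened_approved"] = hardened_policy(
        child, PurchaseRequest(49900, cardholder_confirmed=True, cvv="123", parent_approved=True))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the contrast is that under the default-save policy the only check is whether a card exists, so a child's button press and a cardholder's deliberate purchase are indistinguishable; the hardened policy makes every charge carry evidence of the cardholder's involvement at the time of the charge.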

Attorney General receives the review of the Privacy Act by the Attorney General’s Department after three long years.

December 21, 2022

The reviews, and there have been many, of the Privacy Act 1988 have been a lesson in what not to do when reviewing legislation.  The Federal Government’s response to the 2008 Australian Law Reform Commission Report was modest, selective, incomplete and largely a failure of public policy.  The amendments to the Act, which took effect in 2014, did not go very far.  The Government commissioned yet another review in 2013, which reported in 2014 and did not materially advance the findings contained in the 2008 Report.  The Government did not accept the recommendations but rather, in 2019, commenced yet another review, this time by the Attorney General’s Department.

Innovation AU, in Privacy Act Review complete after three years, reports that the Attorney General has the product of the Review.  It appears that the Government is on track to release the Report with a view to amending the Privacy Act some time in 2023.

The article

Data breaches come in all shapes and sizes as Telstra’s addition to the hall of infamy reveals. Telstra reveals personal information onto the web through its own technical error

December 13, 2022

Not all data breaches involve criminal acts by hackers breaking into a network and exfiltrating data.  Sometimes an organisation will reveal data through its own actions.  Telstra has suffered a data breach impacting 132,000 customers.  The breach involved a technical error resulting in it making personal information available online.  Telstra describes it as a misalignment of databases.  Technical errors of this nature are not inevitable.  Poor planning by IT is a common reason, focusing on the end result rather than the protections needed on the way through.

On 31 March 2020, the Federal Court of Australia made publicly available the names and details of several hundred people with cases currently or previously in the Court and the Federal Circuit Court (FCC) through the Commonwealth Courts Portal.  Anyone visiting the Portal could have accessed the names and details of a person seeking asylum and information about their claim.  The data breach was caused by an internal IT error.  The Federal Court should have been investigated by the Information Commissioner.  To its credit it did commission a review by Professor John McMillan in August 2020 which resulted in a 38 page report which was, not unusually for the Australian public service, a mix of polite tut-tutting, gentle patting on the back for the work done and anodyne recommendations for improvement.  If the breach had happened in the United States the landing would have been much bumpier.  The Federal Court does have a publicly available data breach response plan.  It is fairly bare-boned.  One would expect a much more detailed plan to be available within the organisation.

Telstra is something of a frequent flier in the data breach world, with a data breach in October 2022 (Australia’s Telstra hit by data breach, two weeks after attack on Optus), in May 2021 (Telstra service provider hit by cyber attack as hackers claim SIM card information stolen), in July 2018 (Telstra customer stumbles across contact details of 66,000 fellow customers), in 2018 (Medical records exposed by flaw in Telstra Health’s Argus software) and in Telstra privacy breach leaves customer’s voicemail exposed, amongst other matters.  If Telstra was operating in the United Kingdom or United States the regulators would take very strong and very public action.

The ABC has run a reasonably detailed story

National Institute of Standards and Technology releases Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management: Enhancing Internet Protocol-Based IoT Device and Network Security

The National Institute of Standards and Technology (“NIST”) released a preliminary public draft of NIST SP 1800-36A: Executive Summary, Enhancing Internet Protocol-Based IoT Device and Network Security.  For a change, and pleasantly for those overwhelmed by documentation, it is quite brief.

NIST provides excellent guidance on technical issues associated with privacy and data security.  While compliance with the publications is not officially required, they are hugely influential and far superior to the broad guidance released by privacy regulators in Australia and New Zealand, and probably even more effective than the comprehensive and detailed guidance documents of the United Kingdom’s Information Commissioner.

Given that privacy regulation has already been strengthened this year and will be overhauled next year, it is important that organisations pay heed to relevant publications produced by NIST.  Complying with these guidelines would assist an organisation if there is a breach and the Information Commissioner starts investigating, which she now has greater powers to do, as well as now having the power to impose fines.  The overseas experience is that poor compliance on general aspects of data handling commonly causes an organisation as many difficulties with regulators as the data breach which attracted the regulator’s attention.

The abstract provides:

Providing devices with the credentials and policy needed to join a network is a process known as network-layer onboarding. Establishing trust between a network and an IoT device prior to such onboarding is crucial for mitigating the risk of potential attacks. There are two sides of this attack: one is where a device is convinced to join an unauthorized network, which would take control of the device. The other side is where a network is infiltrated by a malicious device. Trust is achieved by attesting and verifying the identity and posture of the device and the network as part of the network-layer onboarding process. Additional safeguards, such as verifying the security posture of the device before other operations occur, can be performed throughout the device lifecycle. In this practice guide, the National Cybersecurity Center of Excellence (NCCoE) applies standards, recommended practices, and commercially available technology to demonstrate various mechanisms for trusted network-layer onboarding of IoT devices. We show how to provide network credentials to IoT devices in a trusted manner and maintain a secure posture throughout the device lifecycle.
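The abstract's two attack directions (a device talked into joining an unauthorised network, and an unauthorised or poorly postured device joining a legitimate network) come down to each side proving something to the other before any network credential changes hands. The simulation below is an added example, not NCCoE or NIST code and not a real onboarding protocol: it stands in a per-device bootstrap secret and HMAC challenge-response for the certificate-based mechanisms the practice guide demonstrates, and the device IDs, secrets, firmware hashes and the "credential" it issues are all constructed.

```python
"""Mutual authentication and a posture check before network-layer onboarding.

Added illustration only; not NCCoE/NIST code. A manufacturer-provisioned
bootstrap secret per device is registered with the network owner's onboarding
service; HMAC replaces the asymmetric credentials a real protocol would use.
"""
import hashlib
import hmac
import os


def _mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC over a role tag, device id and both nonces (constructed transcript format)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class OnboardingService:
    """Network owner's onboarding server: registry of device bootstrap secrets
    plus an allow-list of acceptable firmware hashes (the posture check)."""

    def __init__(self, registry: dict, approved_firmware: set):
        self.registry = registry
        self.approved_firmware = approved_firmware
        self.issued = {}

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify_device(self, device_id, net_nonce, dev_nonce, proof, firmware_hash):
        key = self.registry.get(device_id)
        if key is None:
            return None                                   # unknown device: refuse
        if not hmac.compare_digest(_mac(key, b"device", device_id, net_nonce, dev_nonce), proof):
            return None                                   # id claimed without the secret
        if firmware_hash not in self.approved_firmware:
            return None                                   # posture not acceptable
        # Prove to the device that this network holds its registered secret.
        net_proof = _mac(key, b"network", device_id, dev_nonce, net_nonce)
        credential = os.urandom(32)   # constructed placeholder for a per-device network key
        self.issued[device_id] = credential
        return net_proof, credential


class RogueNetwork(OnboardingService):
    """Impostor network: accepts any device and forges the network proof with a guessed key."""

    def verify_device(self, device_id, net_nonce, dev_nonce, proof, firmware_hash):
        guessed = b"not-the-real-secret"
        return _mac(guessed, b"network", device_id, dev_nonce, net_nonce), os.urandom(32)


class Device:
    def __init__(self, device_id: bytes, bootstrap_secret: bytes, firmware_hash: str):
        self.device_id = device_id
        self.secret = bootstrap_secret
        self.firmware_hash = firmware_hash
        self.network_credential = None

    def respond(self, net_nonce: bytes):
        dev_nonce = os.urandom(16)
        return dev_nonce, _mac(self.secret, b"device", self.device_id, net_nonce, dev_nonce)

    def accept_network(self, net_nonce: bytes, dev_nonce: bytes, net_proof: bytes) -> bool:
        expected = _mac(self.secret, b"network", self.device_id, dev_nonce, net_nonce)
        return hmac.compare_digest(expected, net_proof)


def onboard(device: Device, service: OnboardingService) -> str:
    """One onboarding attempt; the device only stores a credential after both checks pass."""
    net_nonce = service.challenge()
    dev_nonce, proof = device.respond(net_nonce)
    result = service.verify_device(device.device_id, net_nonce, dev_nonce, proof, device.firmware_hash)
    if result is None:
        return "network rejected device"
    net_proof, credential = result
    if not device.accept_network(net_nonce, dev_nonce, net_proof):
        return "device rejected network"
    device.network_credential = credential
    return "onboarded"


GOOD_FW = hashlib.sha256(b"firmware-v1").hexdigest()   # constructed approved build
OLD_FW = hashlib.sha256(b"firmware-v0").hexdigest()    # constructed superseded build
SECRET = b"constructed-bootstrap-secret-for-sensor-01"


def run_scenarios() -> dict:
    good_net = OnboardingService({b"sensor-01": SECRET}, {GOOD_FW})
    return {
        "trusted": onboard(Device(b"sensor-01", SECRET, GOOD_FW), good_net),
        "rogue_device": onboard(Device(b"sensor-99", b"some-other-secret", GOOD_FW), good_net),
        "cloned_id": onboard(Device(b"sensor-01", b"wrong-secret", GOOD_FW), good_net),
        "stale_firmware": onboard(Device(b"sensor-01", SECRET, OLD_FW), good_net),
        "rogue_network": onboard(Device(b"sensor-01", SECRET, GOOD_FW), RogueNetwork({}, set())),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The ordering matters: the network's proof is only computed after the device has been authenticated and its firmware checked, and the device only keeps the credential after the network's proof verifies, so a rogue network cannot hand a device credentials it will act on, and an unregistered, cloned or stale device never receives any.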

Some of the interesting issues raised by the guidance

Medibank shuts all branches and goes offline from tomorrow night until Sunday to work on cyber security …the cost of the data breach rises

December 8, 2022

The woes of Medibank continue, with it going offline this weekend to revamp/enhance/add data security.  It has put the best spin on it with its media release Medibank to undertake ‘Operation Safeguard’ at the weekend.  What few organisations really appreciate is the very heavy financial cost of dealing with a data breach.  The expense of bringing in experts to manage the immediate crisis becomes a costly exercise in determining the extent of the damage, then staff or consultants to liaise with media and government.  The costs continue with offering support to affected clients/customers/patients and then revamping an organisation’s security network, which is where Medibank finds itself.  Medibank also has to deal with an investigation by the Information Commissioner and a possible class action.

The media release

To disclose or not disclose a data breach…UK companies fear reporting while a Brooklyn Hospital suffers a backlash because it did not notify about a data breach

December 7, 2022

In Australia under Part IIIC of the Privacy Act 1988 organisations covered by the Privacy Act and Commonwealth Government agencies are required to notify of a data breach in certain circumstances, what is known as an eligible data breach.  It is effectively a self assessment, though there are consequences if there is no notification when there should have been one.  It is a regime that has been justifiably criticised in the wake of the Optus and Medibank data breaches.  The recent amendments to the regime improve rather than fix its operation.

It is an open secret that there is significant under reporting of data breaches in the United States, United Kingdom and Australia.

In UK Companies Fear Reporting Cyber Incidents, Parliament Told, Data Breach Today reports that there may be a deep reluctance to report breaches to the UK Information Commissioner.  There is mandatory data breach notification in the United Kingdom and affected entities are supposed to report within 72 hours of becoming aware of the breach.  This reluctance to report can and often does backfire, as the story Brooklyn Hospitals Decried for Silence on Cyber Incident shows.  In that case Brooklyn Hospitals were hit with a ransomware attack on 19 November which necessitated transferring patients to other hospitals.  The lack of explanation caused annoyance, at a minimum, for other hospitals as well as the patients affected.  This poor practice results in even closer scrutiny by regulators.

The reluctance of UK entities to report a data breach because of additional scrutiny from the Information Commissioner remains poor practice.  It is almost trite to say that organisations that suffer data breaches almost invariably had privacy and data security as a low priority, which translated into inadequate training and data handling practices.  When regulators respond to a notification they often find a litany of other issues.  Sometimes those are the issues that cause the organisations the greater difficulty.  A common problem is data collection.  Many organisations hold onto personal information long after they have any need for it.  Names of long departed or deceased customers/patients, details of people who have unsubscribed from a service and solicited information are commonly held.  Because the cost of storage is relatively inexpensive and data held digitally does not take up physical space, it is not inconvenient to hold that data for whatever reason.

As Medlab discovered once

Information Commissioner announces investigation into Medlab over data breach

December 5, 2022

On 27 October 2022 Medlab Pathology announced that it had experienced a cyber attack in February 2022.  The timing is interesting given that Optus notified customers in September about its breach and in October further notifications and advice were provided.  Coincidence?  It is very curious.

In its statement Medlab doesn’t say when the breach was first detected; however, it confirms that the ACSC contacted Medlab in June when it detected data that had been published on the dark web.  Its explanation as to why it did not notify customers until 27 October is general and convoluted to the point of being disingenuous.  It says that it took several months to download and analyse “what information was and who it belonged to.”  That is far from best practice and would attract the ire of regulators in England and the European Union.  Medlab’s statement is not good.  It begs many more questions than it answers.  Perhaps it is the best that could be done given the way Medlab handled the breach.

Subsequent to the October announcement there were reports stating that the cyber attack affected 223,000 Australians and:

  • 17,539 individual medical and health records associated with a pathology test;
  • 28,286 credit card numbers and individuals’ names. Of these records, ~15,724 have expired and ~3,375 have a CVV code; and
  • 128,608 Medicare numbers (not copies of cards) and an individual’s name.

The Office of the Information Commissioner undertook preliminary enquiries, which is entirely understandable given the size of the breach, the apparent delay in notification and the sensitivity of the personal information lost.  Those enquiries have led to today’s announcement that it would open a formal investigation.  That is hardly surprising.

Under the legislation an affected organisation has 30 days to notify the Commissioner and clients if there has been a notifiable data breach.  It is critically important to respond efficiently to a data breach.  That means having a plan in place before suffering one.  Trying to understand the law, undertake remediation efforts and continue to run the business all at the time of the data breach is a recipe for poorly thought through actions, missteps and poor outcomes, possibly ending up with the regulator investigating.

This may be a very influential investigation in setting parameters as to what reasonable steps to investigate a data breach and to notify customers look like.  A complicating factor is the likelihood that the data breach notification regime will be overhauled.  It may still be an influential investigation if the Commissioner sets down principles in a determination, or the court may provide judicial guidance on what reasonable steps constitute

32 million records compromised in 95 security incidents in November 2022

December 4, 2022

IT Governance reports that in November there were 95 breaches resulting in 32,051,144 records being affected.  What is significant is that almost half of the records affected came from two data breaches, Whoosh and Twitter.

The report provides:

Welcome to our November 2022 review of data breaches and cyber attacks. We identified 95 security incidents throughout the month, accounting for 32,051,144 breached records.

Almost half of that figure comes from two incidents. The first was a data breach at Twitter, in the latest PR disaster for the social media giant. Reports emerged late last week that user records were stolen using an API vulnerability that has since been fixed.

The second was a cyber attack on the Russian scooter-sharing service Whoosh, which was discovered after customers’ data was put up for sale on the dark web.

As always, you can find the full list of data breaches and cyber attacks below, divided into their respective categories.

Meanwhile, be sure to subscribe to our Weekly Round-up to receive the latest cyber security news and advice delivered straight to your inbox.

Some of the significant data breaches

Medibank’s woes continue….with a further document dump and formal announcement that the Information Commissioner has opened an investigation into the data breach. A salutary warning to organisations to keep data secure to start with.

The core advice given by privacy lawyers is that organisations should put the time, effort and coin into having proper software, systems and training to minimise the chance of a data breach rather than spending multiples of that time, effort and money in cleaning up after a data breach.  The Medibank data breach highlights the correctness of that approach.  Medibank is suffering multiple wounds from the hackers who stole the personal information of millions of its customers.  The latest assault is the release of a significant volume of data onto the dark web.

The Medibank press release provides:

We are aware that stolen Medibank customer data has been released on the dark web overnight.

We are in the process of analysing the data, but the data released appears to be the data we believed the criminal stole.

Unfortunately, we expected the criminal to continue to release files on the dark web.

While our investigation continues there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analysed today so far is incomplete and hard to understand.

Medibank CEO David Koczkar said while there are media reports of this being a signal of ‘case closed’, our work is not over.

“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.

“We will continue to support all people who have been impacted by this crime through our Cyber Response Support Program. This includes mental health and wellbeing support, identity protection and financial hardship measures.

“If customers are concerned, they should reach out for support from our cybercrime hotline, our mental health support line, Beyond Blue, Lifeline or their GP.

“Anyone who downloads this data from the dark web, which is more complicated than searching for information in a public internet forum and attempts to profit from it is committing a crime.

“The Australian Federal Police have said law enforcement will take swift action against anyone attempting to benefit, exploit or commit criminal offenses using stolen Medibank customer data. We continue to work closely with the Australian Federal Police who are focused, as part of Operation Guardian, on preventing the criminal misuse of this data.

“Again, I unreservedly apologise to our customers.

“We remain committed to fully and transparently communicating with customers and we will continue to contact customers whose data has been released on the dark web,” Mr Koczkar said.

Our customers can also contact us to understand what data has been accessed – we’ve extended call centre hours and we’ve increased our customer support team by more than 300 people. In addition, from this week, we’re taking extra security steps to further protect our customers – with two-factor authentication in our contact centres. So, when a customer calls for support, we can verify their identity and be sure we’re speaking with them and not someone else.

Data released on the dark web today

We are conducting further analysis on the files today and at this stage believe:

    • There are 6 zipped files in a folder called ‘full’ containing the raw data that we believed the criminal stole
    • Much of the data is incomplete and hard to understand
    • For example, health claims data released today has not been joined with customer name and contact details

Given the sensitive nature of the stolen customer data that is being released on the dark web we continue to ask the media and others to support our ongoing efforts to minimise harm to customers, and not to unnecessarily download sensitive personal data from the dark web and to refrain from contacting customers directly.

Supporting our customers

Our dedicated Cyber Response Support Program for our customers includes:
• A cybercrime health & wellbeing line (1800 644 325) – counsellors that have experience supporting vulnerable people (such as those at risk of domestic violence) and have been trained to support victims of crime and issues related to sensitive health information
• Mental health outreach service – proactive support service for customers identified as being vulnerable, or through referral from our contact centre team
• Better Minds App – new tailored preventative health advice and resources specific to cybercrime and its impact on mental health and wellbeing, including tools for managing anxiety and fear, with additional phone based psychological support available
• Personal duress alarms – for customers particularly vulnerable and/or with safety risks
• Hardship support for customers who are in a uniquely vulnerable position as a result of this crime which can be accessed via our contact centre team (13 23 31 for Medibank and international customers, 13 42 46 for ahm customers and 1800 081 245 for My Home Hospital patients)
• Specialist identity protection advice and resources through IDCARE’s purpose-built Medibank page
• Free identity monitoring services for customers whose identity has been compromised as a result of this crime
• Reimbursement of ID replacement fees for customers who need to replace any identity documents that have been compromised as a result of this crime
• Specialised teams to help our customers who receive scam communications or threats

Reach out for support

We understand this crime will be distressing for many of our customers.

Customers should reach out for support if they need it from:
• Medibank’s Mental Health Support line on 1800 644 325 (Medibank international students call 1800 887 283 and ahm international students call 1800 006 745)
• Beyond Blue (1300 224 636 / beyondblue.org.au)
• Lifeline (13 11 14 / lifeline.org.au)
• Their GP or other relevant health professional

Remaining vigilant

Medibank recommends being vigilant with all online communications and transactions including:
• Being alert for any phishing scams via phone, post or email
• Verifying any communications received to ensure they are legitimate
• Not opening texts from unknown or suspicious numbers
• Changing passwords regularly with ‘strong’ passwords, not re-using passwords and activating multi-factor authentications on any online accounts where available
• Medibank will never contact customers asking for password or sensitive information

If you are contacted by someone who claims to have your data, or you are a victim of cybercrime, you can report it at ReportCyber on the Australian Cyber Security Centre website. To report a scam, go to ScamWatch. If you believe you are at physical risk, please call emergency services (000) immediately.

Customer data we currently believe the criminal has stolen

• The name, date of birth, address, phone number and email address for around 9.7 million current and former customers and some of their authorised representatives. This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers
• Medicare numbers (but not expiry dates) for ahm customers
• Passport numbers (but not expiry dates) and visa details for international student customers
• Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. This includes service provider name and location, where customers received certain medical services, and codes associated with diagnosis and procedures administered. Additionally, around 5,200 My Home Hospital (MHH) patients have had some personal and health claims data accessed and around 2,900 next of kin of these patients have had some contact details accessed
• Health provider details, including names, provider numbers and addresses

Based on our investigations to date, we currently believe the criminal:
• Did not access primary identity documents, such as drivers’ licences, for Medibank and ahm resident customers. Medibank does not collect primary identity documents for resident customers except in exceptional circumstances
• Did not access health claims data for extras services (such as dental, physio, optical and psychology)
• Did not access credit card and banking details


Ireland’s Data Protection Commission imposes a fine of 265 million Euros on Meta Platforms Ireland following its enquiry into allegations of data scraping

November 30, 2022

The Irish Data Protection Commission commenced an inquiry on 14 April 2021 arising from discovery that there was a collated dataset of Facebook personal data available on the internet.

The media release provides as follows:

The Data Protection Commission (DPC) has today announced the conclusion to an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network, imposing a fine of €265 million and a range of corrective measures.

The DPC commenced this inquiry on 14 April 2021, on foot of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (‘MPIL’) during the period between 25 May 2018 and September 2019. The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default.  The DPC examined the implementation of technical and organisational measures pursuant to Article 25 GDPR (which deals with this concept).

There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.

The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe. In addition, the decision has imposed administrative fines totalling €265 million on MPIL.