Government exposes ransomware gang and threatens action, announces task force and mulls making payment of ransoms to ransomware gangs illegal

November 13, 2022

There are two particular frustrations in working in the cybersecurity sphere and writing on it: reading about “developments” that have been known about for years, and the kabuki theatre that governments and agencies engage in, such as claiming to hunt down hackers, which distracts from the more relevant but mundane work of getting organisations and governments to develop and maintain proper data security. The vast majority of data breaches can be traced to some form of human error or another.

Both are present in the response to the Medibank data breach.

The Government announced that it had uncovered the identity of the hackers. The group has been identified as REvil, which operates in the Russian Federation with the full but deniable knowledge of its government. This is hardly a banner moment in Australian cyber security and law enforcement. Ransomware gangs are often identified, and usually within short order. They have their own techniques and distinctive malware; much like other criminal gangs, their modus operandi is distinctive. REvil is so well known that it has its own Wikipedia page. Like many criminal hacker gangs operating in the Russian Federation it operates in a grey area, unofficially tolerated and occasionally used by state authorities in exchange for being left alone. Cyber criminals also operate out of China and the Central Asian “Stans”.

The Government has put together a task force to hack the hackers. The Australian Federal Police and the Australian Signals Directorate are combining to identify the hackers and their associates and bring them to justice. While that is an appropriate response, a dose of realism needs to be injected into the story lest hopes are raised too high. Hackers are usually physically beyond the reach of Australian authorities and unlikely to be the subject of successful extradition applications. The Australian Federal Police is engaging with its Russian counterparts about the cyber criminals. That is unlikely to go anywhere. Taking the fight to hackers is difficult because they change tactics. Ransomware gangs, for example, are increasingly using their own or stolen code and moving away from a leasing model that made their activities easier to monitor. Until recently hackers leased their malicious software and computing infrastructure to affiliates, who carried out the intrusions and shared the proceeds, in what is known as ransomware-as-a-service. That model was used by gangs such as Conti, which crippled the Irish Health Service Executive’s systems in 2021, and REvil. Senator Paterson has called for hackers to be sanctioned. It is another form of political theatre. Magnitsky sanctions are meaningless when dealing with hackers. If proceeds of crime can be located, and they are in a country which has an apolitical police force and an independent judiciary, such as Canada, the USA and most European states, they can be seized without the need for Magnitsky sanctions.

The payment of a ransom is not of itself illegal in Australia, although a payment that went to a sanctioned person or entity could breach sanctions or terrorism-financing laws. The Government is considering making such payments illegal. Discouraging the payment of ransoms is one thing; criminalising it is another. Sometimes it is the only practical solution in the time available, so criminalising the conduct puts a business in a terrible bind. It would also be a crime that is difficult to detect, and one that hackers could themselves exploit, by threatening to expose the payment, to further extort those who have paid.

That is not to say that successful action can’t be taken. A Russian national linked to the LockBit ransomware gang was arrested in Ontario in October. What needs to be remembered is that ransomware is an international problem as Bleeping Computer makes clear in The Week in Ransomware – November 11th 2022 – LockBit feeling the heat.  It relevantly provides:

The big news is the arrest of a Russian LockBit member in Canada, who is said to be responsible for making ransom demands between €5 to €70 million.

Over the past few weeks, a threat actor has been trolling victims by distributing the Azov Ransomware and blaming its creation on cybersecurity researchers and journalists.

Hackers post sensitive data on dark web to put pressure on Medibank and to punish it

November 10, 2022

Hackers have reportedly put Medibank abortion data on the dark web. Medibank confirmed as much with its media release today. It is a common enough tactic for hackers to threaten to release data online and then to do so. Once the demand for $10 million or $15 million was rejected it was hardly a surprise that some form of retaliation would follow. Hackers are criminals. Russian hackers are notorious for having even fewer scruples than the average hacker, and REvil has a particularly savage reputation. Retaliation is a rational response from their point of view, even if the Minister for Home Affairs calls the hackers scumbags.

The melancholy truth is that, notwithstanding the involvement of the Australian Federal Police and the Australian Signals Directorate in the hunt for the hackers, the chance of catching any individual hacker in the short term is small. They are based in jurisdictions, such as Russia, where they are tolerated if not supported.

The focus has to be on mitigation and remediation. If past

Medibank decides not to pay a ransom over data breach in which almost 10 million customers’ personal information has been compromised

November 7, 2022

This morning Medibank released a detailed statement setting out more of the personal information taken in the data breach and what it will and will not be doing. As with Optus, Medibank is slowly beginning to follow the procedure long adopted by large companies in the United States. Unfortunately both Medibank and Optus were slow to advise customers of the data breach, wretchedly slow to provide details, reluctant to offer assistance, did not publicly identify the external help they were engaging and gave dreadful media interviews. Time is of the essence in responding to a data breach on every level. Having a proper and well rehearsed data breach response plan is critically important.

In short Medibank has determined that:

  • the hackers accessed personal information of 9.7 million current and former customers, broken down into the following categories:
    • 5.1 million Medibank customers,
    • 2.8 million ahm customers and
    • around 1.8 million international customers
  • the personal information was:
    • name,
    • date of birth,
    • address,
    • phone number and
    • email address,
    • Medicare numbers (but not expiry dates) for ahm customers and
    • passport numbers (but not expiry dates) and visa details for international student customers
  • the hackers accessed health claims data for around:
    • 160,000 Medibank customers,
    • 300,000 ahm customers and
    • 20,000 international customers
  • the health claims data included:
    • service provider name and location,
    • where customers received certain medical services,
    • codes associated with diagnoses and procedures administered, and
    • contact details of around 2,900 next of kin of these patients
  • the hackers accessed health provider details, including names, provider numbers and addresses
  • the hackers did not access credit card and banking details
  • Medibank will not pay a ransom.

The media statement is designed for the market and government, not customers.  It is long, probably overlong, detailed and covers a large number of issues.  A lot of what is being proposed should have already been done. 

The media

Australian Cyber Security Centre Threat Report for July 2021 to June 2022 highlights the ongoing privacy and data security challenges for government and agencies… concerning but hardly news. It is only now that governments and media are taking a good hard look at the problem

November 6, 2022

Threat reports are a regular feature in publications on data security and privacy. Just recently Crowdstrike released its 2022 Global Threat Report, Akamai its Global State of the Internet DDoS Attack Reports and SonicWall its 2022 SonicWall Cyber Threat Report, to name just three collections of trends, surveys and findings. Most are quite useful.

The Australian Cyber Security Centre (ACSC) has been releasing threat reports for some time, usually without much fanfare and little mainstream media coverage.  I review the reports when they come out and did a post on the 2017 and 2021 reports for example.

With the Optus and Medibank data breaches the 2022 ACSC threat report, covering July 2021 to June 2022, has received wide and loud media coverage. For some in the media this report is a bolt out of the blue which uncovers previously unknown problems and foretells catastrophe. It does neither. The Report is consistent with other reports and the regular advisories from US, UK and European regulators, insurers and cyber security experts. The threat of cyber attack by criminals or state actors is significant and growing. That is something I have been writing about for years. It is part of my practice to assist in dealing with that. It has been around for over a decade as a significant and evolving problem. It is only now being seen as a key governmental priority. A welcome if belated change.

Unlike in previous years the relevant minister, Clare O’Neil, has issued a detailed media release about the report. It provides:

Australians are encouraged to help protect the nation’s cybersecurity future, as the Australian Cyber Security Centre (ACSC) – a key part of the Australian Signals Directorate (ASD) – launches its third annual Cyber Threat Report.

The Cyber Threat Report is a key tool of the ASD in helping all Australians better understand everyday cyber threats, and improve their cyber defences.

Amid an increasingly deteriorating geo-strategic environment, it is now more important than ever that individuals, industry, business and government come together to reinforce our online resilience.

Key findings from the 2021-22 Cyber Threat Report include:

    • The ACSC received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year.
    • On average one cybercrime report was received every seven minutes, compared to every eight minutes last financial year.
    • There has been a 25 per cent increase in the number of publicly reported software vulnerabilities.
    • Financial losses due to Business Email Compromise increased to over $98 million, with an average cost of $69,000 per report.
    • The average cost per cybercrime report has risen to around $40,000 for small business, over $88,000 for medium business, and over $62,000 for large business.

The Albanese Government is committed to protecting the security of Australians, and welcomes the Cyber Threat Report as a key tool to help inform how we can do so into the future.

A key part of this is the Government’s 10 year investment in the ASD, known as REDSPICE, which will further harden Australia’s cyber defences in 2022-23 and beyond.

Throughout its 75 year history, the ASD has defended Australia from global threats and advanced our national interests. It remains at the frontline of defending our nation and keeping Australians safe and secure.

Quotes attributable to Deputy Prime Minister and Minister for Defence, the Hon Richard Marles MP:

“Over the last financial year Australia has witnessed a heightened level of malicious cyber activity, reflecting the evolving strategic competition across the globe.

“This has been clearly demonstrated in the brutal invasion of Ukraine – where Russia has sought to cause damage not just in traditional warfare, but through the use of destructive malware as well.

“Threat actors across the world continue to find innovative ways to deploy online attacks, as a result too many Australians have felt the impacts of cybercrime.

That is why the Government is committed to reinforcing Australia’s cyber security as a national priority.”

Quotes attributable to Minister for Home Affairs and Cyber Security, the Hon Clare O’Neil MP:

“Recent examples of malicious cyber activity have demonstrated to Australians how important it is for organisations and individuals to prioritise their cyber security.

Australia’s unique geostrategic position and information-rich environment mean we all need to work together to build our cyber defences and to ensure all Australians have the tools they need to protect against the impacts of cyber attacks.

The Albanese government is focusing our best and brightest cyber security experts both on responding to today’s cyber threats and developing the capabilities and skills we need for a secure and resilient digital future.”

The findings are catnip for statistic-obsessed reporters, with:

  • an increase in financial losses due to Business Email Compromise to over $98 million
  • an average loss of $64,000 per report
  • a rise in the average cost per cybercrime report to over $39,000 for small business, $88,000 for medium business and over $62,000 for large business
  • an average increase in the cost of cybercrime of 14 per cent
  • a 25 per cent increase in the number of publicly reported software vulnerabilities
  • over 76,000 cybercrime reports, an increase of 13 per cent from the previous financial year
  • a cybercrime report every 7 minutes on average, compared to every 8 minutes in the previous financial year
  • over 25,000 calls to the Cyber Security Hotline, an average of 69 per day and an increase of 15 per cent from the previous financial year
  • 150,000 to 200,000 Small Office/Home Office routers in Australian homes and small businesses vulnerable to compromise
  • fraud, online shopping and online banking being the top reported cybercrime types, accounting for 54 per cent of all reports.

While the Report is sobering it does not indicate anything inconsistent with overseas experience. If anything it confirms an upward trend in the number of attacks, the cost of cyber attacks and the number of reports to the ACSC and other government agencies. For example

Real estate agent Harcourts suffers a data breach… another one for real estate agencies. It is an industry in dire need of regulatory attention

November 4, 2022

In less than a month there has been another data breach at a real estate business. I wrote about Realty Assist’s breach on 18 October 2022. Now Harcourts has suffered a data breach, on 14 October 2022. The ABC report highlights a breakdown between Harcourts and Stafflink, a software provider. In its email to customers Harcourts claimed the data breach stemmed from its software service provider Stafflink, one of whose employee accounts was compromised. That can and does happen. Except that Stafflink has disputed that and publicly said so. A very poor strategy by Harcourts to make an assertion and then find it contested. I never cease to be amazed how poorly Australian businesses handle data breaches. The ABC story also covers the dreadful state of privacy and data management in the real estate industry. It has long been an industry addicted to collecting as much personal information as possible while being lax with it. Privacy advocates have long known about and

Dani Laidley sues Victoria Police over photographs taken at a racing outing and shared online

One of the misconceptions in privacy law is that once a person steps into a public place there is no reasonable expectation of privacy. That is not, in and of itself, correct under Australian, New Zealand, UK and European law. That was made abundantly clear in the seminal 2004 House of Lords decision of Campbell v MGN Limited [2004] UKHL 22. Naomi Campbell sued when she was photographed leaving a Narcotics Anonymous meeting in 2001.

Dani Laidley has reportedly sued Victoria Police over photographs allegedly taken of her in November 2020 at the Geelong Racecourse by a police officer. She alleges those photographs were shared online. The pleadings are not to hand so it is not possible to comment on the causes of action pleaded; however the report in the Nine papers claims there is a claim of a breach of duty. Australia does not have a common law cause of action for harassment, although Gummow and Hayne JJ referred to ‘what may be a developing tort of harassment’ in ABC v Lenah Game Meats [2001] HCA 63; (2001) 208 CLR 199. That was 21 years ago and the development of the law has stalled. All the more reason for a statutory tort for interference with privacy which

ABC breaches privacy obligations in broadcasting a person’s profile in a report about dating app scams

November 3, 2022

Today the Australian Communications and Media Authority published its finding that the ABC had breached its privacy obligations by disclosing the identity of a person who used a dating app. Beyond finding a breach and making recommendations there is no other sanction available to the ACMA. Another example of why a statutory tort for interference with privacy is long overdue.

ACMA’s  media release provides:

The Australian Communications and Media Authority (ACMA) has found the Australian Broadcasting Corporation (ABC) breached the privacy requirements in the ABC Code of Practice by broadcasting an identifiable person’s profile in a news report about dating app scams.

The Newshour segment, which was broadcast in May 2021, included footage of a screen scrolling through a dating app showing the profile of a person, including an image of a face, age and first name.

The ACMA investigation found that although the dating app profile was shown fleetingly, the image of the face was repeated twice in the news report and the person was identifiable.

ACMA Chair Nerida O’Loughlin said having personal information broadcast on television can be distressing for the individual in question.

“Media intrusion into a person’s private life without consent must be justified to be in the public interest,” Ms O’Loughlin said.

“There is a clear public interest in reporting on online scamming, however there are limits to the type of personal information that should be disclosed in a news report. In this case, there was no justifiable reason to identify the person and the ABC did not undertake adequate measures to ensure their privacy.”

The ACMA’s enforcement powers when it finds the ABC has breached its Code are limited to recommending the ABC take particular actions. In this case, the ACMA did not consider this necessary as the ABC had already removed the footage from its archive and advised that the ACMA finding will be made available to relevant ABC News staff. 

FACTS

The Australian Broadcasting Corporation (the ABC) broadcast the News Hour on 11 May 2021 at 5:00 pm.

The Report was comprised largely of the studio presenter and expert guest discussing the ramifications of the rise in online scamming appearing on dating apps. A montage sequence of people using mobile phones to view dating apps, with faces and names of subscribers to those dating apps appearing on-screen, punctuated the discussion.

In the Report, the relevant footage was

ISO 27001:2022 is released. Given the data breaches in Australia and generally poor privacy governance it comes at the right time.

October 29, 2022

ISO 27001 is the global specification for an information security management system (ISMS). It is the benchmark standard for managing information security. Properly implemented it helps organisations avoid security breaches. An ISMS is a framework of policies and procedures for information security that takes in all of the legal, physical and technical controls involved in an organisation’s information risk management processes.

The new ISO 27001 has just been released. It is called ISO 27001:2022. This version introduces significant changes in the way organisations manage information security. The Standard was last revised almost a decade ago, in 2013.

The Annex A controls are no longer divided into 14 control categories. They are now split into four ‘themes’:

  • organisational,
  • people,
  • physical and
  • technological.

The total number of controls has decreased from 114 to 93. This is because many of its controls have been reordered and merged. Under the new ISO 27001:

  • 35 controls are unchanged,
  • there are 11 new controls (numbered as in ISO/IEC 27002:2022), which are:
    • threat intelligence (5.7)
    • information security for use of cloud services (5.23)
    • ICT readiness for business continuity (5.30)
    • physical security monitoring (7.4)
    • configuration management (8.9)
    • information deletion (8.10)
    • data masking (8.11)
    • data leakage prevention (8.12)
    • monitoring activities (8.16)
    • web filtering (8.23)
    • secure coding (8.28)


Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 introduced into the House of Representatives

October 26, 2022

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced into the House of Representatives by the Attorney General earlier today.

The amendments will provide the Commissioner with new powers including, but not limited to:

  • new information-gathering powers regarding the notifiable data breach scheme’s reporting and notification requirements,
  • information-gathering powers to conduct assessments of organisations’ practices,
  • the power to direct an entity to notify individuals who have been affected by a data breach, and
  • infringement notice powers.

The Commissioner being given infringement notice powers brings Australian regulation more into line with the UK legislation, under which the UK Information Commissioner can issue monetary penalty notices. The US Federal Trade Commission has a different process but a similarly quick way of imposing penalties. It will be critical for businesses and organisations to understand their obligations; otherwise they may be the subject of a significant financial penalty, not to mention the reputational damage that comes with it.

Itnews has undertaken a reasonable summation, from a lay perspective, of the proposed amendments in  Privacy Act amendments land in parliament which provides:

The federal government has introduced amendments to beef up the Privacy Act.

Foreshadowed earlier this month following the Optus data breach, the amendments were introduced to the House of Representatives this morning by Attorney General Mark Dreyfus.

As promised, the amendments include higher fines for serious privacy breaches; a strengthened notifiable data breaches scheme; enhanced enforcement powers for the Australian Information Commissioner; and greater information sharing arrangements.

“The novel privacy challenges posed by the rise of digital platforms and the unprecedented volume and variety of data that these platforms collect from users underscores the importance of reforming our privacy laws,” Dreyfus said.

The current $2.2 million fines available to the Australian information commissioner are inadequate, with Dreyfus echoing statements by commissioner Angelene Falk that the fines must be more than “simply the cost of doing business”.

The new fines proposed in the legislation would be “not more than the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or, if the value of the benefit obtained cannot be determined, 30 percent of a company’s domestic turnover in the relevant period.”

The amendments to the notifiable data breaches scheme will empower the Australian information commissioner to assess an entity’s compliance with the scheme.

The commissioner will also have “new information-gathering powers in regards to the scheme’s reporting and notification requirements,” Dreyfus said.

“This is necessary to provide the information commissioner with a comprehensive understanding of the information compromised in a breach in order to assess the particular risks to individuals, and take actions such as issue a direction for the entity to notify individuals who have been affected by a data breach.”

The commissioner will also be given the power to publish notice about specific privacy breaches, “or otherwise ensure those directly affected are informed”.

The commissioner will have the power to compel entities to improve their practices, supported by information-gathering powers to conduct assessments.

New infringement notice powers will let the commissioner deal with non-compliant organisations, “without the need to engage in protracted litigation”.

The bill is also amending the Privacy Act’s extraterritorial provisions, so that “even if foreign organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia.”

Finally, information sharing will be bolstered in two ways.

The commissioner will have “an express power” to publish the determinations it makes following a privacy investigation, as well as updates into ongoing investigations.

There will also be a power to share information with enforcement bodies, other complaints bodies, privacy regulators; and “the Australian Communications and Media Authority will also be provided better powers to share information within government for enforcement purposes.”

The Bill

Government to fast track privacy laws in response to Medibank data breach….policy on the run?

Governments of both persuasions have avoided privacy law reform for over 20 years. A Coalition Government made the most minimal changes to the Privacy Act in 2001 to cover the private sector. The ALP Government made relatively few amendments in 2012 in response to the mammoth and comprehensive Australian Law Reform Commission report on privacy handed down in 2008. For the last six years the previous Coalition Government sat on another Australian Law Reform Commission report and then instituted an internal Attorney General’s review of the Privacy Act.

Medibank provided an update yesterday about the cyber attack in October.  The data exfiltrated is more extensive than previously known.  It now includes Medibank customer data of both current and previous customers. The statement provides:

There has been a further development in Medibank’s cybercrime event, which is subject to a criminal investigation by the Australia Federal Police (AFP).

It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers.

This is a distressing development and Medibank unreservedly apologises to our customers.

Here is what we can update

We have received a series of additional files from the criminal. We have been able to determine that this includes: