Peter A Clarke

The National Institute of Standards and Technology (“NIST”) has released recommendations which specific techniques for the derivation of additional keying material from a secret key obtained through either a key establishment scheme or shared through other way. 

It is common that a cryptographic key is not sufficient.  Usually additional Read the rest of this entry »

In my professional experience cyber attacks are not predominantly made on large organisations or businesses.  Those attacks get most press because they commonly involve a large number of people whose personal information was accessed.  Attacks on small businesses are frequent and often crippling.  This is highlighted in a recent Age report Hackers target small businesses’ social media accounts.   Small businesses tend to have a smaller IT spend, a lack of knowledge about cyber security practices and less diligence in maintaining proper cyber security, for example by patching regularly.  Phishing attacks on small businesses are Read the rest of this entry »

The UK Information Commissioner has highlighted the case of Christopher O’Brien who was prosecuted for unlawfully accessing patient records of 14 patients of the South Warwickshire NHS Foundation Trust, all of whom were known to him.  The media release provides:

and

A former health adviser has been found guilty of accessing medical records of patients without a valid legal reason.

Christopher O’Brien, 36, was working at the South Warwickshire NHS Foundation Trust when he unlawfully accessed the records of 14 patients, who were known personally to him, between June and December 2019. He did so without a valid business reason and without the knowledge of the Trust.

One of the victims said the breach left them worried and anxious about Mr O’Brien having access to their health records, with another victim saying the breach put them off from going to their doctor.

Mr O’Brien pleaded guilty to unlawfully obtaining personal data in breach of section 170 of the Data Protection Act 2018 when he appeared at Coventry Magistrates’ Court on 3 August 2022. He was ordered to pay £250 compensation to 12 patients, totalling £3,000.

Stephen Eckersley, ICO Director of Investigations, said:

“This case is a reminder to people that just because your job may give you access to other people’s personal information, especially sensitive data such as health records, that doesn’t mean you have the legal right to look at it.

“Such behaviour can be extremely distressing for the victims. Not only is it an invasion of their privacy, it potentially jeopardises the important relationship of trust and confidence between patients and the NHS.

“I would urge organisations to remind their staff about their data protection and information governance responsibilities, including how to handle people’s sensitive data responsibly.”

This sort of misbehaviour is not confined to the United Kingdom. The National Public Radio in 2015 did a piece on hospital workers snooping on celebrities medical records, including George Clooney, Kim Kardashian and Michael Jackson, to name a few.  It is a chronic problem in Australia within the health sector.  Last year the Health Care Complaints Commission prosecuted a complaint against registered nurse Ms Cody Rae Payne at the NSW Civil and Administrative Tribunal (‘the Tribunal’). Between January and August 2019  Payne accessed her own medical records as well as those of 34 other persons, including family members involved in family court legal proceedings without lawful authority. She provided information to her husband that she acquired as a result of that unauthorised access.

The hearing before the NSWCAT occurred after Payne had been criminally prosecuted for Read the rest of this entry »

The US Federal Trade Commission (the “FTC”), as close as the US gets to a privacy regulator, has announced an inquiry into the use of surveillance in a commercial context.  It is wide ranging, covering cookies.

The FTC first announced the Proposed Rule Making on Commercial Surveillance on 11 August with FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices which provides:

The Federal Trade Commission today announced it is exploring rules to crack down on harmful commercial surveillance and lax data security. Commercial surveillance is the business of collecting, analyzing, and profiting from information about people. Mass surveillance has heightened the risks and stakes of data breaches, deception, manipulation, and other abuses. The FTC’s Advance Notice of Proposed Rulemaking seeks public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.

“Firms now collect personal data on individuals at a massive scale and in a stunning array of contexts,” said FTC Chair Lina M. Khan. “The growing digitization of our economy—coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used—means that potentially unlawful practices may be prevalent. Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.” Read the rest of this entry »

The Victorian Information Commissioner undertook an examination of the privacy and information handling and training of the Victoria Police.  To anybody familiar with the Victoria Police’s dismal history of privacy breaches the Commissioner found that Victoria Police provided inadequate training.  In fact there had been no training for over a year and Victoria Police had starved its Privacy and Education Unit of funding. As a result the Commissioner found the Victoria Police non compliant with its obligations under IPP 4.1.

I have posted regularly on privacy issues involving Victoria Police because they are so serious and so regularly occurring.  A Victoria Policeman took photographs of Dani (Dean) Laidley while he/she was in custody, and distributed them to other serving officers which resulted in Laidley suing the Victoria Police.    In 2016 the Victorian Commissioner for Privacy and Data Security set out in his annual report 453 information security incidents and a 30% increase of incidents year on year.  Police were caught misusing the LEAP database in 2015.  And in 2014. In 2006 the ABC reported on 18 Victoria Police being disciplined for misuse of the the LEAP database.

The Commissioner’s media release provides:

Part of OVIC’s role as Victoria’s privacy regulator includes oversight of Victoria Police and its management of law enforcement data.

On 30 September 2021, OVIC commenced an examination into the privacy and information handling training at Victoria Police.

The objective was to examine whether the training provided to Victoria Police personnel meets the requirements of Information Privacy Principle (IPP) 4.1 under the Privacy and Data Protection Act 2014 (Vic).

IPP 4.1 outlines that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification, or disclosure.

During this examination, OVIC staff gathered information from relevant Victoria Police personnel on how training is developed, delivered, and evaluated at Victoria Police, with an interest in information handling and privacy both generally and within the context of family violence investigations. Read the rest of this entry »

The US National Institute of Standards and Technology (the “NIST”) has released a guide to a secure Enterprise Network Landscape.

The Guide to a Secure Enterprise Network Landscape is designed to provide guidance for navigating the current enterprise network landscape. It examines the security limitations of current network access solutions and point security solutions through traditional appliances with enhanced security features. It also considers new appliances, emerging network configurations, frameworks that incorporate the configurations, and cloud-based wide area network (WAN) services with integrated security infrastructures. The guide considers the following security impacts:

• disappearance of the concept of a perimeter associated with the enterprise network;
• an increase in attack surface due to the sheer multiplicity of IT resource components; and
• sophistication of the attackers in their ability to escalate attacks across several network boundaries leveraging the connectivity features.

Specific areas addressed in the Guide include:

• Feature enhancements to traditional network security appliances
• Secure enterprise networking configurations fs
• Security frameworks that integrate individual network configurations
• Evolving wide area network (WAN) infrastructure that provides a comprehensive set of security services

The abstract Read the rest of this entry »

As it does, it Governance has collated data breaches and cyber attacks for July 2022 and found that 99.2 million records were breached.  That is quite outstanding. They include:

• the comic reading platform Mangatoon has suffered a massive data breach involving 23 million accounts. The breach apparently occured when a hacker found an unsecured Elasticsearch database. It seems that credentials just said password.
• Twitter suffered a data breach involving 5.4 million records involving phone numbers and email addresses.  The hacker attempted to sell data for $30,000.
• the virtual pet website Neopets had a data breach involving the theft of the source code and a database containing personal information of 69 million members. It amazes me that 69 million people would sign up for a website where people can own, raise and play games with their virtual “pets.”
• Carolina Behavioural Health Alliance suffered a ransomware attack involving health information of 138,000 people.
• a misconfigured portal in a Phillipine government website, Proud Makatizen, resulted exposure of 620,000 files.  The files included photos of ID cards as well as private and financial information.

In Australia there were significant data breaches Read the rest of this entry »

There is a sub specialty of data breaches involving institutions of higher education.  Recently in  Australia there have been data breaches of the Australian National University, the University of Tasmania and most recently Deakin University.  Yesterday it was reported that the University of Western Australia has suffered a significant data breach involving access of personal information and grades.

Unlike the data breaches at other universities this data breach involved the theft  of laptops which held the personal information.  Failure to secure bring your own devices, be they lap tops, phones, cameras, ipads etc.. is a chronic problem.  These days large data breaches are generally caused by cyber attacks however, as this case highlights, the temptation for staff to store masses of personal information on lap tops for convenience in working offsite or even within a place of employment.  Given this is the second data breach involving data stored on computers since 2019 the University has poor data security as well as physical security practices.  If this occurred in the United Kingdom the University would be liable to receive a very significant monetary penalty.  Here Read the rest of this entry »

The impact of data breaches cannot be underestimated.  Many, if not most, businesses and organisations store their data on computers which are connected with the internet.  For the service industry that usually means personal information.  Masses of it.  And the health sector is a prime target for cyber attacks because health service providers collect a vast amount of personal information and types of information which may be used for identity theft and other forms of fraud.  Unfortunately the health sector is also prone to poor cyber security practices. This is highlighted in Cyber Incident Cost $100 Million, Tenet Healthcare Reports.  That is a significant cost but not a record by current standards. 

Tenet’s data breach is not an isolated incident by any stretch.  In June and July there have been the following breaches of health care providers:

• Avamere Health Services suffered intermittent unauthorized network access between January 19, 2022 and March 17, 2022. A total of 380,984 patient records were affected and notified. The personal information involved were names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical diagnosis/conditions information.
• The City of Newport suffered a data breach on June 8, 2022 and June 9, 2022 involving records of city employees.
• in the Canadian province of Newfoundland and Labrador Eastern Health suffered a data breach  resulting in a privacy breach notification sent to 37,800.  That equates to one out of every 13 people in the province.

• Feelyou a journaling and social mood tracking app had a flaw whereby anyone could obtain the personal email addresses of users and link them to anonymous posts by simply accessing the app’s GraphQL application programming interface (API), which did not require any authentication to do so. This affected 70,000 personal emails.

Read the rest of this entry »

The Australian Information Commissioner (the “Commissioner”) has released a brief but quite specific and detailed guidance on the retention and deletion of personal information. It is entirely reasonable to release a guidance now given restrictions throughout the country have largely been removed and there is no longer a requirement to collect masses of personal information. 

But now organisations and agencies have an enormous amount of personal information which was collected for the purpose of complying with various Public Health Orders and which was to be used for specific, narrow and defined purposes, such as contact tracing and vaccine status.  As the guidance makes clear there is now an obligation on organisations to delete much of that personal information.  With the orders no longer in place there is a real question of whether Read the rest of this entry »