Peter A Clarke

Certain industries attract hackers because their businesses are data troves of the best sort of personal information; names, dates of birth, banking and credit card information.  Banks, insurance companies, law firms, hospitals and other health providers are top of the list.  And airlines.  It is therefore hardly surprising that Cathay Pacific has been the subject of a successful data hack resulting in the records of 9.4 million passengers being compromised.  That includes 860,000 passport numbers being compromised.  The media coverage has been universally negative (here, here and here for example).  Particularly so given Cathay was aware of suspicious activity in March and Read the rest of this entry »

There are behmoths in each of the cyber platforms; Google for search engines, Facebook for social media and Apple for music and mp3 players.  There are others in each sphere but those three companies dominate their particular areas.  Of the two Apple has been more consistent in protecting privacy and maintaining data security than Google and Facebook.  Google is the least interested.

Apple has been a long standing dispute with the FBI over its refusal to help the FBI to access data on iphones.

It is relevant then to read Tim Cook raise the alarm about the danger of personal information being “weaponised” through better and better alogorithms and ubiquitous data collection.  At a privacy conference organised by the European Union he endorsed a comprehensive privacy law Read the rest of this entry »

The Age reports on yet another depressing and altogether avoidable data breach.  The accessing of medical conditions, photographs, names and identifying data of year 7 – 12 students at Manor Lakes P -12 College in Wyndham Vale in Melbourne.

The Education Department has adopted a standard straight bat response of “human error” and not due to a vulnerability in the school and IT systems. The excuse is, it could be a lot worse (as in a systemic fault involving a costly fix).  What is not, and won’t be, disclosed as to how the breach occurred, what remedial action is taken and what punishment is administered.  Without consequences, there is little incentive to take real and decisive steps to minimise poor data practices. Unfortunately the regulators at both the state and Federal level Read the rest of this entry »

Senator Fifield in his capacity as Minister for Communications finds himself in the middle of one of the most exciting, dynamic, disruptive, confounding yet critical areas of public policy in Australia, or any other advanced economy; what to do with the internet if anything.  He recently gave a speech at the Sydney Institute titled The Internet – not an ungoverned space.  It is a broad ranging fly over of the issues associated with the internet; privacy, cyber bullying, copyright infringements (ie piracy), illegal wagering, fake news and the dominant role of the the big players on the digital platforms (Google, Facebook, Apple and Twitter in no particular order).  It hints at the likelihood of government involving itself in regulation of the internet, or at least its activities.  It is a speech written from within the bowels of the Department; safe, few rhetorical flourishes, quoting facts at a reasonable clip without being too dense, informative but not inspirational and hinting at but not committing to further action.  And it has plenty of wriggle room in the event that action is not taken.  It is useful as Read the rest of this entry »

Alphabet attracts an enormous amount of  suspicion by civil society groups, commentators and an increasing number of governments; it is too big, it stifles development by swallowing up nascent competitors, its algorithms discriminate against some businesses and people, it is too willing to compromise its stated principles with dictatorships, to wit China, and it is secretive.   There is a reasonable amount of truth to all of that.  What Google does try to convince users that it is security conscious.  That claim has taken a massive hit with reports that it has been subject to a data breach courtesy of a bug which exposed personal information of hundreds of thousands of users.  Worse, Google didn’t disclose this breach after discovering the problem.  Why, because it didn’t want the regulators to review its activities and the ask the difficult questions.  Also it didn’t want the reputational hit.  That is a common reaction by organisations who have inadequate data protection and poor privacy culture.  It is all too common a response in Australia.

As result of this data breach Google is shutting down Google+.  This of course will not end Googles woes.  It is just the start.

This sad and sorry saga is Read the rest of this entry »

Commonly a data breach affecting an organisation attracts the attention of multiple authorities in the United States and the United Kingdom.  A data breach in the United States can attract investigation from the Federal Trade Commission, for misleading representations as to privacy, and the Securities Exchange Commission, for breach of fiduciary duty.  And as Tesco Bank well truly understands poor data security can result in an investigation and fine from the Financial Conduct Authority (“FCA”) as well as an investigation by the Information Commissioner.  Tesco has been fined £16.4 million by the FCA for failing to exercise due care and diligence in protecting its personal current account holders accounts.  A cyber attack resulted in the theft of £2.2 million, which has been refunded. Such a fine is well in excess of what the ICO could impose at the time of the breach.  In addition to the swingeing fine the reputational damage to Tesco is significant as regulators are not wont to keep a low profile when they collect a big scalp.  And the FCA didn’t keep things quiet here, with Read the rest of this entry »

As Bupa has discovered, data breaches caused by employee misbehaviour can be as devastating for an organisation as a cyber attack.  A rogue Bupa employee accessed and sold onto the dark web personal information of Bupa’s customers.  When it was discovered by a third party the Information Commissioner investigated and found systemic failures and non compliance with data security.  That is a common outcome.  The breach is generally bad however the investigation usually turns up more than just one problem with an organisation’s data security.  As was the case with Bupa.  There were systemic failures on Read the rest of this entry »

Apps are notorious for their poor security. App developers spend most of their time designing and writing code for an app which will attract a quick and widespread pick up.  The focus is working out what tool will be popular and useful then working frantically to release it to the market.  Data security is generally generic and an afterthought.  There is little money in security.  Until things go wrong.

Apps in politics and with civil society actions are becoming part of the woodwork.  Communicating and mobilising via an app is considerably cheaper than a phone tree and more accessible for younger activists than email.  And political parties are keen to appear connected to younger voters and members.  Which is what the conservatives attempted with its app for a recent conference starting last Sunday

Of course the problems with data security apply.  As the UK conservative party found when its conference app failed, revealing MPs phone numbers and other personal information as reported by the BBC and the Guardian.   The design failure was quite stark, by pressing the attendees button and typing in the MP’s email address, which is hardly secret.  Once done the app revealed the MPs personal information.  A big mistake.  The chairman of the conference is under pressure to resign. Read the rest of this entry »

First the breach, then the disastrous publicity and just when things seem to be getting better the enforcement action.  That is the way of it with UK and US privacy breaches.  Equifax’s travails have followed this path.

In 2017 Equifax suffered a data breach through a cyber attack.  The impact was, even by modern standards, massive with personal information of 146 million people being compromised.  That involved 200,000 credit card numbers and expiration dates and government issued documentation such as drivers’ licences and passports. A total of 15 million UK citizen’s personal information was compromised, giving the Commissioner jurisdiction.

The cost of the breach has been enormous, running to $275 million as at March this year.

The Equifax data breach is a “how not to” store information, set up proper data security and respond to the data breach.  As the UK Information Commissioner found Read the rest of this entry »

The ABC in Perpetrators using drones to stalk victims in new age of technology fuelled harassment  again highlights what has long been known about the potential of drones for being an effective privacy invasive tool. It also goes on to set out the range of ways new technology is being used to interfere with privacy and harrass.  All the while the law lags.

In the United States there have been specific state laws to Read the rest of this entry »