Peter A Clarke

Categories

  • Blogs

  • Civil Liberties & rights

  • Current Affairs

  • Data security

  • Legal blogs

  • Newspapers

  • Overseas legal sites

  • Oz Legal

  • Politics

  • Privacy sites

  • Technology

    • Qantas obtains interim injunction arising out of the data breach which affected 5.7 million customers

    July 17, 2025

    It is becoming common practice for companies affected by the significant data breaches to seek injunctive relief. The Australian reports in Qantas goes to court over cyber attack in attempt to stop stolen data being released or used. that Qantas has obtained an interim injunction in the New South Wales Supreme Court. A copy of the orders has not been released but it is reported as intending “..to prevent the data being accessed, viewed, released, used, transmitted or published by anyone including by any third parties.” There is no identified respondent to the application.  It is also covered by 9 News and Reuters.  If the process follows the approach taken by the court in the HWL Ebsworth application for injunctive relief in 2024.

    Interestingly the National Office of Cyber Security prepared a report on the HWL Ebsworth Cyber Security Incident titled “Lessons Learned Review”.  Under the hearing “What was interesting” the report says the following about the injunction HWL Ebsworth obtained from the Supreme Court of New South Wales.  

    The granting of an injunction from the Supreme Court of New South Wales to HWL Ebsworth was a key point of interest during the management of the incident. The injunction was sought by HWL Ebsworth to restrain further access to or publication of information exposed during the incident, in an attempt to protect client data, and minimise ‘online rubbernecking’. Overwhelmingly, government entities viewed this enabled better support to impacted clients (including individuals) through minimising the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response.

    HWL Ebsworth’s intention when seeking the injunction was never to stop its clients from accessing their own data, as several clients were granted exemptions to ensure access for this purpose could continue. However, the injunction also prevented accidental unauthorised access which would have been inevitable in the circumstances where clients of the firm were seeking their own information but would, in the process, further compromise the privacy of other matters unintentionally.

    There is quite a bit of supposition in that assessment.  It is not possible to know whether the injunction performed that role.  There has been no reported contempt of court proceedings for breaching the injunction.  It would also be quite difficult to determine whether there was a reduction in ‘online rubbernecking’ to start with and whether it was reduced.  How to monitor on line rubber necking is another issue.  If the data is stored on the dark web in a particular site removing the data, highly improbable, would be a better solution than working out who viewed it, even more difficult.  That said injunctive relief is now part of the response in large scale data breaches.  

    It is clear from the assessment that the orders were almost certainly more involved and complicated than a blanket prohibition.  There is reference to exemptions.  That is an important issue when seeking such orders.  It is important to avoid putting those who are victims who discover their personal information and in viewing it may in a position where they may be in contempt of court.  Clearly not an intended consequence.

    The Australian story Read the rest of this entry »

    Posted in General, New South Wales Supreme Court, Privacy | Post a comment »

    UK Government data breach led to risk of death to 100,000 Afghanis and an extraordinary Government response (or cover up) potentially costing 7 billion pounds

    July 16, 2025

    That data breaches cause damage is trite. The damage may be economic or psychological. It can also be life threatening as the Times story Revealed: Leak that risked lives of 100,000 Afghans — and £7bn cover-up makes clear. As does the BBC report Thousands of Afghans were moved to UK in secret scheme after data breach. A data breach by a British official at the Ministry of Defence in February 2022 resulted in the personal details of 19,000 people who applied to move to the UK after the Taliban took over were leaked. That prompted a resettlement scheme which has resulted in 4,500 Afghans moving to UK so far. So far, so bad.

    What is very interesting to legal practitioners is that the Government sought and obtained a super injunction which involved a gag order relating to the data breach and its contents.  It was the first time the Government sought a super injunction and it was the longest ever granted.That was lifted yesterday in Ministry of Defence v Global Media and Entertainment Ltd & ors [2025] EWHC 1806.   

    In reviewing and ultimately lifting the gag order teh court made the following points regarding the grant and Read the rest of this entry »

    Posted in Privacy, UK case law, UK High Court | Post a comment »

    64 million McDonald’s chatbot job applications exposed because the login was “123456” and the password was “123456”

    July 14, 2025

    Implementing proper password protection is one of the foundation blocks of proper cyber security. It has been since the internet was established. But it remains a real problem with many organisations. Bleeping Computer with ‘123456′ password exposed chats for 64 million McDonald’s job chatbot applications reports on a spectacular fail with both log ins and passwords, both being 123456.

    The Bleeping Computer article Read the rest of this entry »

    Posted in Privacy | Post a comment »

    National Institute of Science and Technology releases draft guidelines for High-Performance Computing (HPC) Security Overlap and recommendations for Key Management

    July 12, 2025

    The National Institute of Science and Technology (“NIST”) has publisheda guideline on High-Performance Computing (HPC) Security Overlay,

    Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance and

    The announcement about the HPC provides:

    High-performance computing (HPC) systems provide fundamental computing infrastructure for large-scale artificial intelligence (AI) and machine learning (ML) model training, big data analysis, and complex simulations at exceptional speeds. Securing HPC systems is essential for safeguarding AI models, protecting sensitive data, and realizing the full benefits of HPC capabilities.

    This NIST Special Publication introduces an HPC security overlay that is designed to address the unique characteristics and requirements of HPC systems. Built upon the moderate baseline defined in SP 800-53B, the overlay tailors 60 security controls with supplemental guidance and/or discussions to enhance their applicability in HPC contexts. This overlay aims to provide practical, performance-conscious security guidance that can be readily adopted. For many organizations, it offers a robust foundation for securing HPC environments while also allowing for further customization to meet specific operational or mission needs.

    The recommendations for best practices for key management organisations, part 2 provides:

    NIST Special Publication (SP) 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements. Finally, Part 3 provides guidance when using the cryptographic features of current systems. Part 2 (this document) 1) identifies the concepts, functions and elements common to effective systems for the management of symmetric and asymmetric keys; 2) identifies the security planning requirements and documentation necessary for effective institutional key management; 3) describes Key Management Specification requirements; 4) describes cryptographic Key Management Policy documentation that is needed by organizations that use cryptography; and 5) describes Key Management Practice Statement requirements. Appendices provide examples of some key management infrastructures and supplemental documentation and planning materials.

    The recommendations for Key Management part 3;  Application-Specific Key Management Guidance provides:

    IST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.

    Read the rest of this entry »

    Posted in Privacy | Post a comment »

    New South Wales audit publishes “Cyber Security insights 2025” which highlights familiar problems with cyber cyber security.

    July 11, 2025

    The New South Wales Audit Office has published its report, titled Cyber Security insights 2025, on state agencies cyber health and preparedness against a cyber attack. it is a mixed report, which is a concern given the fact that the state collects and holds a vast amount of information of people of New South Wales and encourages, if not requires, people to do business with the state on line. The Report is quite critical about aspects of preparedness.

    The ABC has done a story on the report with NSW audit finds gaps in state, local government cyber protections which provides:

    A cybercrime expert has warned of a “worrying pattern” after government agencies were found to have implemented less than a third of basic cybersecurity protections in New South Wales.

    State government agencies only met 31 per cent of mandatory requirements to protect public data, according to a report released by the Audit Office of NSW last week.

    In total, 27 of these agencies reported 152 “significant, high, and extreme” cybersecurity threats in 2024.

    According to the report, 28 of the threats had remedies “that were either largely or completely ineffective”.

    Additionally, 60 risks lacked specified timelines to reduce them to an acceptable level.

    Professor of cybercrime at the University of NSW Richard Buckland said the report’s findings showed entities were increasingly at risk.

    He said that if effective, a cyber attack could “paralyse a section of society or the government”.

    “This has been a pattern, a worrying pattern,” he said.

    The report found a blind spot was the use of external contractors for some cybersecurity measures, for which the NSW government has no way of measuring if they were up-to-scratch. 

    Professor Buckland said he understood the desire to outsource but warned it came with its own risks.

    “We saw the big Microsoft blackout last year; that was really a third party used by multiple people, CrowdStrike, going wrong, so it is a big risk,”

    he said.

    “It’s harder to monitor, to control, so external people helping you is a double-edged sword, especially if you don’t have external capability to jump in when something goes wrong.”

    It comes after Qantas reported a major cyber attack in which it said a “significant” portion of its six million customers’ data was stolen and that a “potential cyber criminal” had made contact with the airline.

    Less than 70pc of council staff cyber-trained

    In 2020, the personal information of more than 180,000 people was compromised by hackers who managed to access information held by Service NSW.

    Responding to the attack cost the state government more than $30 million, the audit office reported.

    Professor Buckland said the report pointed out the “same problem” every year and government agencies were “just not adequately defended”. 

    “They [the audit office] must be tearing their hair out wondering what they can do to bring about change.”

     

    The report also found local councils were lagging in their defence against nefarious online actors, with only 69 per cent training staff in cyber awareness.

    It said one council suffered a ransomware attack that targeted local government records, employee financial data and systems responsible for monitoring water quality.

    Councils in NSW are not mandated to implement Cyber Security NSW’s policies, but the agency recommends they adopt safeguards.

    “In a way they’re [local councils] less capable, have less staff and less budget to deal with this, so I feel very sorry for them,”

    Professor Buckland said.

    “We’ve seen worldwide a big rise in targeted attacks against municipalities — the equivalent of councils in America — against libraries, schools, smaller and less well-funded data-rich organisations.”

    Reacting to the report, Premier Chris Minns on Monday said the government had to find $90 million to “plug gaps” in cybersecurity funding.

    “It is a concern. I’m going to be honest, I would like to see us meet all the criteria immediately that the auditor-general identified,” he said.

    “That’s not possible though; most of the funding for cybersecurity in NSW had been cut or put on a funding cliff by the previous government.”

    He warned it will cost a lot more to make all government agencies safe.

    “Some of these organised crime gangs, usually located offshore, are pretty sophisticated, and we obviously have to be on our guard,” the premier said.

     

    The highlights of the report Read the rest of this entry »

    Posted in Privacy | Post a comment »

    Doctor charged after camera found in staff bathroom at Austin hospital

    Cameras placed in toilets or showers has been a feature of privacy intrusive behaviour for almost as long as there have been working photographic equipment. In May the ABC reported in Women filmed in bathroom without their consent, former housemate to be sentenced over violation as did the Guardian in Every time I took a shower I thought: is he watching me?’ – the terrifying rise of secret cameras. Yesterday the ABC reports in Junior doctor charged after camera found in staff bathroom at Melbourne hospital that a trainee surgeon has been charged with stalking and using an optical device after a camera was found in a staff toilet at the Austin Hospital in Melbourne.    

    In Australia the common law has not responded to privacy protections and only tentatively in equity.  The preference of legislatures was to criminalise such intrusive behaviour but shy away from providing civil remedies. That was an inadequate response.  That significant gap in the law has been filled by the enactment of a statutory tort of serious invasion of privacy on 10 December 2024, taking effect on 10 June 2025. Behaviour as described in the ABC articles would provide a strong basis for issuing proceedings allegation a serious invasion of privacy.

    The earlier ABC article provides:

    When Sarah* moved into her first Sydney share house, the Canadian expat thought it was a “completely safe, normal environment”.

    Months after moving out, she would find out it was the backdrop of a horrific violation of privacy and trust, perpetrated by her former male housemate. Read the rest of this entry »

    Posted in Privacy | Post a comment »

    Qantas data breach saga continues apace..moving to commentary

    July 10, 2025

    The Qantas data breach saga is following a predictable trajectory largely due to a poor initial response to the data breach. The coverage has moved, having begun that transition yesterday, from the data breach itself to the impact on the customers, continuing problems with communication and possible compensation. As the story has developed victims or just upset customers coming forward to provide colour and put Qantas in an even poorer light.   The stories are widespread including the Australian’s Qantas cyber incident: frequent flyers, customers await update on stolen data with the SMH’s Qantas hack will haunt affected customers for a long time, experts warn and Qantas hack victims could get compensation, say experts and ABC’s Qantas data breach: questions remain. And as with data breaches where there are internal issues, and a poorly management data breach response, the leaks come thick and fast. As Crikey demonstrates with ‘This isn’t a one-off glitch’: Qantas pilots blast airline over data hack of 6 million customers. 

    The coverage demonstrates how important it is for companies to move quickly and transparently to respond to a data breach.   It also highlights the poor understanding of privacy law based on some of th claims made. The Qantas data breach saga is a lesson in how not to respond to a data breach.

    The SMH’s Qantas hack victims could get compensation ay experts highlights the sketch understanding of how civil penalty proceedings operate and what options are available for seeking compensation.  The story accurately sets out the maximum penalty the Federal Court could impose if a civil penalty action were brought under section 13H of the Privacy Act 1988.  But that does not equate to compensation to consumers.  It is a penalty.  Whether the Privacy Commissioner distributes whatever penalty imposed if unknowable.  Given that, Dr Srivastava’s quoted statement as to how the Privacy Commissioner operates is confusing.  A more likely route for compensation would be a class action alleging various common law causes of action and potentially statutory claims.  It is possible but difficult to consider using the new statutory tort of serious interference with privacy.  It would be necessary to show that Qantas’ conduct was reckless.  provides:

    Qantas customers affected by the data hack could ultimately be entitled to compensation if the airline were found to have breached passenger privacy, experts say.

    A week after Qantas disclosed the loss of data of up to six million customers, consumer law experts say the airline could ultimately face penalties, if a series of conditions are met.

    Qantas detected unusual activity on a “third-party platform” used by the airline’s contact centre in Manila early last week, prompting an investigation, which determined customer names, email addresses, phone numbers and birthdates, as well as frequent flyer numbers had been accessed, through a third-party vendor to Qantas.

    The airline disclosed the breach, which has been suspected to be the work of a criminal cybergang called Scattered Spider.

    On Monday, Qantas said “a potential cybercriminal has made contact” with the airline, saying it was “working to validate” the communication. Cybersecurity officials fear the data could ultimately be used as ransom.

    The uncertainty over the status of customer data highlights the volume of data held by Qantas.

    Maurice Blackburn class action lawyer Lizzie O’Shea, who specialises in privacy issues, said: “Qantas is a holder of a very significant amount of consumer information, involving huge amounts of data that are used for all sorts of purposes, including profiling consumer behaviour.”

    Australian privacy law requires an entity to take reasonable steps to protect customers’ information from misuse and unauthorised access.

    The use of the data “may not meet the standards of what most people expect for the way the data is collected and how it’s used,” O’Shea says.

    There is no “social license for companies to collect huge amounts of data”, especially as polls show the public continues to show a preference for stronger data protections, she says.

    “For that reason, these kinds of data breaches are hugely illuminating for the public. They act as a lightning rod for consumer frustrations, which are usually accompanied by a call for governments to enact stronger privacy laws.”

    It’s understood that following the high-profile and damaging hacks of Medibank Private and Optus in 2022, Qantas purged old customer data.

    Monash Business School Department of business law academic Dr Aashish Srivastava said: “Under the Privacy Act, if there is a data breach and the customer complains to the Office of the Australian Information Commissioner, and after an investigation the OAIC finds there were privacy breaches by Qantas, as part of that, the OAIC can give the consumer some kind of remedy for any loss or damage suffered as a result of the privacy breach.”

    Under the Privacy Act, the watchdog can impose a range of civil penalties, from a maximum of $2.5 million for an individual and up to $50 million for a company. Optus and Medibank were the target of class actions following their damaging losses of customer data during separate hacks. The privacy watchdog also took civil action against Medibank.

    The watchdog conducted a routine review of Qantas’ frequent flyer data management in 2017, finding that while all “personal information is stored in Australia, Qantas frequent flyer use several offshore customer service centres”.

    At the time, Qantas conducted “overseas contract staff background checks” and put provisions in employee contracts “related to the handling of personal information”, the OAIC said.

    The watchdog in 2019 recommended in the assessment that the Qantas frequent flyer program “develops and implements a privacy management plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations”.

    The Notifiable Data Breaches scheme requires companies to notify the Office of the Australian Information Commissioner and customers “at risk of serious harm from … a data breach”.

    Cybersecurity expert Lani Refiti, from national security firm Azcende, said that if a ransom were sought at this point, Qantas’ corporate and government-led cyber response team would have to be in discussions with the attackers.

    Qantas is investigating after it was contacted by a suspected cyber criminal days after a major hack.

    Read the rest of this entry »

    Posted in Privacy | 1 Comment »

    The Qantas saga continues with Qantas providing details of what was stolen while customer anger grows

    July 9, 2025

    Qantas has finally posted details of compromised personal information by way of an update today. Nine days after first detecting the intrusion. The stolen data related to 5.7 million customers.  Of that number:

    • 4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
      • 1.2 million customer records contained name and email address.
      • 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
    • Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
      • Address – 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
      • Date of birth – 1.1 million
      • Phone number (mobile, landline and/or business) – 900,000
      • Gender – 400,000. This is separate to other gender identifiers like name and salutation.
      • Meal preferences – 10,000

    So the majority of the stolen records were limtied to names, email addresses and Frequent flying points.  Plenty to undertake some phishing and a good start for identity theft. Those 1.7 million customers whose residential addresses, data of birth and phone number are in a more vulnerable situation.  Those data points are very useful for a range of illegal activities, especially identity theft. 

    Qantas has finally provided some advice and pointed to IDcare as providing assistance.  It is fairly rudimentary but better than the non responsiveness of earlier days.

    This has prompted another round of media coverage with the Australian’s Qantas reveals extent of personal details stored on database that was subject to cyber attack and Major update after 5.7 million Qantas customers affected by widespread cyber attack. And some prognosticating with Qantas cyber hack highlights danger of storing huge banks of customer data, says legal expert. Of particular Read the rest of this entry »

    Posted in Privacy | Post a comment »

    Another jurisdiction implements children’s online privacy code, this time Nebraska’s Age Appropriate Design Code

    July 8, 2025

    The protection of children’s privacy on line is a key area of regulation and development worldwide. The US State of Nebraska has from 30 May 2025 implemented an age-appropriate design code law. The Code mandates online service providers prioritize children’s privacy and safety through proactive design principles. Effective January 1, 2026, the Code imposes stringent requirements on covered entities, including data minimisation, default privacy settings, and restrictions on targeted advertising to minors. Enforcement by the Nebraska Attorney General begins on July 1, 2026, with penalties up to $50,000 per violation.

    The Code requries collection and use of the minimal personal data necessary to deliver the specific services a minor knowingly engages with. Data use beyond this purpose is prohibited unless explicitly consented to by the minor or their parent.

    There is an obligation for online services to have default settings which offer the highest level of privacy protection for minors including:

    • limiting communication between minors and other users;
    • preventing unauthorised access to minors’ personal data;
    • restricting precise geolocation tracking;
    • allowing the minor to control all design features unnecessary to operate the services requested by the minor;
    • permitting the minor to control personalised recommendation systems by allowing opt-in to chronological feeds or prevent certain types of content from being recommended; and
    • controlling the use of in-game purchases by allowing opt-outs or the option to limit such purchases.

    These settings apply to ‘covered design features.’.

    Under the Code there Read the rest of this entry »

    Posted in Privacy | Post a comment »

    The Qantas saga continues..with possible contact by cyber hacker

    The media report (in the Australian amongst others) that a/the cyber hacker has approached Qantas and it and the Australian Federal Police are determining whether the approach is by the cyber hacker. As per usual with Qantas has stated there has been an approach but said nothing else. It is consistent with approaches taken by many Australian companies affected by data breaches but not consistent with best practice in the United States where there is more candour which, usually, results in more sympathy. It is a different story when it comes to paying to remove ransomware. In that regard non disclosure is universal. Given that the Australian Federal Police are trying to determine whether the approach is from the hacker or just an opportunist there won’t be any payment of ransom.

    There is some confusion about what to do regarding ransoms.  It is not illegal to pay a ransom.  It may be illegal not to report such a payment.  Whether such a payment is reportable depends on the circumstances and applying them to the legislation.  It can be quite a technical exercise.

    Under Part 3 of the Cyber Security Act 2024 , which took effect on 30 May 2025, entities covered by the legislation must provide notification of ransom payments that have been made in certain circumstances. The legislation sets out the process in detail.  It is important to appreciate that some assessment is required to determine whether an entity is obliged to make a report or not.

    Entities covered by the legislation are those:

    1. responsible for critical infrastructure assets under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) ; or
    2.  carrying on business in Australia with an annual turnover exceeding $3 million.  The coverage is set out in the Cyber Security (Ransomware Payment Reporting) Rules 2025.

    An entity must Read the rest of this entry »

    Posted in Privacy | Post a comment »

    « Previous Entries
    Next Entries »