In November last year Bunnings was found to have breached the Privacy Act 1988 in its use of facial recognition technology without consent and to have failed to take reasonable steps to notify individuals that their personal information was being collected. There were no meek apologies from Bunnings; it came out saying it had every right to use facial recognition and that it was the most effective way to combat rising crime. It has appealed. Now the Managing Director of Bunnings has come out in an AFR article complaining about the privacy law and wanting new laws to allow facial recognition in stores. That is very curious. To call for a change to the law while appealing a decision involving the extant law is not illegal. But it is quite arrogant. Changing the law to allow for such a carve-out would significantly damage the operation of the Privacy Act.
It is becoming common practice for companies affected by significant data breaches to seek injunctive relief. The Australian reports in Qantas goes to court over cyber attack in attempt to stop stolen data being released or used that Qantas has obtained an interim injunction in the New South Wales Supreme Court. A copy of the orders has not been released but it is reported as intending “..to prevent the data being accessed, viewed, released, used, transmitted or published by anyone including by any third parties.” There is no identified respondent to the application. It is also covered by 9 News and Reuters. If the process follows the approach taken by the court in the HWL Ebsworth application for injunctive relief in 2024.
Interestingly the National Office of Cyber Security prepared a report on the HWL Ebsworth Cyber Security Incident titled “Lessons Learned Review”. Under the heading “What was interesting” the report says the following about the injunction HWL Ebsworth obtained from the Supreme Court of New South Wales.
The granting of an injunction from the Supreme Court of New South Wales to HWL Ebsworth was a key point of interest during the management of the incident. The injunction was sought by HWL Ebsworth to restrain further access to or publication of information exposed during the incident, in an attempt to protect client data, and minimise ‘online rubbernecking’. Overwhelmingly, government entities viewed this enabled better support to impacted clients (including individuals) through minimising the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response.
HWL Ebsworth’s intention when seeking the injunction was never to stop its clients from accessing their own data, as several clients were granted exemptions to ensure access for this purpose could continue. However, the injunction also prevented accidental unauthorised access which would have been inevitable in the circumstances where clients of the firm were seeking their own information but would, in the process, further compromise the privacy of other matters unintentionally.
There is quite a bit of supposition in that assessment. It is not possible to know whether the injunction performed that role. There have been no reported contempt of court proceedings for breaching the injunction. It would also be quite difficult to determine whether there was any ‘online rubbernecking’ to start with and whether it was reduced. How to monitor online rubbernecking is another issue. If the data is stored on a particular dark web site, removing the data (highly improbable) would be a better solution than working out who viewed it (even more difficult). That said, injunctive relief is now part of the response in large scale data breaches.
It is clear from the assessment that the orders were almost certainly more involved and complicated than a blanket prohibition. There is reference to exemptions. That is an important issue when seeking such orders. It is important to avoid putting victims who discover their personal information, and view it, in a position where they may be in contempt of court. Clearly not an intended consequence.
That data breaches cause damage is trite. The damage may be economic or psychological. It can also be life threatening as the Times story Revealed: Leak that risked lives of 100,000 Afghans — and £7bn cover-up makes clear. As does the BBC report Thousands of Afghans were moved to UK in secret scheme after data breach. A data breach by a British official at the Ministry of Defence in February 2022 resulted in the personal details of 19,000 people who applied to move to the UK after the Taliban took over being leaked. That prompted a resettlement scheme which has resulted in 4,500 Afghans moving to the UK so far. So far, so bad.
What is very interesting to legal practitioners is that the Government sought and obtained a super injunction which involved a gag order relating to the data breach and its contents. It was the first time the Government had sought a super injunction and it was the longest ever granted. That was lifted yesterday in Ministry of Defence v Global Media and Entertainment Ltd & ors [2025] EWHC 1806.
In reviewing and ultimately lifting the gag order the court made the following points regarding the grant and
Implementing proper password protection is one of the foundation blocks of proper cyber security. It has been since the internet was established. But it remains a real problem for many organisations. Bleeping Computer, with ‘123456’ password exposed chats for 64 million McDonald’s job chatbot applications, reports on a spectacular fail with both the login and the password being 123456.
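The failure reported above is the kind of thing a basic credential policy check catches at provisioning time. The following is an added illustration, not code from the original post, from Bleeping Computer or from any vendor named in the story: a small validator in the spirit of NIST SP 800-63B that rejects blocklisted, sequential, repeated and too-short passwords, and separately flags an account whose username and password are identical. The blocklist and the 12-character minimum are constructed assumptions; a real deployment would load a large breached-password list.

```python
"""Credential-policy check (added example; assumptions noted inline)."""
from __future__ import annotations

# Constructed sample blocklist. Assumption: a real deployment loads a far
# larger list, e.g. a breached-password corpus, rather than this handful.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty",
    "admin", "letmein", "welcome", "111111", "abc123",
}

# Assumption: organisational minimum. SP 800-63B sets 8 as the floor for
# user-chosen passwords; many organisations choose a longer one.
MIN_LENGTH = 12


def _is_sequential(pw: str) -> bool:
    """True when every adjacent pair of characters steps by exactly +1 or -1,
    which catches 123456, abcdef and 654321 alike."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def _is_repeated(pw: str) -> bool:
    """True when the password is one character repeated (111111, aaaaaaaa)."""
    return len(pw) > 0 and len(set(pw)) == 1


def check_password(pw: str, username: str | None = None) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: list[str] = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if _is_sequential(lowered):
        problems.append("is a sequential run of characters")
    if _is_repeated(lowered):
        problems.append("is a single repeated character")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def credential_is_default(username: str, pw: str) -> bool:
    """Flag the specific failure in the story: a login whose username and
    password are identical, or where both sit on the blocklist. Either should
    never survive provisioning of a production account."""
    return username == pw or (
        username.lower() in COMMON_PASSWORDS and pw.lower() in COMMON_PASSWORDS
    )


if __name__ == "__main__":
    # Constructed sample credentials for demonstration.
    samples = [
        ("123456", "123456"),
        ("admin", "admin"),
        ("alice", "correct horse battery staple"),
    ]
    for user, pw in samples:
        print(f"{user!r}: violations={check_password(pw, user)}, "
              f"default={credential_is_default(user, pw)}")
```

The check is deliberately cheap so it can run on every account creation and on periodic audits of existing accounts; the blocklist lookup is the control that SP 800-63B actually mandates, and the length and pattern checks sit on top of it.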
The Chief Justice of the Victorian Supreme Court has published a notice to the profession regarding the conduct of applications to set aside statutory demands. The Notice sets down a very specific timetable which must be followed. There will be consequences for failing to comply. The second feature of the Notice is a requirement to keep affidavits concise and exhibits “..limited to those documents which are critical to the grounds relied upon by the plaintiff and the real issues in dispute.”
Some points that practitioners must consider:
the court will fix a date for final hearing in the timetabling orders;
first, the Notice to the Profession must be served on the defendant (Paragraph 4.1). That is a new development;
“as soon as practicable” after filing (Paragraph 5.2), the Court will make timetabling orders in the form of Annexure A to the Notice which requires:
seven days after filing of the Originating Process, the plaintiff file an affidavit of service of the Originating Process, the supporting affidavit, and a copy of the Notice to the Profession;
14 days after filing of the Originating Process, the defendant file and serve:
an affidavit of service of the statutory demand; and
any affidavit on which it intends to rely in opposition to the application; and
14 days after filing of the Originating Process, the defendant advise chambers that the defendant disputes jurisdiction;
21 days after filing of the Originating Process, the plaintiff must:
file and serve any affidavit on which it intends to rely upon in reply;
file and serve an outline of submissions not exceeding 6 pages and a list of authorities identifying pin-point references; and
email the Chambers of the judicial officer a bundle of authorities that the plaintiff relies upon in pdf text-searchable format, with cases arranged in alphabetical order and with an electronic bookmark for each case
28 days after filing of the Originating Process, the defendant will:
file and serve an outline of submissions not exceeding 6 pages and a list of authorities identifying pin-point references; and
email the Chambers a bundle of authorities that the defendant relies upon which are not already included in the plaintiff’s bundle.
submissions must identify why or why not there is a genuine dispute/offsetting claim/some other matter with reference to the affidavit material;
in advance of any non-compliance with the timetable or exercise of liberty, the parties have to confer regarding the amendments and email the Court to “explain the reason that a variation is sought and provide consent or competing draft minutes of order addressing a revised timetable which maintain the final hearing date and ensures that the last document is filed no later than 72 hours before the final hearing;”
evidence or submissions filed out of time will not be considered at the final hearing without a summons for leave supported by an affidavit explaining non-compliance (Paragraph 8.3).
in the event of non-compliance the Court may, of its own motion, make a self-executing or ‘unless’ order disposing of the proceeding;
the Court will aim to schedule the final hearing to be held within 6 weeks of filing, listed for half a day (Paragraph 8.1); and
within 3 days of the hearing the practitioners briefed to appear at the final hearing are to confer with a view to resolving the dispute or narrowing the issues. The plaintiff must email the Court on behalf of the parties a “joint statement” of the remaining issues in dispute.
High-performance computing (HPC) systems provide fundamental computing infrastructure for large-scale artificial intelligence (AI) and machine learning (ML) model training, big data analysis, and complex simulations at exceptional speeds. Securing HPC systems is essential for safeguarding AI models, protecting sensitive data, and realizing the full benefits of HPC capabilities.
This NIST Special Publication introduces an HPC security overlay that is designed to address the unique characteristics and requirements of HPC systems. Built upon the moderate baseline defined in SP 800-53B, the overlay tailors 60 security controls with supplemental guidance and/or discussions to enhance their applicability in HPC contexts. This overlay aims to provide practical, performance-conscious security guidance that can be readily adopted. For many organizations, it offers a robust foundation for securing HPC environments while also allowing for further customization to meet specific operational or mission needs.
The Recommendation for Key Management, Part 2: Best Practices for Key Management Organizations, provides:
NIST Special Publication (SP) 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements. Finally, Part 3 provides guidance when using the cryptographic features of current systems. Part 2 (this document) 1) identifies the concepts, functions and elements common to effective systems for the management of symmetric and asymmetric keys; 2) identifies the security planning requirements and documentation necessary for effective institutional key management; 3) describes Key Management Specification requirements; 4) describes cryptographic Key Management Policy documentation that is needed by organizations that use cryptography; and 5) describes Key Management Practice Statement requirements. Appendices provide examples of some key management infrastructures and supplemental documentation and planning materials.
The Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance, provides:
NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
The New South Wales Audit Office has published its report, titled Cyber Security insights 2025, on state agencies’ cyber health and preparedness against a cyber attack. It is a mixed report, which is a concern given that the state collects and holds a vast amount of information about the people of New South Wales and encourages, if not requires, people to do business with the state online. The Report is quite critical about aspects of preparedness.
A cybercrime expert has warned of a “worrying pattern” after government agencies were found to have implemented less than a third of basic cybersecurity protections in New South Wales.
State government agencies only met 31 per cent of mandatory requirements to protect public data, according to a report released by the Audit Office of NSW last week.
In total, 27 of these agencies reported 152 “significant, high, and extreme” cybersecurity threats in 2024.
According to the report, 28 of the threats had remedies “that were either largely or completely ineffective”.
Additionally, 60 risks lacked specified timelines to reduce them to an acceptable level.
Professor of cybercrime at the University of NSW Richard Buckland said the report’s findings showed entities were increasingly at risk.
He said that if effective, a cyber attack could “paralyse a section of society or the government”.
“This has been a pattern, a worrying pattern,” he said.
The report found a blind spot was the use of external contractors for some cybersecurity measures, for which the NSW government has no way of measuring if they were up-to-scratch.
Professor Buckland said he understood the desire to outsource but warned it came with its own risks.
“We saw the big Microsoft blackout last year; that was really a third party used by multiple people, CrowdStrike, going wrong, so it is a big risk,” he said.
“It’s harder to monitor, to control, so external people helping you is a double-edged sword, especially if you don’t have external capability to jump in when something goes wrong.”
It comes after Qantas reported a major cyber attack in which it said a “significant” portion of its six million customers’ data was stolen and that a “potential cyber criminal” had made contact with the airline.
Responding to the attack cost the state government more than $30 million, the audit office reported.
Professor Buckland said the report pointed out the “same problem” every year and government agencies were “just not adequately defended”.
“They [the audit office] must be tearing their hair out wondering what they can do to bring about change.”
The report also found local councils were lagging in their defence against nefarious online actors, with only 69 per cent training staff in cyber awareness.
It said one council suffered a ransomware attack that targeted local government records, employee financial data and systems responsible for monitoring water quality.
Councils in NSW are not mandated to implement Cyber Security NSW’s policies, but the agency recommends they adopt safeguards.
“In a way they’re [local councils] less capable, have less staff and less budget to deal with this, so I feel very sorry for them,” Professor Buckland said.
“We’ve seen worldwide a big rise in targeted attacks against municipalities — the equivalent of councils in America — against libraries, schools, smaller and less well-funded data-rich organisations.”
Reacting to the report, Premier Chris Minns on Monday said the government had to find $90 million to “plug gaps” in cybersecurity funding.
“It is a concern. I’m going to be honest, I would like to see us meet all the criteria immediately that the auditor-general identified,” he said.
“That’s not possible though; most of the funding for cybersecurity in NSW had been cut or put on a funding cliff by the previous government.”
He warned it will cost a lot more to make all government agencies safe.
“Some of these organised crime gangs, usually located offshore, are pretty sophisticated, and we obviously have to be on our guard,” the premier said.
In Australia the common law has not responded to the need for privacy protection, and equity has done so only tentatively. The preference of legislatures was to criminalise such intrusive behaviour but shy away from providing civil remedies. That was an inadequate response. That significant gap in the law has been filled by the enactment of a statutory tort of serious invasion of privacy on 10 December 2024, taking effect on 10 June 2025. Behaviour as described in the ABC articles would provide a strong basis for issuing proceedings alleging a serious invasion of privacy.
The earlier ABC article provides:
When Sarah* moved into her first Sydney share house, the Canadian expat thought it was a “completely safe, normal environment”.
Months after moving out, she would find out it was the backdrop of a horrific violation of privacy and trust, perpetrated by her former male housemate.
The coverage demonstrates how important it is for companies to move quickly and transparently to respond to a data breach. It also highlights the poor understanding of privacy law evident in some of the claims made. The Qantas data breach saga is a lesson in how not to respond to a data breach.
The SMH’s Qantas hack victims could get compensation, say experts highlights the sketchy understanding of how civil penalty proceedings operate and what options are available for seeking compensation. The story accurately sets out the maximum penalty the Federal Court could impose if a civil penalty action were brought under section 13H of the Privacy Act 1988. But that does not equate to compensation to consumers. It is a penalty. Whether the Privacy Commissioner would distribute whatever penalty is imposed is unknowable. Given that, Dr Srivastava’s quoted statement as to how the Privacy Commissioner operates is confusing. A more likely route for compensation would be a class action alleging various common law causes of action and potentially statutory claims. It is possible but difficult to consider using the new statutory tort of serious interference with privacy. It would be necessary to show that Qantas’ conduct was reckless. The article provides:
Qantas customers affected by the data hack could ultimately be entitled to compensation if the airline were found to have breached passenger privacy, experts say.
A week after Qantas disclosed the loss of data of up to six million customers, consumer law experts say the airline could ultimately face penalties, if a series of conditions are met.
Qantas detected unusual activity on a “third-party platform” used by the airline’s contact centre in Manila early last week, prompting an investigation, which determined customer names, email addresses, phone numbers and birthdates, as well as frequent flyer numbers had been accessed, through a third-party vendor to Qantas.
On Monday, Qantas said “a potential cybercriminal has made contact” with the airline, saying it was “working to validate” the communication. Cybersecurity officials fear the data could ultimately be used as ransom.
The uncertainty over the status of customer data highlights the volume of data held by Qantas.
Maurice Blackburn class action lawyer Lizzie O’Shea, who specialises in privacy issues, said: “Qantas is a holder of a very significant amount of consumer information, involving huge amounts of data that are used for all sorts of purposes, including profiling consumer behaviour.”
Australian privacy law requires an entity to take reasonable steps to protect customers’ information from misuse and unauthorised access.
The use of the data “may not meet the standards of what most people expect for the way the data is collected and how it’s used,” O’Shea says.
There is no “social license for companies to collect huge amounts of data”, especially as polls show the public continues to show a preference for stronger data protections, she says.
“For that reason, these kinds of data breaches are hugely illuminating for the public. They act as a lightning rod for consumer frustrations, which are usually accompanied by a call for governments to enact stronger privacy laws.”
It’s understood that following the high-profile and damaging hacks of Medibank Private and Optus in 2022, Qantas purged old customer data.
Monash Business School Department of business law academic Dr Aashish Srivastava said: “Under the Privacy Act, if there is a data breach and the customer complains to the Office of the Australian Information Commissioner, and after an investigation the OAIC finds there were privacy breaches by Qantas, as part of that, the OAIC can give the consumer some kind of remedy for any loss or damage suffered as a result of the privacy breach.”
Under the Privacy Act, the watchdog can impose a range of civil penalties, from a maximum of $2.5 million for an individual and up to $50 million for a company. Optus and Medibank were the target of class actions following their damaging losses of customer data during separate hacks. The privacy watchdog also took civil action against Medibank.
The watchdog conducted a routine review of Qantas’ frequent flyer data management in 2017, finding that while all “personal information is stored in Australia, Qantas frequent flyer use several offshore customer service centres”.
At the time, Qantas conducted “overseas contract staff background checks” and put provisions in employee contracts “related to the handling of personal information”, the OAIC said.
The watchdog in 2019 recommended in the assessment that the Qantas frequent flyer program “develops and implements a privacy management plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations”.
The Notifiable Data Breaches scheme requires companies to notify the Office of the Australian Information Commissioner and customers “at risk of serious harm from … a data breach”.
Cybersecurity expert Lani Refiti, from national security firm Azcende, said that if a ransom were sought at this point, Qantas’ corporate and government-led cyber response team would have to be in discussions with the attackers.
Qantas is investigating after it was contacted by a suspected cyber criminal days after a major hack.
Qantas has finally posted details of the compromised personal information by way of an update today, nine days after first detecting the intrusion. The stolen data related to 5.7 million customers. Of that number:
4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
1.2 million customer records contained name and email address.
2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
Address – 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
Date of birth – 1.1 million
Phone number (mobile, landline and/or business) – 900,000
Gender – 400,000. This is separate to other gender identifiers like name and salutation.
Meal preferences – 10,000
So the majority of the stolen records were limited to names, email addresses and Frequent Flyer points. Plenty to undertake some phishing and a good start for identity theft. Those 1.7 million customers whose residential addresses, dates of birth and phone numbers were taken are in a more vulnerable situation. Those data points are very useful for a range of illegal activities, especially identity theft.
Qantas has finally provided some advice and pointed to IDcare as providing assistance. It is fairly rudimentary but better than the non-responsiveness of earlier days.