Peter A Clarke

The National Institute of Standards and Technology have released an especially valuable document, the Incident Response Recommendations and Considerations for Cybersecurity Risk Management.

The abstract provides:

This publication seeks to assist organizations with incorporating cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities as described by the NIST Cybersecurity Framework (CSF) 2.0. Doing so can help organizations prepare for incident responses, reduce the number and impact of incidents that occur, and improve the efficiency and effectiveness of their incident detection, response, and recovery activities. Readers are encouraged to utilize online resources in conjunction with this document to access additional information on implementing these recommendations and considerations.

The Report provides a useful glossary for those reporting on or drafting protocols and procedures dealing with data breaches including:

• an event is any observable occurrence that involves computing assets, including physical and virtual platforms, networks, services, and cloud environments. Examples of events are user login attempts, the installation of software updates, and an application responding to a transaction request. Many events focus on security or have security implications.
• Adverse events are any events associated with a negative consequence regardless of cause, including natural disasters, power failures, or cybersecurity attacks. This guide addresses only adverse cybersecurity events. 
• A cybersecurity incident is “…an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” with such incidents including:
  • Employing a botnet to send high volumes of connection requests to an internet-facing service, making it unavailable to legitimate service users
  • Obtaining administrative credentials at a software-as-a-service provider, which puts sensitive tenant data entrusted to that provider at risk
  • Intruding upon an organization’s business network to steal credentials and use them to instruct industrial control systems to shut down or destroy critical physical components, causing a major service disruption
  • Deploying ransomware to prevent the use of computer systems and cause multiple data breaches by copying files from those systems
  • Using phishing emails to compromise user accounts and using those accounts to commit financial fraud
  • Identifying a new vulnerability in network management appliances and exploiting the vulnerability to gain unauthorized access to network communications
  • Compromising a vendor’s software, which is subsequently distributed to customers in its compromised state

Regarding incident response roles and Read the rest of this entry »

The Information Commissioner’s Office (“ICO”) has published a review into the gathering of children’s data from services supplying them with current accounts, savings accounts, trust accounts, ISAs and prepaid cards. Given the greater concern about children’s privacy, long overdue, it is prudent to look at the review and consider what is being done in Australia.  What is clear is that failure to maintain proper standards with organisations will, if there is some data breach or other issue, result in acute embarrassment for organisations if the regulator reviews its processes and procedures.  Given the Privacy Commissioner now has powers to issue infringement notices/ compliance notices rather than going to the delay and expense of long and drawn out investigations and civil penalty proceedings this is a factor organisations should consider carefully.

Some of the findings from the review are:

• 69% of participants had policies and procedures in place to control the use of children’s data;
• only 67% of those organisations proactively monitored compliance with their policies and procedures.
• 45% of participants had limited assurance that staff are processing children’s information in line with internal or even legislative requirements.
• only 14% of participants had assigned responsibility for children’s data in policy or relevant job descriptions
• while 97% of participants provided staff with general data protection training however, only 18% of participants included content about the use of children’s personal information
• while 49% of participants say they provided children with age appropriate privacy information ess than a quarter of all participants have carried out any testing to check how easily children would understand their privacy information
• only 36% of children’s savings account products which are opened by parents but transferred to the child at 16 provided the child with privacy information during the transfer process
• When opening a child owned savings account, 83% of participants provided children with privacy information
• 5% of participants also required children to acknowledge that they have read the privacy information, usually recorded by signing the application form
• only 11% of these participants actually carried out any assessment as to whether children are competent enough to understand their notice
• 66% of participants indicated it would be the parent’s (where they are present) responsibility to ensure the child understood privacy information and no attempt would be made to confirm the child understood the privacy information
• 66% of participants reviewed the categories of information they collect on a regular basis to make sure it is limited to what is necessary
• 40% of participants collected special category data, limited to health data and will only be processed having obtained explicit consent.
• 24% of participants relied on consent obtained from the child to process their information for specific purposes. However, 42% of those participants relied on acknowledgement of information provided within privacy information or key facts documents to obtain the consent. This did not meet the requirements of the UK GDPR
• 88% of participants had no process in place to assess a child’s understanding of their data protection rights. For 34% of these participants this was because they had preset age limits which determined whether a child was able to exercise their rights or not.  n most cases this age limit was set at 13 years old although some participants had set this age as high as 16 years old.
• 20% of participants who offer products which process children’s information, but are controlled by parents, did not allow children to access their information or exercise this right at any age
• 96% of participants had an embedded process for verifying the age of children when an account is opened
• 63% of participants had a policy in place to govern communications provided to children, including marketing material. For 83% of participants the policy prohibited the provision of marketing material to children.
• 75% of participants provided communications which included general information about the service provider and also administrative account information. 29% of participants provided communications containing general organisational administrative information. 8% of participants provided marketing communications to children
• 33% of participants had a process in place to regularly update the contact information they hold
• Only 8% of participants required children to have access to their own email and/or phone to enable them to open an account, however if children did have these, then this information was recorded in the majority of cases where the child has some control over the account (current or savings accounts). 76% of participants used parents contact information such as email or phone to provide communications.
• Of the participants who do allow marketing to children, 75% of them included opt in and opt out options on the account application form.  The remaining 25% of participants sought consent from the parent only.

The Executive Summary Read the rest of this entry »

What many organisations fail to appreciate is that a data breach can result in multiple regulators investigating and taking action, not just the Privacy Commissioner. In fact the Privacy Commissioner can be the least aggressive. That is particularly the case with financial institutions where there are quite specific regulations regarding maintaining accounts and security. This is highlighted by the Australian’s article Australian super funds face steep fines after massive cyber attack. Australian Super will refund its members. And the story refuses to die as new facts emerge. And 2 days after the co ordinated attack there is a separate attack on another superfund, Cbus. Cbus says that it has been hacked. Which gives rise to feverish speculation and recollection of warnings about cyber risk being dismissed.

The exposure of Super Funds to regulatory action is significant.  There is a real problem with breaches of APP 11, the requirement to maintain proper data security.  Financial services licencees have obligations under section 912A of the Corporations Act 2001. In May 2022 the Federal Court found that R I Advice, a financial Services licensee had breached its licence obligations by failing to manage cyber security risks. In that case ASIC brought the civil proceeding. APRA also has jurisdiction.  Furthermore there is likely exposure on any representations Super Funds made about the security of their deposits and claims in equity. 

In addition to regulators investigation and bringing action the various cyber security agencies and the Federal Police become involved.  It becomes a hugely Read the rest of this entry »

The Australian with Zero dollars showing on some accounts but AustralianSuper says no need to panic reports that AustralianSuper. The haul, $500,000. What is interesting about the cyber attacks is that they were co ordinated and the targets were all in Super Industry bodies. The means of entry, stolen passwords, known as credential stuffing.  They were possibly obtained from the dark web, which suggests they were acquired from a previous cyber attack.  The theft didn’t involve attacking the cyber defences themselves, but rather As usual in Australia the funds were keen to maintain silence about the breaches.  The Australian Retirement Trust denied this by saying that it notified regulators just not the public.  The spokesman was even more crafty with terminology by claiming the affected customers were notified but not all customers.  This lack of candour is not present in the USA when dealing with cyber attacks.  That is a much more mature approach.

The story is covered by the Guardian, the Australian Financial Review and Nine amongst others.

The Australian article provides:

AustralianSuper

AusSuper chief member officer Rose Kerlin said cyber criminals may have used stolen passwords to log into the accounts belonging to 600 of its members “in attempts to commit fraud”.

Four AustralianSuper customers have lost $500,000 in the cyber raids, although the fund moved to assure customers who were seeing a “$0 balance” on their profiles that they had secure accounts.

Rest Super

Rest Super chief executive Vicki Doyle said 8000 member accounts were affected.

It’s understood criminals attempted to use stolen passwords gathered from other hacks — and possibly shared on the dark web — to break into the accounts.

“Over the weekend of March 29-30, 2025, Rest became aware of some unauthorised activity on our online Member Access portal,” she said.

“No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”

Hundreds of Australian Retirement Trust members first had their accounts breached by cyber criminals about a month ago.

Australian Retirement Trust

Despite a spike of suspicious login attempts on March 8 affecting a few hundred Australian Retirement Trust customers, news about the attack – a co-ordinated hack carried out by cyber criminals on multiple funds – only emerged on Friday.

A spokesman for the fund, which manages more than $300bn in superannuation savings, told The Australian the customers were notified at the time.

He said regulatory agencies were notified soon after, and he denied the company kept news about the widespread cyber attack silent.

About another hundred customers were affected by the continued cyber attacks in the same way to that reported by AustralianSuper and Rest – referred to as “credential stuffing”. No ART account money was stolen.

Credential stuffing uses stolen passwords to gain unauthorised access to data.

Insignia Financial

Insignia Financial said it detected suspicious activity on 100 Expand Wrap Platform customers’ accounts early on Monday.

“At this stage there has been no financial impact to customers,” MLC Expand CEO Liz McCarthy said.

“Our Cyber Security team are actively working to apply additional monitoring and mitigations to protect customer accounts. As a precaution we have taken steps to restrict some activities on the Expand Platform.

“Some customers will receive communications prompting them to reset their passwords when they next login to their accounts.

Hostplus

Hostplus chief executive David Elia said the fund was investigating how its members were affected, but said “we can confirm that no Hostplus member losses have occurred”.

“We had seen various attempts to hack into members accounts but none have succeeded to date,” he said.

“We are of course continuing to monitor the situation and are remaining vigilant.”

Political response

Prime Minister Anthony Albanese sought to downplay the major cyber attack, saying they occur every six minutes.

Opposition home affairs spokesman James Paterson accused Mr Albanese of failing to take the superannuation account breaches seriously.

“The Prime Minister clearly doesn’t understand how serious this is when he described it as just ‘a regular issue’,” Senator Paterson said.

National cyber security

National Cyber Security Co-ordinator Lieutenant General Michelle McGuinness said she was aware “cyber criminals are targeting individual account holders of a number of superannuation funds”.

“I am co-ordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cyber security advice,” she said.

“If you have been impacted or are concerned you may have been impacted, follow the advice provided by your super fund.”

A task force has this week been examining the breach, Home Affairs’ National Cyber Security chief is co-ordinating involvement of government agencies, including the Australian Securities and Investments Commission and Prudential Regulation Authority, plus major super funds.

The agencies are sharing information to investigate the incident.

Cyber CX chief strategy officer Alastair MacGibbon said there was a “very low chance” of catching the culprits behind the cyber raids.

He said the raids on superannuation accounts appeared to be fraud rather than a cyber intrusion, and should be a wake-up call for financial institutions to implement robust multi-factor authentication.

He said it looked like a case of “credential stuffing”, which involves using stolen usernames and passwords that are already circulating on the dark web.

“While it looks big, it’s not a cyber incident, per se. It’s fraud,” Mr MacGibbon said.

“No one has hacked anything. It’s putting usernames and passwords in, which is different from compromising some common thread between all of the superannuation companies.”

He said superannuation companies, like other financial institutions, needed to secure customers’ accounts with third-party multi-factor authentication systems.

Many super funds, including AustralianSuper and Australian Retirement Trust, have opt-in multi-factor authentication systems in place.

Mr MacGibbon said systems that used SMS messages were not sufficient, because phone SIM numbers could be transferred by fraudsters.

Association of Superannuation Funds of Australia said in a statement it was “aware that last weekend hackers attempted to get through the cyber-defences of a number of superannuation funds”.

“While the majority of the attempts were repelled, unfortunately a number of members were affected. Funds are contacting all affected members to let them know and are helping any whose data has been compromised,” the statement says.

The Australian reports in Griffith University subject to privacy, discrimination claims on how personal information can be casually misused as part of another process. On this occasion an academic forwarded a copy of a letter of censure addressed to a Mr Stella at his home address to third parties unconnected to the process. Worse. The letter was sent to people who complained about Stella which resulted in the letter being sent. That is a clear breach of privacy. The personal information was collected for the purpose of processing Stella’s application and administration of his attendance at the university. There was good reasons for that information being disclosed to others. The award of $10,000 is quite modest.

The article Read the rest of this entry »

As I have posted previously on 10 December 2024 the Privacy and Other Legislation Amendment Bill 2024 (Cth), received Royal Assent. Under the Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act), it introduces several significant amendments to the Privacy Act 1988 (Cth) (Privacy Act), many of which came into effect immediately upon assent. Others come into effect later.

The changes:

•  Statutory Cause of Action for Serious Invasions of Privacy: Comes into effect on a  10 June 2025.

Under the tort Individuals can take legal action against organisations or individuals for serious invasions of privacy. The two bases are intrusions into personal seclusion or misuse of personal information.  It is quite a complex tort.  The limitations period is 1 year from date the intrusion occurred or was discovered.

• Automated Decision-Making: Comes into effect on 10 December 2026
  

New transparency obligations require organisations to update their privacy policies to disclose when decisions are made using automated processes.

• Doxxing Offence: Came into effect on 11 December 2024. 

It is illegal to share someone’s personal information with the intent to harm. This offence is punishable by up to 7 years’ imprisonment.

• Children’s Online Privacy Code: Code to be developed and registered by 10 December 2026
  

The Office of the Australian Information Commissioner (OAIC) is required to develop a code addressing online privacy for children. There will be a consultation period of 60 days.

• Overseas Dataflows, Whitelist Powers: Came into effect on 11 December 2024.
  

The Minister has powers to ‘whitelist’ countries that provide substantially similar privacy protections, to assist entities disclosing personal information overseas.

•  Civil Penalty and Powers to Issue Infringement and Compliance Notices: Came into effect on 11 December 2024.

The Privacy Commissioner now has the powers to issue infringement notices and compliance notices for Read the rest of this entry »

23andMe is, or more accurately was, a personal genomics company. It collected genetic information. That is very sensitive. It suffered a data breach in October 2023 when hackers exploited an old password resutling in them gaining access to 6.9 million people. It became the subject of litigation and in June 2024 investigation by the Canadian Privacy Commissioner and the UK Information Commissioner. Early in March the ICO released a notice of intent to fine 23andMe with a 4.59 million fine. 23andMe has just filed for Chapter 11 bankruptcy protection. At minimum that means a restructure. It may continue operating after the restructure. That has raised serious security concerns about the genetic data it holds. The New York Attorney General has urged customers to contact the company to delete their data. In What users need to know about privacy and data after 23andMe’s bankruptcy filing the Conversation sets out the privacy and data management issues from this . That does not alter 23andME’s obligations to protection personal information.

The Conversation’s piece Read the rest of this entry »

T Mobile suffered a massive data breach in 2021. Ultimately T Mobile advised that personal information relating to 76 million customers had been accessed. It has been reported by MSN with T-Mobile prepares $350 million payments for data breach settlement.

The settlement highlights that data breaches can be a extremely costly experience for organisations.  The settlement sum is only one component of the costs.  There are costs associated with dealing with the regulator.  Sometimes more than one regulator.  There are usually heavy costs bringing in additional IT experts.  Hackers often leave chaos behind, particularly in ransomware attacks.  There may need to be rebuilding of the website, its programs and storage areas. In that context it remains concerning that so few mid sized companies put the necessary time and effort required to reduce the Read the rest of this entry »

The California Consumer Privacy Act 2018 (“CCPA”) has the most comprehensive privacy protections of all state based privacy legislation in the USA. It took effect on 1 January 2020. Recently the Agency brought action against Honda for breaches of the CCPA. That has resulted in a settlement and a fine of $232,500.

The CCPA grants California consumers the right to:

• know that personal information is collected, used, shared or sold;
• delete personal information held by businesses
• opt out of sale of personal information
• non discrimination in terms of price of service.

Under the CCPA businesses must, inter alia:

• provide notice to consumers before data collection;
• create procedures to respond to requests from consumers to opt out, know and delete
• respond to requests to from consumers to know, delete and opt out
• disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information

According to the final order the breaches related to:

• Excessive Personal Information. “Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit.”
• Lack of Symmetrical Choices. “Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way.”
• Difficult to Appoint Authorized Agents. “Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights.”
• Lack of Contracts. “Sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”

Excessive Personal Information. Honda required matching more than two data points (sometimes requiring up to eight data points) provided by the Read the rest of this entry »

The Nine papers group has suffered a data breach involving exposure of its subscribers information, some 16,000 in all (so far). That is particularly embarrassing for a news outlet that usually enjoys breathless reporting of privacy fails of businesses. Here the reporting was by News.com with ‘Juicy customer data’ belonging to thousands of Aussies leaked from Nine, the ABC with Nine newspapers subscribers have data exposed online in breach and the Australian Financial Review with Nine audits external data security after breach exposes 16,000 readers. The Australian, a competitor in the market, gleefully reports on the breach with Sydney Morning Herald, The Age and Financial Review readers exposed in data breach.

The breach was the exposure of names, postal addresses and email addresses of 16,000 subscribers.  The information was held by a third party supplier.  The cyber attack was of the that supplier.  While Nine is keen to state that there was no breach of its (excellent) cyber security structure that does not alter the fact that a third party supplier’s cyber protection was not adequate.  This is a very common situation.  Large organisations using third party contractors or suppliers is seen as efficient and cost effective.  Part of that work usually involves the contractor or suplplier holding the organisations store of personal information or having authorisation to access to the organisation’s homepage.  Hackers recognise that many third party suppliers has less effective cyber protection and vulnerable.  To avoid this form of attack organisations should do what they can to require third party contractors and suppliers to have satisfactory and complementary cyber protection and systems in place. Unfortunately that is a conversation that is not had enough.

The ABC story Read the rest of this entry »