With Salesforce failing to pay the Scattered Lapsus$ Hunters ransom, 150 gigabytes of personal information stolen from Qantas has been dumped onto the dark web.

October 13, 2025

The Scattered Lapsus$ Hunters have followed through on their threat to publish data stolen from a range of targets of their Salesforce data breach. They have published Qantas data on the dark web. It is reported widely, including by the Australian with Cyber expert warns release of Qantas data on dark web amounts to opening virtual Pandora’s box. It has also been covered by Nine News with Qantas to face scrutiny after personal data of 5.7 million customers released, minister says, the Guardian’s Hackers leak Qantas data containing 5 million customer records after ransom deadline passes and Australian Cyber Security Magazine’s Stolen Qantas Customer Records Surface on Dark Web, to name but a few. The Government has predictably stated it will not negotiate with cyber criminals or pay ransoms. The thing is that its data was not stolen and it isn’t the subject of any demand. Qantas has released a statement. Maurice Blackburn has made a representative complaint to the Office of the Australian Information Commissioner alleging that Qantas has breached the Privacy Act 1988 in failing to adequately protect the personal information of its customers.

Qantas has placed significant store on the permanent injunction made by the New South Wales Supreme Court. It will have some impact on media and those who may otherwise be inquisitive. Its impact on cyber criminals who may wish to use personal information for social engineering or identity theft is another matter.

While Qantas is looking forward and recounting what additional security measures have been put in place, the melancholy reality is that poor cyber security, in particular training, has put Qantas in its current predicament. The sober reality is that many companies have inadequate security and woeful training of their staff and contractors.

The Qantas statement provides:

Qantas is one of a number of companies globally that has had data released by cyber criminals following a cyber incident in early July, where customer data was stolen via a third party platform. With the help of specialist cyber security experts, we are investigating what data was part of the release. Read the rest of this entry »

Scattered Spider, Lapsus$ and ShinyHunters combine to threaten Qantas with exposure of stolen data unless a ransom is paid by Friday

October 9, 2025

Ransomware attacks can be protracted, expensive and deeply uncomfortable affairs, as Qantas is discovering, with the collective known as Scattered Lapsus$ Hunters threatening to publish data stolen from Qantas online unless it is paid a ransom. The sum of the ransom is not disclosed. It is reported in the Australian with Cyber hackers threaten to release stolen Qantas data in ransom demand. It is also reported by the ABC with the audio story Qantas facing ransom deadline and Qantas says ‘legal protections in place’ as cyber hacking group threatens to release personal data. Qantas has gone to extraordinary lengths to get an injunction and also to obtain a non-publication order over its solicitors.

That the hackers have paid no heed to the permanent injunction is hardly a surprise. The question is whether it is more broadly effective. It may Read the rest of this entry »

The damage and danger of revenge porn and the ongoing drama of the Latham v Matthews fight

October 6, 2025

Revenge porn, the use (usually by sharing) of intimate images to harm another (often a former partner), has been a chronic problem for some time. It existed in the analog era with the distribution of photos taken on film. It existed through the use of video tape (such as in Giller v Procopets). Its misuse has exploded with digital photography and videography. The common law and equity were slow to deal with this pernicious practice. Too slow. That said, the Western Australian Supreme Court took strong action in Wilson v Ferguson. The legislatures in all states have enacted crimes relating to revenge porn. While the (stereo)typical perpetrator is a male and often an ex-partner, that is not an element of the offence. The ongoing saga between Mark Latham and his former partner Nathalie Matthews has thrown up another example of alleged revenge porn, this time with Nathalie Matthews as the accused. The Australian reports the story with Mark Latham’s former partner bailed after revenge porn charges. It is reported also by 9 News, the SMH and even the prefers-to-be-serious AFR.

The underlying facts giving rise to the charges are unknown, though speculation is rife that it relates to sexual encounters in Mark Latham’s parliamentary office. He admits the encounters but denies consenting to recordings being made.

Matthews and Latham are locked in a three-day hearing over the domestic violence application of 20 May 2025. The prosecution of these charges will proceed independently of that application; however, the prosecution will no doubt complicate matters for Matthews’ legal team.

The Australian article provides:

One-time federal Labor leader Mark Latham’s former partner, Nathalie Matthews, has been granted conditional bail after being arrested on revenge porn charges.

She was arrested at Sydney Airport on Sunday morning after arriving on an international flight from Dubai, one of the cities from which she runs her e-commerce business. Read the rest of this entry »

New South Wales Reconstruction Authority suffers significant data breach. Third party use of AI partly to blame

Artificial Intelligence is the runaway train of administration, the law and most other areas which use it. Its capabilities are rarely fully understood, its dangers are not considered and most users have no idea of how it works. If the use of AI causes or contributes to the misuse of personal information, the aforementioned ignorance is no excuse for failing to comply with privacy legislation. The New South Wales Reconstruction Authority (the “Authority”) today announced that it has been the subject of a data breach. The data breach occurred from 12 – 15 March 2025 and involved names, addresses, email addresses, phone numbers and “some personal and health information.” Names and addresses are personal information. While the Authority stresses the contractor did not use authorised AI, that does not change its liability. Third party providers are a chronic weak link in any data security network. They are often used because they are cost effective. That may mean they are less invested in data security and proper training. Organisations should include proper cyber security requirements in contracts but also insist on a right to inspect the effectiveness of that cyber security.

This episode highlights the need to determine whether the AI used is properly integrated and compatible with existing systems, whether there are appropriate security measures and whether there has been a proper assessment of risk.

Some of the factors organisations need to consider are:

  • Security – In this regard an organisation needs to consider the model type. The starting preference should be a “Closed Model”. This is different to an “Open Model” such as standard ChatGPT. “Closed Models” generally do not allow prompts and results to train the underlying model, and do not retain any data. This deals with unapproved disclosure of confidential or personal information, such as in this case. Any AI system should comply with local and international data sovereignty laws. That would mean data remaining within Australian borders. It is critical to know how often, and how, the underlying Large Language Model (LLM) is trained and updated. It is critical to ensure that these underlying updates are secure and trustworthy, or otherwise subject to sufficient controls.

  • Quality of data and training – In addition to quality in, quality out for data, it is important to have quality training. It is necessary to look at models that have invested in industry-specific pre-training to achieve optimal results.

  • Quality Assurance – If an organisation uses AI to make decisions it is critical to have quality assurance. That involves using statistical methods, such as precision and recall. There should be regular testing and validation.

  • Tracking – It is important to trace work products and decisions. That should involve having methods to monitor and document where AI has been involved in the development of work products. That could involve logs of AI interactions or tagging outputs generated by AI systems.

Clearly the Authority will have to review how its third party providers use their AI.  There was a failure to properly monitor and proscribe practices involving the personal information collected by the Authority and used by third parties.

The data breach has been reported by the ABC with Read the rest of this entry »

Legal Practice Board suffers data breach, notifying data breach victims

October 3, 2025

The Legal Practice Board of Western Australia suffered a data breach on 21 May 2025. It claimed the incident was swiftly contained and that it implemented changes to avoid a recurrence. In the subsequent 5 months it discovered that additional data was accessed by the cyber hacker beyond that determined in May. Unfortunately that involved health, identity and financial information. Unusually for such updates, the Legal Practice Board has advised there is a low risk of misuse of the data because it believes the third party no longer has the Board’s data. That is far from the norm. Usually hackers hold onto stolen data unless they are convinced to destroy it or hand it back. In the context of ransomware attacks that invariably happens after payment of the ransom. Unfortunately the Legal Practice Board will not share the basis for its belief. The Board also claims an injunction will prevent any access to or sharing of the data. That is more assertion than evidence. Injunctions are now becoming quite a standard form of response to cyber attacks. Whether that slows the publication of data on the dark web or the sale of personal information is yet to be seen.

It is ironic that the statutory body responsible for standards and discipline of the legal profession in Western Australia has had its cyber security found wanting. Even more interesting is that it took 5 months to discover that more information was stolen than was previously thought. There is a problem there, either in the nature of the remediation, the resources provided for it or the process for notifying victims.

The Legal Practice Board’s recent media release and the history of this data breach provides:

The Legal Practice Board (the Board) experienced a cyber incident in late May 2025 which resulted in some of our systems being taken offline, including our online website services.

Since this time, the Board has worked to restore and ensure the security of our systems, implement temporary manual workarounds where needed, and fully investigate the incident and potential data access. We would like to assure you that the incident was swiftly contained, and we have implemented a range of measures to prevent risk of reoccurrence.

Following a comprehensive investigation, the Board has determined that some additional data was accessed by the third party, beyond the small amount of information disclosed in May which was addressed at the time.

The Board is undertaking a detailed review of this data and on Wednesday 1 October, 2025, commenced notifying individuals whose health, identity and financial information was involved. 

If you have not received a notification by email or post there is no action you need to take. Please note, emails may be sent to work or personal email addresses.

The Board is continuing to assess whether any other information was involved and will issue further notifications should this be required. This webpage will be updated when the data review and notifications are complete.  

Importantly, the Board considers there is a low risk of misuse of the data involved, based on the following factors:  

Read the rest of this entry »

US Federal Trade Commission takes action against Disney and Apitor for unlawful collection of children’s personal information

September 24, 2025

Protection of children’s privacy has been the subject of increasing focus by regulators worldwide. In Australia, under the Privacy and Other Legislation Amendment Act 2024, the Office of the Australian Information Commissioner (OAIC) must develop a Children’s Online Privacy Code by 10 December 2026. The Code will specify how online services accessed by children must comply with the Australian Privacy Principles and may impose additional requirements provided they are not inconsistent with the existing principles. Legislation protecting children’s privacy has been in place in the United States for some time, including the Children’s Online Privacy Protection Rule (“COPPA”). Recently the Federal Trade Commission (“FTC”) has taken action against Disney and Apitor, a robot toy maker, regarding the unlawful collection of children’s personal information.

Complaint against Disney

Disney has entered into a settlement with the FTC to settle allegations that it enabled the unlawful collection of children’s personal information in breach of COPPA. The breach was Read the rest of this entry »

Interest in Genea data breach class action growing

September 22, 2025

The SBS has published a very interesting piece on the Genea data breach and medical privacy in general with ‘Really angry’: Isabel is one of hundreds considering class action against this IVF provider. The story reports that Phi Finney McDonald are investigating whether to undertake a class action.

The story highlights the chronic problem of organisations holding personal information much longer than is reasonable. The health sector is particularly prone to this data hoarding. There have been cases where medical practices have retained the records of patients who have died. The deceased have no privacy protections, but there is no basis for holding onto such records. It is a systemic problem. Because the cost of storing digitised personal records is inexpensive and becoming less and less expensive, there is little urgency or financial need to purge databases. The Genea and Optus data breaches reveal that such poor data handling results in personal information being taken which should not have been in the possession of the organisations to start with.

The Genea data breach also highlights how a poor data breach response plan can aggravate a damaging situation. Genea initially treated its patients and ex-patients poorly, has been very closed-mouthed about the data breach generally and took an inordinate amount of time to properly notify those patients affected.

The article provides:

Hundreds of Australians have shown interest in a class action lawsuit, which could be the first test of new reforms to Australia’s Privacy Act.

Isabel Lewis wanted to have children so badly that her friends nicknamed her “clucky”.

She would write letters to the child she dreamed of having, but there was a stumbling block for Lewis.

“I was 38 and single,” she tells SBS News.

“It was hard to date when you are single, but you are desperate to have children.”

It was then that Lewis made a big life decision: to pursue motherhood without a partner.

“In that process, I was like, ‘Well, clearly then I’ll be single forever. No-one will ever want to date somebody with children,'” she says.

“But then I met Chris.”

The pair clicked, and for her next cycle, Lewis put her initial donor on hold and used her new partner Chris Lewis’s sperm instead.

A few cycles later, they were trying for a fifth time, a cost that put the pair into debt.

Lewis says this was going to be their last try, but to her amazement, not one but two of her embryos were successful.

“We had twins, baby boys, and they’re Chris’s biological children,” she says. They’re the jackpot babies.

Eight years on, her boys are happy and healthy, and she and Chris are married.

The now 46-year-old holds her journey to motherhood close to her chest, but since a data breach targeted the fertility clinic she used, she’s become concerned it could be exploited for malicious purposes.

In February, Genea Fertility informed clients, including Lewis, via email that personal data had been breached by cybercriminals and posted to the dark web.

Read the rest of this entry »

Privacy Commissioner finds that Kmart’s use of facial recognition technology breached the Privacy Act and was unlawful

September 18, 2025

First it was Bunnings and now Kmart has breached the Privacy Act 1988 in the use of facial recognition technology. Today the Privacy Commissioner published the results of a Commissioner-initiated investigation that found Kmart Australia breached the Australian Privacy Principles in the collection of personal and sensitive information through facial recognition technology in the period June 2022 to July 2022. The story is covered by Information Age’s article Kmart facial recognition broke privacy laws, regulator finds. It is also covered by the ABC, the Australian Financial Review, Read the rest of this entry »

Signal Foundation sounds alarm on AI agents invading privacy

AI has a voracious appetite for data. The implications for privacy protection are obvious. What is less known, or at least less discussed, is the danger to privacy from AI agents. This is explained clearly, and concerningly, by the President of the Signal Foundation, Meredith Whittaker, in this week’s Economist “By Invitation” piece AI agents are coming for your privacy, warns Meredith Whittaker. A key concern is that operating systems are integrating AI agents into the core of their platforms so that they are mandatory. It is a particularly apt article for a delicate time in the development of AI technology. The development of AI cannot be at the expense of privacy. More to the point, AI can be developed with privacy protections built in. Not as an afterthought.

The article provides:

SOON WE WILL all have robot butlers, an army of AI agents anticipating our needs and fulfilling our desires. At least, this is the tech promise of the moment. From booking a restaurant to asking your crush on a date, we’ll be able to put our brain in a jar while a bundle of AI systems does our living for us. Why waste time on wooing when you can leave it to your botservant to turn on the charm? In pursuit of this future, the companies that dominate this market are busy injecting AI agents into the nervous system of the digital world. But as in fairy tales, so in life: relying on magical fixes leads to trouble. Read the rest of this entry »

National Institute of Standards and Technology releases important report on Ransomware Risk Management

September 13, 2025

Ransomware is a chronic and growing problem in cybersecurity. It is important that organisations have an understanding of the threat but, more importantly, properly prepare against an attack. On both counts Australian companies are generally underprepared. The National Institute of Standards and Technology (NIST) publishes excellent guides and reports. Its report 8374 Revision 1, Ransomware Risk Management: A Cybersecurity Framework 2.0 Community Profile, is particularly timely. It is a crucial document that can help organizations bolster their defenses against ransomware threats.

The Abstract provides:

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Cybersecurity Framework (CSF) 2.0 Community Profile identifies the security objectives from the NIST CSF 2.0 that support governing, managing, identifying, protecting against, detecting, responding to, and recovering from ransomware events. The Profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of ransomware events. This Profile can be leveraged in developing a ransomware countermeasure.

The Report starts with a very good description of the challenge ransomware poses when it states:

Ransomware is a type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data. Ransomware can also be used to steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware events target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves. The methods ransomware uses to gain access to an organization’s information and systems are common to cyberattacks more broadly, but they are aimed at forcing a ransom to be paid. Techniques used to promulgate ransomware will continue to change as attackers constantly look for new ways to pressure their victims.

Ransomware attacks differ from other cybersecurity events where access may be surreptitiously gained to information such as intellectual property, credit card data, or personally identifiable information and later exfiltrated for monetization. Instead, ransomware threatens an immediate impact on business operations. During a ransomware event, organizations may be afforded little time to mitigate or remediate impact, restore systems, or communicate via necessary business, partner, and public relations channels. For this reason, it is especially critical that organizations be prepared. That includes educating users of cyber systems, response teams, and business decision makers about the importance of – and processes and procedures for – preventing and handling potential compromises before they occur.

Fortunately, organizations can follow recommended steps to prepare for and reduce the potential for successful ransomware attacks. This includes the following: establish, communicate and monitor ransomware risk strategy, expectations and policy; identify and protect critical data, systems, and devices; detect ransomware events as early as possible (preferably before the ransomware is deployed); and prepare to respond to and recover from any ransomware events that do occur. There are many resources available to assist organizations in these efforts. They include information from the National Institute of Standards and Technology (NIST), the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS).

The Report provides Read the rest of this entry »