Qantas data breach attracts more criticism and well overdue calls for more effective preparedness by Australian companies.

July 7, 2025

How a company, organisation or agency initially responds to a data breach often sets the tone for how the problem is perceived to be managed afterwards. The quality of the response is directly linked to preparedness for such a contingency. Recent mega breaches in Australia, such as the Medibank, HWL Ebsworth and Optus data breaches, were notable for their poor initial responses. That inevitably led to prolonged poor press, unnecessarily drawn out investigations to determine the cause of the breach and fix the problem, and often litigation. Qantas’ response has been poor to date. Qantas is not an outlier. Many companies and organisations give little thought to how they collect and store personal information, and no thought to what might happen in the event of a data breach. One of the causes of those inadequate responses is the overall complacency in the market, and a large part of that has been inadequate laws, poor enforcement and a lack of consequences for data breaches. The Australian has a good piece dealing with this concerning state of affairs, ‘Disappointing, frustrating’: How Qantas data breach exposes deep flaws in Australia’s cyber defences. The story’s reference to the work the Australian Signals Directorate does and to Government spending is a distraction from the main issue: the need for companies to have proper data handling practices and security, cyber and otherwise.

The article Read the rest of this entry »

Qantas data breach follows a familiar pattern in Australia of the company saying too little too late. Soon the legal problems will appear

July 4, 2025

There are three distinct issues that confront a company dealing with a data breach. The first is the legal issue: who to notify, when, and what steps need to be taken to mitigate any loss. The second is the practical and technical issue: finding out how the breach occurred, the extent of the damage and what repairs need to be undertaken. The final is public engagement: notifying the public and the media, and advising what went wrong and what is being done to fix the problem. Australian companies are a long way behind their contemporaries in the United States and Europe in sophistication. Given the more effective regulation overseas, companies there are quicker to notify regulators. In the United States there is a culture of more transparent and effective communication with the public. Not always, but commonly. Australian companies tend to be dreadful at advising the public. Many put together bland boilerplate statements which mean nothing, which is their intent. That can lead to escalating problems and great mistrust. And rather than containing the fallout it increases it, as more information leaks about the data breach, much of it inconsistent with the blandly reassuring statements in the media releases.

It is good practice to have a data breach response plan which deals with each issue. In Australia even the companies that have such a plan rarely conduct practice runs and simulations. Many of their lawyers take a very rigid approach to the problem. As a result many responses are stilted, inflexible, incredibly defensive and often counterproductive.

The ABC piece Qantas executives slow to be seen after data breach affecting up to 6 million customers summarises the problem with tardy and inadequate responses. So far Qantas’ handling has been at best mediocre, about on a par with most large Australian companies hit by a cyber attack. The Australian also covers the response in How Qantas is managing the fallout of a cyber attack targeting the personal details of 6 million people. The article quotes a class action lawyer from Maurice Blackburn on the inadequacy of the privacy laws. She claims that data breaches in other parts of the world are “… not happening to the scale that it happens in Australia and in part that’s because they have different laws in place that focus on things like data minimisation and higher standards of cyber security.” That is partly correct but mostly not. Australian privacy legislation lags the UK and Europe and even parts of the United States of America, such as California’s Consumer Privacy Act. It is not fit for purpose in the digital age, where the collection of data is easy to do and can be done at a rapid pace and in enormous volume. But the real problem in Australia has been very lax regulation and enforcement. That has led to a culture of complacency. For Read the rest of this entry »

Australian Signals Directorate and Australian Cyber Security Centre release a statement/guidance on cyber hygiene

July 3, 2025

The Australian Signals Directorate (“ASD”) and the Australian Cyber Security Centre (“ACSC”) have released guidance urging organisations to enhance their cyber hygiene in response to potential global cyber threats. The guidance emphasises reviewing cybersecurity measures and implementing what is described as the Essential Eight mitigation strategies. These strategies include patching systems, enabling multi-factor authentication, and restricting administrative privileges. The guidance also highlights the importance of preparing for Distributed Denial of Service attacks, Active Directory compromises, and ransomware threats. Of particular use is the cybersecurity incident response planning guidance, which was updated and published last December.

The guidance is a Read the rest of this entry »

Six million Qantas customers’ data affected by a cyber attack on its Manila based call centre

July 2, 2025

Cyber attacks on third party providers are common. Companies regard third party providers in some countries as an effective and, most importantly, cost effective option. Australian Privacy Principle 8 and section 16C of the Privacy Act 1988 specifically deal with data sent to third countries. Under APP 8.1, before a company discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. Where it engages a contractor located overseas to perform services on its behalf, in most circumstances the provision of personal information to that contractor is a disclosure. What is reasonable depends on the circumstances. It is an objective test. How companies assess what is reasonable is another matter. In my experience “reasonable” ranges from comprehensive rules about data handling and cyber security, with reviews and inspections, to a more general light touch, or no touch, oversight. Clearly the former approach is more in keeping with the text of APP 8.1. If there is a data breach at a third party provider in another country, being able to demonstrate a comprehensive system is far more defensible when the regulator comes knocking.

What systems were involved at the Manila call centre where Qantas stored the personal information of 6 million customers will be the subject of close inspection, given Qantas has been hit by a cyber attack which resulted in the personal information of 6 million customers being affected. Qantas believes a “significant” amount of the data has been stolen. In its statement it confirms that the attack on its call centre was detected on 30 June 2025. It does not say when the data breach started or how the hackers gained access, though subsequent reporting suggests that vishing was involved. The data stolen involved names, email addresses, phone numbers, dates of birth and Frequent Flyer numbers. As usual Qantas tried to make it a good news story by saying that credit card and other financial information and passport details were not affected. But the information stolen is a start for identity theft and creates opportunities for phishing.

Some of the commentary has been quite confused. And wrong. The Australian’s Albanese must step up to protect Aussies after Qantas hack seems to argue that the Government has a major role in dealing with this breach and that its “laissez-faire attitude” emboldens criminals. It goes so far as to say “A test of his leadership will be how his government responds to the Qantas hack.” As much as government after government deserves censure for neglecting this area of law, that contention is just not correct. That analysis is a symptom of the incoherence in the regulation of privacy laws and a general lack of understanding of where the respective responsibilities lie.

The prime responsibility falls on the companies holding data, in this case Qantas. They have the same responsibility as if the data was held in their offices in paper form. This responsibility pre-dates the internet. Making it partly the Government’s responsibility, even obliquely, muddies the waters. If Qantas left the doors to its offices open and thieves stole boxloads of documents, the Government would not be held to account for this reckless behaviour.

The second level of responsibility lies with the regulator, the Privacy Commissioner (though the ACCC and ASIC sometimes seek to take action). If a company fails to properly protect personal information then the Privacy Commissioner should take strong action, especially civil penalty proceedings. Individuals affected by the breach should also be able to bring action. That action should be very public so that the market will know what to expect if it ignores its obligations. If no, or inadequate, action is taken the market will notice and act accordingly. For many years the regulator was not armed with sufficient powers to take strong action. But even when those powers were provided, especially since March 2014 when the Commissioner could bring civil penalty actions, the regulator was timid at best. Sometimes the Commissioner has Read the rest of this entry »

UK National Health Service links patient death to a ransomware attack

June 30, 2025

Health services, especially hospitals, are a prime target for cyber attackers. The defences are usually weak and the responses confused. The target of an attack is usually personal information, but ransomware is a common method of extorting payment, and ransomware attacks can have dramatic consequences. The National Health Service in England has identified a ransomware attack in June 2024 on the pathology laboratory services provider Synnovis as a contributing factor in the death of a patient. One of the contributing factors that led to the patient’s death was a long wait for a blood test result due to the cyberattack.

A Russian-speaking ransomware group, Qilin, claimed responsibility for the attack, which triggered a nationwide shortage of type O-negative blood. The attack disrupted Synnovis’ ability to perform a host of services, including blood testing, leading to the cancellation or postponement of 10,152 acute outpatient appointments and 1,710 elective procedures at the most affected NHS trusts, London’s King’s College Hospital and Guy’s and St Thomas’ hospitals. It has been reported by the BBC in Ransomware attack contributed to patient’s death.

This is not the first fatality linked to a ransomware attack. In 2020 a patient in Germany died during a cyber attack on a hospital in Düsseldorf. Wired has an excellent article regarding that very tragic event.

The BBC article Read the rest of this entry »

UK Data (Use and Access) Act receives Royal Assent. More changes to UK privacy legislation

June 24, 2025

There are continuous changes to privacy related legislation in Europe and in many states of the United States of America. The UK has just made its changes to such legislation, on 19 June to be exact, after the legislation passed both the House of Commons and the House of Lords on 11 June 2025. Australia completed the first tranche of privacy reforms on 10 December 2025.

The amendments to the UK GDPR and Data Protection Act 2018 include:

  • providing a revised legal definition of ‘recognised legitimate interests’, which is narrower and public sector focused and sets out a list of bases for processing personal data. The Secretary of State can amend the list.
  • clearer provisions regarding the meaning of legitimate interest with references to direct marketing,  transmission of personal data for internal administration purposes, and what processing is necessary to ensure the security of network and information systems.
  • providing the Secretary of State with power to designate additional special categories of personal data and additional processing categories under special category data.
  • a revised scientific research definition.
  • an expanded provision on the meaning of further processing and what constitutes compatible processing.
  • narrowing the prohibition on automated decision-making.
  • providing specific provisions regarding children’s “higher protection matters”, with a need to take account of the same when providing information society services that are likely to be accessed by children.
  • codifying the data protection test for assessing adequacy of third countries or international organisations
  • specifying that exporters of personal data should act reasonably and proportionately when making transfers subject to appropriate safeguards.
  • codifying the existing ICO guidance that organisations need to conduct reasonable and proportionate searches when responding to data subject access requests.
  • adjusting transparency requirements when it is impossible or involves disproportionate effort to inform data subjects of further processing for research purposes.
  • provisions establishing smart data schemes and digital verification services.
  • provisions relating to:
    • online safety research and data retention,
    • national security,
    • intelligence service and law enforcement use of data,
    • National Underground Asset,
    • Births and Deaths registers,
    • information standards for health and social care,
    • smart meters; and
    • overseas trust services.


The Australian Competition and Consumer Commission releases its tenth and final report of its five year Digital Platform Services Inquiry. It identifies harmful practices and calls for widespread law reform relating to Digital Platform services.

After five years the Australian Competition and Consumer Commission (“ACCC”) has released its 10th and final report of the Digital Platform Services Inquiry.

The ACCC’s media release provides:

Without sufficient laws in place, Australian consumers and businesses continue to encounter a significant number of harmful practices across a range of digital platform services, the ACCC’s tenth and final report of the ACCC’s Digital Platform Services Inquiry has found.

“Digital platform services are critically important to Australian consumers and businesses and are major drivers of productivity growth in our economy,” ACCC Chair Gina Cass-Gottlieb said.

“While these services have brought many benefits, they have also created harms that our current competition and consumer laws cannot adequately address. This is why we continue to recommend that targeted regulation of digital platform services is needed to increase competition and innovation, and protect consumers in digital markets.”

The report, which concludes the ACCC’s five year inquiry, has reiterated support for measures including an economy wide unfair trading practices prohibition, an external dispute resolution body for digital platform services, and a new digital competition regime.

Continued risk of widespread harms to Australian consumers and small businesses

The ACCC’s final report found that there continues to be significant risk of consumer and competition harms on digital platforms.

Consumers continue to face unfair trading practices in digital markets including manipulative design practices, such as user interfaces that direct consumers to more expensive subscriptions or purchase options. Read the rest of this entry »

National Australia Bank fined $751,200 for breaches of the Consumer Data Right Rules

The Australian Competition and Consumer Commission has fined the National Australia Bank (“NAB”) $751,200 for breaches of the Consumer Data Right Rules. The Rules are relatively recent legislative provisions which are designed to provide a secure, safe and easy to use means of sharing data with an accredited provider under the Consumer Data Right. Under the CDR Rules, data should be securely transferred from the existing provider.

The ACCC media release provides:

National Australia Bank Limited (NAB) has paid penalties totalling $751,200 after the ACCC issued it with four infringement notices for alleged contraventions of the Consumer Data Right (CDR) Rules.

The infringement notices relate to alleged failures by NAB to disclose, or accurately disclose, credit limit data in response to four separate requests made by different CDR accredited providers on behalf of consumers.

The CDR is an economy-wide data sharing program that empowers Australians to leverage the data businesses hold about them for their own benefit. Read the rest of this entry »

16 billion logins to Google, Apple and Facebook have been stolen and leaked online

June 22, 2025

It was not all that long ago that data breaches involved the personal information of thousands of people. That quickly escalated to hundreds of thousands, with the occasional big breach hitting the million mark. Now data breaches involving tens of millions and beyond are quite common. Hackers previously attacked one site at a time and exfiltrated data, often to the dark web. Now multiple coordinated attacks are becoming standard practice, such as the hacking of multiple superannuation sites in Australia. The ABC, amongst others, reports that 16 billion logins for sites such as Google and Facebook have been leaked and compiled online. Bleeping Computer, in No, the 16 billion credentials leak is not a new data breach, has concluded that the publication of this vast trove of data was in fact a compilation of credentials previously stolen by infostealers. In a sense it doesn’t matter. The data was stolen, and whether that occurred very recently or over a longer period, the fact that the data remains at large is hugely embarrassing on an ongoing basis for those who held the logins and a problem for those who used those logins. It highlights the need to have proper data security to start with.

The ABC article provides:

Billions of login credentials have been leaked and compiled into datasets online, giving criminals “unprecedented access” to accounts, according to new research from a cybersecurity publication.

The research from Cybernews revealed that a total of 16 billion credentials were compromised, including user passwords for Google, Facebook and Apple.

The report said the 30 exposed datasets each contained a vast amount of login information and the leaked information did not span from a single source, such as one breach targeting a company. Read the rest of this entry »

UK Information Commissioner’s Office fines 23andMe 2.3 million pounds for failing to protect genetic privacy

Since the genomic testing company 23andMe filed for bankruptcy (and even before then) it has been consistently in the news. There was profound concern about the genetic data of millions of people being potentially sold to third parties in any liquidation. The initial calls for customers to retrieve their data escalated to litigation against 23andMe. As it turned out, the co-founder and former CEO has purchased nearly all of the company’s assets for $305 million through a non-profit, TTAM Research Institute. The problems with 23andMe predate its financial woes. The UK Information Commissioner’s Office has recently issued a fine of $305 million pounds against the company for failing to implement appropriate security measures following a cyber attack in 2023. The ICO and the Canadian Privacy Commissioner undertook a combined investigation into 23andMe’s systems.

The media release provides:

We have fined genetic testing company 23andMe £2.31 million for failing to implement appropriate security measures to protect the personal information of UK users, following a large-scale cyber attack in 2023.

The penalty follows a joint investigation conducted by the ICO and the Office of the Privacy Commissioner of Canada.

What happened

Between April and September 2023, a hacker carried out a credential stuffing attack on 23andMe’s platform, exploiting reused login credentials that were stolen from previous unrelated data breaches.

This resulted in the unauthorised access to personal information belonging to 155,592 UK residents, potentially revealing names, birth years, self-reported city or postcode-level location, profile images, race, ethnicity, family trees and health reports. The type and amount of personal information accessed varied depending on the information included in a customer’s account.

Our investigation found that 23andMe did not have additional verification steps for users to access and download their raw genetic data.

John Edwards, UK Information Commissioner, said:

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.

“We carried out this investigation in collaboration with our Canadian counterparts, and it highlights the power of international cooperation in holding global companies to account. Data protection doesn’t stop at borders, and neither do we when it comes to protecting the rights of UK residents.”

Philippe Dufresne, Privacy Commissioner of Canada, said:

“Strong data protection must be a priority for organisations, especially those that are holding sensitive personal information. With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organisation that is not taking steps to prioritise data protection and address these threats is increasingly vulnerable.

“Joint investigations like this one demonstrate how regulatory collaboration can more effectively address issues of global significance. By leveraging our combined powers, resources, and expertise, we are able to maximise our impact and better protect and promote the fundamental right to privacy of individuals across jurisdictions.”

Summary of the contraventions

The joint investigation into 23andMe revealed serious security failings at the time of the 2023 data breach. The company breached UK data protection law by failing to implement appropriate authentication and verification measures, such as mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. It also failed to implement appropriate controls over access to raw genetic data and did not have effective systems in place to monitor, detect, or respond to cyber threats targeting its customers’ sensitive information.

23andMe’s response to the unfolding incident was inadequate. The hacker began their credential stuffing attack in April 2023, before carrying out their first period of intense credential stuffing activity in May 2023. In August 2023, a claim of data theft affecting over 10 million users was dismissed as a hoax, despite 23andMe having conducted isolated investigations into unauthorised activity on its platform in July 2023. Another wave of credential stuffing followed in September 2023, but the company did not start a full investigation until October 2023, when a 23andMe employee discovered that the stolen data had been advertised for sale on Reddit. Only then did 23andMe confirm that a breach had occurred.

By the end of 2024, the security improvements made by 23andMe were sufficient to bring an end to the breaches identified in our provisional decision.

You can read the full details of the incident in our monetary penalty notice.

Impact on consumers

The combination of personal information that could be found in 23andMe accounts, such as post codes, race, ethnic origin, familial connections, and health data could potentially be exploited by malicious actors for financial gain, surveillance or discrimination. The ICO received 12 complaints from consumers. Some of the people affected by the breach told us the following:

“I expected rigorous privacy controls to be in place due to the nature of the information collected. Unlike usernames, passwords and e-mail addresses, you can’t change your genetic makeup when a data breach occurs.”

“Disgusted that my DNA data could be out there in the wild and been exposed to bad actors. Extremely anxious about what this could mean to my personal, financial and family safety in the future. Anxious about my 23andme connections, who may have been impacted and what this may mean further down the line for me.”

Legal requirements and our guidance

The law requires organisations to take proactive steps to protect themselves against cyber attacks. Our guidance recommends using two-factor or multi-factor authentication wherever possible, particularly when sensitive personal information is being collected or processed. In addition, organisations should regularly scan for vulnerabilities and instal the latest security patches without delay.

We have detailed guidance to help organisations understand their security obligations. Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.

Advice for the public

The responsibility to keep people’s information secure lies first and foremost with companies that collect and use personal information, and they have a legal duty to take this responsibility seriously.

But there are also steps people can take to protect their personal information, for example: use strong, unique passwords for each account; enable multi-factor authentication wherever possible; and remain vigilant against phishing emails or messages that reference personal or genetic information.
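The ICO’s summary of contraventions above turns on two gaps: no effective monitoring to detect the credential stuffing as it ran, and no additional verification before raw genetic data could be downloaded. The following is an added example, not code from the ICO notice or from 23andMe, of what the missing monitoring can look like: a small detector run over constructed authentication log lines (the log format, usernames and IP addresses are all assumptions made up for the example).

```python
"""Credential-stuffing detector over constructed authentication logs.

Added example; not from the ICO penalty notice or 23andMe's systems.
Constructed log format (an assumption for this example):
    "<ISO timestamp> <src_ip> <event> <username> [mfa=yes|no]"
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: one IP walks six different accounts in seconds with
# mostly failures, lands one valid password, then pulls raw data without a
# second factor. A second IP is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2023-05-14T02:00:01 203.0.113.7 LOGIN_FAIL alice
2023-05-14T02:00:02 203.0.113.7 LOGIN_FAIL bob
2023-05-14T02:00:03 203.0.113.7 LOGIN_FAIL carol
2023-05-14T02:00:04 203.0.113.7 LOGIN_FAIL dave
2023-05-14T02:00:05 203.0.113.7 LOGIN_FAIL erin
2023-05-14T02:00:06 203.0.113.7 LOGIN_OK frank
2023-05-14T02:00:09 203.0.113.7 RAW_DATA_DOWNLOAD frank mfa=no
2023-05-14T02:03:00 198.51.100.9 LOGIN_FAIL alice
2023-05-14T02:03:20 198.51.100.9 LOGIN_OK alice
2023-05-14T02:05:00 198.51.100.9 RAW_DATA_DOWNLOAD alice mfa=yes
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    kind: str
    user: str
    mfa: Optional[bool] = None  # only present on RAW_DATA_DOWNLOAD lines


def parse_log(text: str) -> list:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mfa = None
        if len(parts) > 4 and parts[4].startswith("mfa="):
            mfa = parts[4] == "mfa=yes"
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1],
                            parts[2], parts[3], mfa))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=5, max_success_ratio=0.3) -> dict:
    """Flag source IPs that attempt many distinct accounts inside `window`
    with a low success ratio. A stuffing run that lands a reused password
    looks exactly like this. Returns {ip: {"accounts": n, "hits": [users]}}."""
    by_ip = defaultdict(list)
    for e in events:
        if e.kind in ("LOGIN_FAIL", "LOGIN_OK"):
            by_ip[e.ip].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):  # sliding time window over this IP's logins
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            ok = [e.user for e in span if e.kind == "LOGIN_OK"]
            if len(users) >= min_accounts and len(ok) / len(span) <= max_success_ratio:
                alerts[ip] = {"accounts": len(users), "hits": sorted(set(ok))}
    return alerts


def downloads_without_mfa(events) -> list:
    """Raw-data downloads not gated by a second factor: the step-up check the
    ICO found 23andMe lacked. Returns [(user, ip), ...]."""
    return [(e.user, e.ip) for e in events
            if e.kind == "RAW_DATA_DOWNLOAD" and not e.mfa]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(detect_stuffing(evs))        # {'203.0.113.7': {'accounts': 6, 'hits': ['frank']}}
    print(downloads_without_mfa(evs))  # [('frank', '203.0.113.7')]
```

In a real deployment the alert on the first IP would drive a block or step-up challenge, and the MFA check would be enforced before the download rather than reported afterwards.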

The regulatory structure applying in the United Kingdom differs from Australia’s, sometimes quite significantly. That said, both have similar approaches when it comes to reviewing and, where appropriate, penalising breaches of security. It is therefore relevant to consider Penalty Notices issued by the ICO. The ICO has a longer and more comprehensive history of issuing Penalty Notices and a developed methodology. The number of Enforceable Undertakings in Australia has been relatively modest, and they are not nearly as comprehensive as those in the United Kingdom and the United States of America. That is likely to change over time with the increased powers and size of penalties under the Privacy Act 1988.

The Penalty Notice is 153 pages long. It is one of the most detailed written assessments of the failures and also, very helpfully, of what is best practice. It is a very useful resource. The relevant takeaways Read the rest of this entry »