May 22, 2024
The UK National Cyber Security Centre has published guidance on dealing with attacks on business email, known as business email compromise (“BEC”).
BEC involves criminal access to a work email account in order to trick someone into transferring money or stealing valuable or sensitive data. The usual method of entry is by using targeted phishing emails to an individual within an organization. Standard email spam filters generally do not detect them, especially if they come from a legitimate email account that has already been hacked.
The guidance recommends organizations take steps to make them less prone to BEC attacks including:
- reducing the digital footprint of senior staff and executives;
- helping staff and users to identify and detect phishing emails;
- implementing two-step verification for accounts; and
- applying the principle of least privilege.
These are quite standard issues for privacy professionals but quite often unknown to organisations.
The press release provides:
Business email compromise (BEC) occurs when a criminal accesses a work email account in order to trick someone into transferring money, or to steal valuable (or sensitive) data. For this reason, BEC attacks are often directed at senior staff, or those that can authorise financial transactions.
Unfortunately, BEC attacks (which are a type of phishing attack) are on the increase. A recent government report on cyber attacks revealed that in 2023, 84% of businesses and 83% of charities have experienced a phishing attack in the past 12 months.
The good news is that the NCSC has recently published new guidance on BEC that includes practical steps that will reduce the likelihood of your organisation suffering from a BEC attack. It is specifically aimed at smaller organisations who might not have the resources (or expertise) to implement the NCSC’s existing guidance on phishing attacks in full.
May 21, 2024
It is hardly a surprise that MediSecure would make a notification under the mandatory data breach notification provisions of the Privacy Act 1988. It is a very significant data breach involving very sensitive information. Today the Information Commissioner’s Office has announced a preliminary inquiry.
It is interesting that the Privacy Commissioner has used this statement to call for reform of Privacy laws. That is topical given the Government has announced that it will introduce a Bill into Parliament in August. By making something more than an anodyne statement the Privacy Commissioner has done something quite new.
The statement provides:
The Office of the Australian Information Commissioner (OAIC) has been notified of the data breach involving MediSecure.
The National Cyber Security Coordinator is working with agencies across the Australian Government, states and territories to coordinate a whole-of-government response to this incident. The OAIC is actively engaging and collaborating with other agencies in this process, with a particular focus on the privacy of individuals and their personal information.
May 17, 2024
The health industry is a keen target for cyber attacks. On the one hand, hospitals, medical surgeries and health industry organisations collect vast amounts of personal and financial information. On the other, the industry is notoriously prone to attack. In the United States, Singing River Health System has been hacked with the records of 895,000 people stolen, while an attack on Ascension has resulted in ambulances being diverted and EHRs taken offline. But it is in Australia where one of the most significant attacks in the health industry has occurred. There has been a data breach at MediSecure, a company which provides electronic prescriptions and monitoring. There is good coverage by the Australian Financial Review, which puts this attack in the context of the large-scale data breaches in Australia over the last year or so.
Given that MediSecure, a name that is deeply ironic today, is the only accredited electronic provider of prescriptions, this is a potentially disastrous development.
As usual in the Australian environment, MediSecure has released a very brief (non) statement which provides:
MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems.
While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.
MediSecure takes its legal and ethical obligations seriously and appreciates this information will be of concern. MediSecure is actively assisting the National Cyber Security Coordinator to manage the impacts of the incident. MediSecure has also notified the Office of the Australian Information Commissioner and other key regulators.
MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time.
While most of the statement is pap, what is relevant is that the breach came through a third-party vendor. That is a common entrepot for major data breaches. Many organisations have not properly grappled with ensuring that third-party operators with authorisations and access rights to their
May 13, 2024
The Attorney General has announced the appointment of Elizabeth Tydd as Information Commissioner. It is an internal appointment, uplifting Tydd from Freedom of Information Commissioner to the top job. It is too early to say whether that is an inspired choice or not. It is probably a safe choice. But there is a very good argument to be made for the regulator to have an outsider to take the helm and adopt a more assertive stance, such as Sims did at the ACCC. Australian Information Commissioners have been worthy, decent and quite conservative. Compared to regulators in the UK, Europe and the US the Information Commissioner’s work rate is low.
The Government’s announcement
May 8, 2024
InnovationAus reports, in Privacy bill to come before Parliament in August, that the long mooted, eagerly awaited and desperately needed amendments to the Privacy Act will be introduced into Federal Parliament. At the recent Privacy By Design awards the Attorney General spoke generally about the need for reform but gave no specifics.
The InnovationAus article provides:
Legislation for a long-awaited overhaul of Australia’s outdated privacy laws will be introduced to Parliament in less than four months, rounding out a policy reform process that has been more than four years in the making.
Prime Minister Anthony Albanese announced the timeline last Wednesday, although limited his comments to the introduction of anti-doxxing laws — a recent focus for the federal government.
On Thursday, Attorney-General Mark Dreyfus said that legislation to “overhaul the Privacy Act and protect Australians from doxxing” would be introduced by the government in August.
He reiterated that the current privacy regime is “woefully outdated and unfit for the digital age”, with “speed of innovation and the rise of artificial intelligence” only making the need for legislative change more important.
A spokesperson for Mr Dreyfus on Monday confirmed to InnovationAus.com that the legislation will address the entirety of the government’s response to the Privacy Act Review.
The legislation will institute all proposals that the government agreed to in its response to the review in September 2023, but it is not yet clear how many of the in-principle proposals will be included.
The government is expected to continue to consult on proposed reforms until the laws are introduced, although it has not been determined if draft exposure legislation will be released before the bill is tabled.
May 1, 2024
Location data is very valuable when combined with other data, and it is important in its own right. The data relates to individuals, so it is privacy intrusive if provided to third parties without consent. Sharing without consent was a practice of large US carriers. Until now. The Federal Communications Commission (“FCC”) has fined the largest carriers in the USA for sharing location data. The fines were:
- Sprint $12 million
- T-Mobile $80 million
- AT&T $57 million, and
- Verizon $47 million
The FCC media release provides:
WASHINGTON, April 29, 2024—Today, the Federal Communications Commission fined the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure. Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined almost $47 million.
“Our communications providers have access to some of the most sensitive information about us. These carriers failed to protect the information entrusted to them. Here, we are talking about some of the most sensitive data in their possession: customers’ real-time location information, revealing where they go and who they are,” said FCC Chairwoman Jessica Rosenworcel. “As we resolve these cases – which were first proposed by the last Administration – the Commission remains committed to holding all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data.”
Qantas has suffered a data breach involving its mobile phone app. Apps are notoriously vulnerable, usually because organisations commonly sacrifice building in proper security in the rush to release a shiny new app. The data breach involving the Qantas app was that frequent flyers using the app could access other people’s accounts. A possible cause of the data breach is a fault occurring because of recent system changes.
The Australian covers the
April 24, 2024
Data breaches come in a variety of forms. The theft of personal information through cyber attacks by criminal gangs is widely reported but is less frequent than other, more prosaic, data breaches, such as the recent breach by Hungry Jack’s of its staff’s personal information. This involved someone in the chain’s training and communication section sending out a spreadsheet containing staff personal information: names, email addresses, job titles etc. The story is reported in the Sydney Morning Herald’s Personal data of ‘thousands’ of Hungry Jack’s staff exposed in internal leak. This is a depressingly familiar breach, and almost de rigueur for government agencies. It bespeaks poor privacy training and data handling by staff. For staff to attach a document containing personal information and send it widely typically involves a poor review of the document itself and woeful
The ongoing political, legal and policy controversy following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (“Dobbs”) to overturn Roe v Wade continues to reverberate, including in the area of privacy law. It should be noted that Roe v Wade was in essence a privacy decision. In the majority opinion, written by Justice Harry A. Blackmun, the Court held that a set of Texas statutes criminalizing abortion in most instances violated a constitutional right to privacy, which it found to be implicit in the liberty guarantee of the due process clause of the Fourteenth Amendment (“…nor shall any state deprive any person of life, liberty, or property, without due process of law”). Roe was a controversial decision politically, and increasingly so, but also a decision that attracted significant debate within the legal community. The pillars of a constitutional right to privacy are enumerated provisions of the Bill of Rights.
The response to Dobbs at the Federal level by the Executive has been to strengthen the privacy controls on the collection, use and sharing of health information. Yesterday the White House announced, through the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) a Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy.
Under the Rule there will be a prohibition on
April 23, 2024
There are mandatory data breach notification laws in all 50 states of the United States of America. There have been occasional attempts to enact comprehensive privacy legislation at the Federal level. There is the 1974 Privacy Act, which established a Code of Fair Information Practice for federal agencies. The result has been limited and generally sector-specific legislation at the Federal level. There may be a change on the horizon with a bill being introduced for an American Privacy Rights Act 2024 (“APRA”) by House of Representatives member Cathy McMorris Rodgers (R-WA) and Senator Maria Cantwell (D-WA).
The APRA will apply to businesses:
- subject to the authority of the Federal Trade Commission (“FTC”);
- common carriers;
- nonprofits; and
- businesses that process covered data on behalf of or at the direction of Covered Entities.
APRA will:
- impose obligations to minimize processing of covered data and apply reasonable data security measures;
- impose heightened obligations on high-impact social media companies and large data holders;
- create uniform data privacy rights, including the right to:
  - opt out of targeted advertising;
  - view, correct, export or delete their data;
- increase transparency by mandating the inclusion of specific information on data processing, retention, transfers to third parties, security practices, and consumers’ rights in public-facing privacy policies;
- in addition to the obligations imposed on Covered Entities and Service Providers, impose additional obligations on high-impact social media companies and large data holders;
- impose heightened transparency obligations on “large data holders,” defined as Covered Entities or Service Providers that had a gross revenue of at least USD 250 million in the most recent calendar year and collected, processed, retained or transferred:
  - the covered data of over 5 million individuals; 15 million portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 35 million connected devices that identify, or are linked or reasonably linkable to one or more individuals; or
  - the sensitive data of over 200 thousand individuals; 300 thousand portable devices that identify, or are linked or reasonably linkable to one or more individuals; and 700 thousand connected devices that identify, or are linked or reasonably linkable to one or more individuals;
- require large data holders to