Australian Information Commissioner inquiring into potential breaches of privacy by Tik Tok

January 1, 2024

Tik Tok has a truly dismal record when it comes to privacy. 

In September the Irish Data Protection Commission fined Tik Tok 345 million euros for breaching the GDPR in relation to the personal information of children using Tik Tok. In April the UK Information Commissioner’s Office fined Tik Tok 12.7 million pounds for misusing children’s data. On 25 March 2022 the U.S. District Court for the Northern District of Illinois approved a $1.1 million settlement with TikTok Inc. (“TikTok”) to resolve claims that TikTok collected children’s data and sold it to third parties without parental consent. In October 2021 Tik Tok reached a 92 million privacy settlement for breaching Illinois’s Biometric Privacy Act.

The genesis of this inquiry is the discovery that Tik Tok has been using tracking tools to harvest data without consent. The Australian Information Commissioner is now inquiring into Tik Tok’s alleged practice of siphoning the personal data of non-users without consent.

Senator Patterson, the opposition spokesman, has been very active in scrutinising Tik Tok, not just on the privacy issues but on Tik Tok’s potential national security threat, given it is a company subject to the control of the Chinese Government. It has also been criticised for the information it spreads, which is anti-Western to say the least.

The Attorney General was drawn into commenting on this inquiry last week, and he said:

JOURNALIST: On another matter, has TikTok breached Australia’s privacy laws by harvesting data from websites without seeking their consent?

ATTORNEY-GENERAL: The Australian Government is very concerned to protect the privacy of Australians and the privacy of Australian children. We are very pleased that the Privacy Commissioner, who is the Australian official charged under the Privacy Act with investigating privacy breaches, has commenced an investigation. I’d make the point that we’ve shown how seriously we take breaches of Australian privacy by last year legislating to increase the penalties, massively increase the penalties for breaches of privacy by corporations. And we’ve also, at the same time, legislated to give additional powers to the Privacy Commissioner. I expect that the Privacy Commissioner will be using those additional powers in this investigation.

St Vincent’s Health Network suffers a data breach, but it is not isolated. There is a pattern of cyber attacks on health facilities worldwide.

St Vincent’s Health Network suffered a data breach on 19 December 2023. When it was first reported, the details of what personal information had been stolen were not known. According to The Australian, as of 25 December 2023 St Vincent’s was still unable to determine what, if any, medical records had been stolen: see St Vincent’s unable to confirm if medical records stolen. On 29 December 2023 St Vincent’s Health Australia released a statement. It provides:

Since its statement last Friday regarding the attack by cyber criminals, St Vincent’s has been working tirelessly with federal and state governments, law enforcement, and our cyber experts.

Today we again briefed our close to 30,000 team members on the latest information regarding this investigation and monitoring work.

The staff at St Vincent’s provide some of the best care in the world to our patients and residents. Our key priority in responding to this cyber criminal attack has been to preserve and protect the critical work of our staff on behalf of millions of Australians every year.

On Tuesday, 19 December, St Vincent’s began responding to a cyber security incident.

On that day, St Vincent’s immediately took steps to contain the incident, engaged external security experts CyberCX, and notified all relevant state and federal governments and their necessary agencies.

No cyber criminal activity has been detected on St Vincent’s networks since Wednesday, 20 December.

Late on the evening of Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from our network. We notified regulators, governments, our staff, and the public of this information on the morning of Friday, 22 December.

St Vincent’s continues to investigate this cyber crime. Our experts are working around the clock to ascertain the contents of the data copied and stolen from us. This is a complex and highly technical activity.

Should we discover that any sensitive data has been stolen by cyber criminals, we will do all we can to contact those affected and give them information about the steps they can take to protect themselves and support them through that process.

To date, the activities of the cyber criminals have not impacted the ability of St Vincent’s to deliver the services our patients, residents, and the broader community rely on across our hospital, aged care, and virtual and home health networks. We are managing some important network disruptions as part of our remediation works.

We thank the Australian Government, our state government partners, and our commercial and clinical partners, for their support.

We have also updated federal and state government authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, as well as our key partners, and stakeholders.

The Australian Federal Police are engaged with the matter and St Vincent’s is fully supporting their criminal investigation.

We have established a dedicated support line 1300 124 507, as well as a dedicated email address stvincentscybersafety@svha.org.au, for anyone wishing to seek further information about this matter.

Media contact: Dexter Gillman 0439 393 196

Q&As

When did St Vincent’s first become aware that they were experiencing an incident?

On Tuesday, 19 December 2023, St Vincent’s Health Australia (SVHA) began responding to a cyber security incident.

SVHA immediately took steps to contain the incident, engaged external cyber security experts, and notified all relevant state and federal governments and the necessary agencies.

The investigation into this incident is ongoing.

Why did it take until Friday 22 December 2023 to tell the public?

St Vincent’s took immediate steps to contain the incident upon its discovery. We also engaged external security experts, notified all relevant state and federal governments and their necessary agencies.

Late on the evening of Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from our network. We notified regulators, governments, our staff, and the public of this information on Friday morning.

What steps did St Vincent’s take to understand the incident?

Our teams have worked tirelessly through the night, and into today to:

•    Implement enhanced monitoring of St Vincent’s networks and systems;

•    Deploy investigatory tools; and

•    Review system logs and telemetry.

At this time, no new activity by the threat actor has been detected inside St Vincent’s networks since early morning Wednesday, 20 December. Containment activities are still ongoing.

Do you know who might be behind this incident?

Not at this time.

Do you know if any information that may be sensitive (corporate or personal) may have been accessed?

Late on Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from a system.

St Vincent’s is working to determine what data has been removed. This is a complex and highly technical activity and we do expect it could take some time.

Do you have any evidence data has been removed from your network?

Late on Thursday, 21 December, St Vincent’s found evidence that cyber criminals had removed some data from a system.

St Vincent’s is working to determine what data has been removed. This is a complex and highly technical activity and we do expect it could take some time.

When will SVHA be able to say what type of data was stolen?

This is a complex and highly technical investigation, and we do expect it will take some time before we know exactly what data was taken from our systems.

How will you notify patients or staff if their data has been stolen?

Should we discover that any sensitive information has been stolen by cyber criminals, we will do all that we can to contact the impacted persons to inform them of this, give them information about the steps that they can take to protect themselves and support them through that process.

Are hospital operations impacted?

At this time, our ability to deliver the frontline services that our patients, residents, governments and the broader community rely on us for, has not been impacted. We are managing some network disruptions as part of our remediation works.

What support is available?

We have established a dedicated support line 1300 124 507 and email address stvincentscybersafety@svha.org.au for anyone with additional questions about this matter.

St Vincent’s statement, when issued, was quite good as far as it went. In fact, very good by Australian standards. It was the basis for The Australian’s report, St Vincent’s Health still trying to work out if personal medical records stolen in cyber attack.

While the statement provided a good overview, it continues the unfortunate and usual Australian practice of not providing, even in the most general terms, the cause of the breach. That can give rise to criticism. Just ask the executives of Medibank and Optus, for whom it was a bleeding wound that took months to be only partially staunched. Providing too much detail is unnecessary, and can be poor practice in highlighting weaknesses that may be exploited against other organisations, but failing to provide some information, even in very general terms, as to how the breach occurred goes too far. Withholding information can be embarrassing if the media finds out what caused the breach. That seems to be the case here, as the Australian Financial Review (the “AFR”) provides details not provided by St Vincent’s Health in

Yes Virginia there is a Santa Claus

December 25, 2023

As per a long-standing tradition, I wish all a very happy and holy Christmas with one of the most wonderful odes to Christmas, Yes Virginia there is a Santa Claus. As a piece of prose it is superlative writing: an economy of words which captures the message of hope and optimism. There is a wonderful story behind it, with an 8 year old seeking advice and Virginia going on to live a wonderfully productive life.

I wish you all a wonderful Christmas and hope you approach 2024 with all the hope and optimism of the Yes Virginia editorial from all those years ago.

The letter provides:

Dear Editor,

I am 8 years old. Some of my little friends say that there is no Santa Claus. Papa says “If you see it in the Sun, it is so.” Please tell me the truth, is there a Santa Claus?

Virginia,

Your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except what they see. They think that nothing can be which is not comprehensible by their little minds.

All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

Yes, Virginia, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to our life its highest beauty and joy.

Alas! How dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

Not believe in Santa Claus? You might as well not believe in fairies! You might get your Papa to hire men to watch all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove?

Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see.

Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders that are unseen and unseeable in the world.

You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, or even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernatural beauty and glory beyond.

Is it all real? Ah, Virginia, in all this world there is nothing else as real and abiding.

No Santa Claus? Thank God he lives and he lives forever. A thousand years from now, maybe 10 times 10,000 years from now, he will continue to make glad the hearts of children.

Written by Francis P. Church in 1897


An estimated 5,951,612,884 records breached in cyber incidents in 2023 with the biggest involving DarkBeam

December 15, 2023

IT Governance has provided its annual report on data breaches this year. Some of the grim statistics this year are:

Number of incidents in 2023: 1,404

Number of breached records in 2023: 5,951,612,884

Biggest data breach of 2023 so far: DarkBeam (3.8 billion breached records)

Biggest data breach in the UK: DarkBeam (3.8 billion breached records)

Integrity 360 has listed the Top Reported Cyber Security Incidents of 2023, covering much the same ground but delving into particular data breaches such as DarkBeam and the UK Electoral Commission breach, which involved the personal information of 40 million people.

Webber Insurance Services provides a list of reported data breaches in Australia. The data breaches identified in 2023 highlight the increasing number of attacks and their growing magnitude. In November alone there was a data breach at

The US Federal Trade Commission gives warning about QR Codes being used to steal information

December 13, 2023

The challenge in privacy and cyber security is identifying and dealing with constantly evolving threats. Hackers are versatile while organisations and people are less so. The difference shows up as successful cyber attacks and the damage they cause. Hackers are very good readers of psychology. They are good at taking advantage of people’s habits. They have moved into using QR codes to get access. That is clever. Many are now accustomed to using QR codes to sign in, order or obtain goods or services. The Federal Trade Commission has issued a warning about QR codes being used to steal personal information.

The media release provides:

QR codes seem to be everywhere. You may have scanned one to see the menu at a restaurant or pay for public parking. And you may have used one on your phone to get into a concert or sporting event, or to board a flight. There are countless other ways to use them, which explains their popularity. Unfortunately, scammers hide harmful links in QR codes to steal personal information. Here’s what to know.

Apple releases report revealing 2.6 billion records compromised by data breaches and says the answer is encryption

December 8, 2023

It never ceases to amaze me how few businesses, and government agencies, encrypt their data. Given that it is feasible, the refusal to do so, particularly by organisations that collect and store masses of data, is a major failure of cyber security. Apple released a report, titled The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase, in support of its push for end-to-end encryption. The release provides:

Today Apple published an independent study conducted by Massachusetts Institute of Technology professor Dr Stuart Madnick that found clear and compelling proof that data breaches have become an epidemic, threatening sensitive and personal consumer data the world over. The total number of data breaches more than tripled between 2013 and 2022 — exposing 2.6 billion personal records in the past two years alone — and has continued to get worse in 2023. The findings underscore that strong protections against data breaches in the cloud, like end-to-end encryption, have only grown more essential since last year’s report and the launch of Advanced Data Protection for iCloud.

This year’s study, “The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase”, demonstrates threats that had already reached historic levels — as shown in last year’s report, “The Rising Threat to Consumer Data in the Cloud” — continue to rise. Increasingly, companies across the technology industry are addressing these threats by implementing end-to-end encryption, as Apple did with last year’s launch of Advanced Data Protection for iCloud.

With Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data even in the case of a data breach. iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection for iCloud, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes and Photos.

“Bad actors continue to pour enormous amounts of time and resources into finding more creative and effective ways to steal consumer data, and we won’t rest in our efforts to stop them,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “As threats to consumer data grow, we’ll keep finding ways to fight back on behalf of our users by adding even more powerful protections.”

As shown in this year’s report, the increasing digitalisation of users’ personal and professional lives has fuelled a dramatic rise in data breaches. Each year, thousands of data breaches expose the personal information of hundreds of millions of consumers. Hackers are evolving their methods and finding more ways to defeat security practices that once held them back. Consequently, even organisations with the strongest possible security practices are vulnerable to threats in a way that wasn’t true just a few years ago.

The report also shows that even when consumers take all the right steps to secure their sensitive data, it’s still at risk of being compromised by hackers if it’s stored in a readable form by organisations they entrust it with. For instance, when attempting to infiltrate companies with robust security practices, hackers often start by targeting a different organisation with relatively weak security that has a technical business relationship with the ultimate target. They then steal credentials or information that helps them target employees or systems at the organisation that is their primary objective.

As threats to user data continue to grow more frequent and sophisticated, Apple’s long track record of engineering powerful and innovative features make its products the most secure on the market. With Lockdown Mode, Apple developed a protection for those who may be targeted by extreme threats like mercenary spyware because of who they are or what they do. Apple’s Advanced Data Protection for iCloud is another feature the company has developed to protect users against growing threats to their data, keeping most user data in iCloud protected even in the case of a data breach in the cloud.

The report illustrates that the historic threats to user data that saw the number of data breaches nearly triple between 2013 and 2022, compromising 2.6 billion records over the course of two years, are only getting worse in 2023. In the US alone, there were nearly 20 per cent more breaches in just the first nine months of 2023 than in any prior year. The target for cybercriminals was very clear, with a 2023 survey finding that over 80 per cent of breaches involved data stored in the cloud. This is after attacks targeting cloud infrastructure nearly doubled from 2021 to 2022.

This is due in part to the increased targeting of consumer data by ransomware gangs and coordinated campaigns that compromised vendors or their products to target customers. The threat of ransomware has only grown in 2023, as shown by the fact that there were nearly 70 per cent more attacks reported through to September 2023 than in the first three quarters of 2022. In fact, experts found that there were more ransomware attacks through to September 2023 than in all of 2022 combined. This has led to alarming trends in the US and abroad, with more than double the accounts getting breached in the first half of 2023 compared to the first half of 2022 in the UK, Australia and Canada combined.

The report itself makes

ACMA fines Telstra $300,000 for privacy failures and customer safety breaches

December 4, 2023

Optus may have had an annus horribilis as far as data breaches go, but Telstra has had anything but a good record in protecting privacy. The latest iteration is Telstra being fined by ACMA for privacy and safety breaches. ACMA has also issued an infringement notice, and Telstra has entered into an enforceable undertaking. This fine is on top of a $2.5 million fine in 2021 for breach of the IPND rules.

Telstra’s media release provides:

Telstra has paid a $306,360 infringement notice issued by the Australian Communications and Media Authority (ACMA) for failing to provide accurate details of thousands of customers to the Integrated Public Number Database (IPND).

The IPND is used by Triple Zero to help locate people in an emergency, for the Emergency Alert Service to warn Australians of emergencies like flood or bushfire, and to assist law enforcement activities.

Queensland Parliament passes mandatory data breach notification legislation for Government agencies. To come into effect on 1 July 2026

December 3, 2023

On November 29, 2023, the Attorney General, the Minister for Justice, and the Minister for the Prevention of Domestic and Family Violence announced that the Information Privacy and Other Legislation Amendment Act 2023 was passed by the Queensland Parliament, creating, among other things, a mandatory data breach notification scheme (MDBN Scheme).

The press release, found here, provides:

Queensland government agencies will be subject to new requirements for managing personal information, and a mandatory data breach scheme will be established, after the Information Privacy and Other Legislation Amendment Act 2023 was passed by parliament today. 

The information privacy reforms are currently expected to begin on 1 July 2025, with the commencement of the mandatory data breach notification scheme as it applies to local governments not commencing until 1 July 2026.

The legislation improves privacy protections available to individuals while the mandatory data breach notification scheme will strengthen and regulate the response to data breaches by government agencies.

It will require agencies to notify affected individuals and the Office of the Information Commissioner of eligible data breaches that could result in serious harm.

UK Information Commissioner reprimands Charnwood Borough Council for disclosing the new address of a domestic abuse victim to her ex-partner. Meanwhile in Australia there is a serious data breach involving 11,000 records of the National Disability Insurance Agency.

November 30, 2023

Government departments and agencies are notorious for sending correspondence without thinking and causing a privacy breach. Often it is a list of individuals. In the UK, Charnwood Borough Council disclosed the new address of a domestic abuse victim. To her ex-partner! It arose from an administrative bungle: a letter was sent to the victim’s previous address, which she had shared with her ex-partner and at which he still resided. The ex-partner read the letter. The UK Information Commissioner reprimanded the Council for this breach.

The ICO’s media release provides:

The Information Commissioner’s Office (ICO) has issued a reprimand to Charnwood Borough Council after it disclosed the new address of a domestic abuse victim to her ex-partner.

The ICO has called on other organisations to learn lessons from the incident to ensure they are not at risk of making the same mistake.

They should make sure:

    • Alerts are put on files if staff need to be especially vigilant when someone is a vulnerable service user
    • A proper process is in place for address changes
    • Data protection training is carried out, including refresher training.

In this case, the council’s process for updating addresses was not clear. A letter detailing the new address of the victim was sent to the previous address she shared with her ex-partner. The letter was later confirmed to have been opened and read by the ex-partner.

DP World confirms that employee data was stolen during cyber attack

November 29, 2023

The DP World data breach caused major disruption at Australian ports around 13 November 2023. At the time there was no mention of personal information being accessed. Now the ABC reports, in DP World Australia confirms employee data was stolen during cyber attack, warns of further freight delays ahead of Christmas rush, that personal information had been accessed. There is nothing on DP World’s website. This knowledge would have been in DP World’s possession for some time. Often these late announcements immediately precede an organisation finally notifying the staff whose personal information was accessed. It follows a poor-practice playbook.

The article