European Lawmakers pass AI regulation bill

June 15, 2023

Artificial intelligence has the world aflutter. The clear benefits that have already been demonstrated have been accompanied by panicked calls ranging from banning it, akin to putting the toothpaste back in the tube, to heavily regulating it. The European Union is opting for the regulation route. The European Parliament has just passed the first regulation for use of Artificial Intelligence. Foreign Affairs reports on it in EU Lawmakers Pass Landmark AI Regulation Bill. Australia is in the very early stages of considering regulation of Artificial Intelligence. It is an almost foregone conclusion that there will be some form of regulation and that it will impact on privacy law.

The European Parliament’s media release

HWL Ebsworth obtain a continuing indefinite injunction regarding data breach and say it has spent 5,000 hours and cost $250,000 fighting the hackers

Major data breaches result in major outlays in rectifying and remedial action, not to mention reputational damage. And the time taken to bring about some sort of resolution is extraordinary. As the Australian Financial Review reports in HWL Ebsworth says it has spent 5000 hours fighting hack, the firm had spent 5,000 hours and it had cost $250,000 fighting Black Cat, which had breached the firm’s cyber defences and exfiltrated 4 terabytes of data without its knowledge. In fact, when the firm was first contacted by Black Cat on 28 April 2023 the overture was dismissed as spam. The clearly inadequate and poor cyber security practices morphed into farce with this turn of events.

According to the report, which is based on affidavit material filed with the New South Wales Supreme Court:

  • the data related to hundreds of clients;
  • it covers a period of at least 5 years;
  • the personal information includes:
    • health records
    • financial details
    • sensitive information as defined in the Privacy Act
  • McGrathNicol had been paid $250,000 for their services so far, with the prospect of more payments forthcoming; and
  • law firms and businesses have been trawling through Black Cat’s data dump.

The order has not been made public. The ineffectiveness of an order restraining Black Cat from releasing the rest of the stolen data is obvious. It is a criminal group located outside of Australia, most likely in Russia. The orders against those who might use the data already released may be of more force if those individuals are in Australia. For those acting with nefarious intent, again, a contempt of court prosecution figures low amongst their concerns. The terms of the orders against “any further broader access to or dissemination” of the data have bite as they apply to media who could report on what data was released and from where that data was collected. And to a large extent that is the point of the injunction. It restrains publication of the nature of the data that has been stolen and released. Such reporting would damage HWL Ebsworth significantly, but also its clients who provided that information.

How such a broad range of data from hundreds of clients could have been so effectively stolen without any alarm being sounded will no doubt be a question the

The Office of the Australian Information Commissioner suffers a data breach courtesy of the successful hacking of HWL Ebsworth. Hackers 1, regulator zero.

June 14, 2023

As they say, “you couldn’t make this up.” The Office of the Australian Information Commissioner has suffered a data breach, according to the Australian’s Peak privacy agency the latest to fall victim to Russia-linked cybercrime gang, through the hacking of HWL Ebsworth’s website. The regulator has regularly engaged HWL Ebsworth to provide legal services. That entails providing information for use by the law firm. And it is at least some of that information that has been compromised. While the Commissioner cannot be blamed for providing information to its trusted legal advisor, it might be interesting to know whether the Commissioner enquired of HWL Ebsworth about the privacy training it gave its staff and the state of security of documents held under its control. Normally a victim’s answers to such questions are unsatisfactory. The Commissioner is being tight-lipped in its initial response. The concession was made that if personal information collected was compromised then those persons would be notified.

This must be mortifying for the Commissioner.

At some point the Commissioner would need to provide more than guarded comments. There is a question of making the public trust the integrity

HWL Ebsworth’s ongoing agony with hackers highlights the need for law firms to maintain proper data security. A very salutary lesson.

In late April Russian hackers successfully launched a ransomware attack against HWL Ebsworth, a national Australian law firm. On 30 April the attackers made a demand for a ransom. The ALPHV/Blackcat ransomware group posted on its website that 4 terabytes of data had been hacked. The contents included employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map. As has become usual, the firm responded to enquiries by stating that it had contacted the Australian Cyber Security Centre and would work with them. Further details were scarce. Nothing unusual in that. It has become a standard deflector shield against further enquiry.

That was in early May. But ransomware hackers don’t really care about what their victims say. Particularly hackers as effective as BlackCat. On 11 May the Australian Financial Review reported that the Ebsworth data was posted on BlackCat’s site on the dark web. The AFR also reported that clients, including the Commonwealth Bank, La Trobe Financial and ING Bank, had removed their files from the firm. Given the likely entry point for the hackers was via an email received on a staff member’s personal device this is a massive loss of billings and reputation for what was likely a preventable data breach. Human error is the cause of a vast majority of data breaches. And that human error is often caused by poor training and supervision. The fact that the firm only became aware of the hack when the hackers advised of the theft of data points to poor internal security. That 4 terabytes of data could be exfiltrated from various data banks of the firm points to no or inadequate programs to monitor and respond to unusual movements of data. Given that HWL Ebsworth is the largest firm by partner size that is quite extraordinary.

On 9 June the ABC reported that BlackCat had published 1.45 terabytes of data on the dark web with a statement “ENJOY”. That happened after the demand for ransom payment within 10 days expired without any payment being forthcoming. As the ABC article makes clear, the impact of the data breach goes beyond the impact on personal information of staff and financial records. It goes to personal information and other sensitive material belonging to clients such as government agencies and commercial institutions. That leads to them having to take proactive measures to determine the extent of the loss of their data and what steps they need to take to advise their clients or other persons. Law firms such as HWL Ebsworth hold masses of sensitive and personal information belonging to clients. The Tasmanian Government has reported suffering a possible data breach linked to the attack on HWL Ebsworth.

Given the nature of the data breach, HWL Ebsworth’s focus is on dealing with clients whose clients or employees may have been affected rather than on a broad notice to a set group of people. That has been the tenor of its response to enquiries. While that is understandable, HWL Ebsworth has maintained a very restrained response. As overseas experience and the Optus and Medibank data breaches attest, that is not generally a good strategy. Clearly constraints on confidentiality apply; however, a broader explanation is often better than bromides, which is the nub of the response to date. Given BlackCat has not finished with HWL Ebsworth it

UK Information Commissioner reprimands Thames Valley Police for releasing witness details

June 13, 2023

Data breaches through the release of personal information by government and organisations are all too common. They commonly happen when documents are released without being properly reviewed and redacted. A typical example is releasing medical records which contain details of third parties. Police, which collect masses of information in investigations, can release information which identifies witnesses. And this is what happened in the United Kingdom when the Thames Valley Police released details which led to suspected criminals learning the address of a witness, forcing the witness to move house. This resulted in the Information Commissioner’s Office issuing a reprimand to Thames Valley Police (TVP).

As is often the case, the ICO found that TVP did not have appropriate steps, such as training, in place to ensure officers were aware of guidance around disclosure and redaction. There was also insufficient oversight of the process in

To pay or not to pay ransomware hackers… the Government says no pay and the Business Council says provide a safe harbour

June 9, 2023

Verizon’s 2023 Data Breach Investigations Report finds that ransomware was tied to 16% of all data breaches. That is double the figure in last year’s report, and ransomware continued to be a factor in 24% of all data breaches. Interestingly, in 93% of security incidents involving ransomware, victims reported no financial losses, at least based on information submitted to the FBI. The remaining 7% of victims reported a median loss of $26,000. That was double what victims reported two years prior.

The overall costs of recovering from a ransomware incident are increasing while the ransom payouts are lower. This is due to the increase of automation and efficiency of ransomware operators.

The question of paying a ransom is vexed. Ransoms are paid, and more often than observers think. Sometimes the hackers abide by the agreement and provide the key which unlocks the data. Sometimes the hackers behave like the criminals they are, take the ransom, provide no key and in fact release the data they exfiltrated from the site, if exfiltration was part of the data breach. Some provide the keys, but upon unlocking the owner finds the ransomware program has damaged the data. Regulators generally advise against paying ransoms but acknowledge that it is a reality.

The Australian Government is considering making ransomware payments illegal. This has been met with some push back by cyber insurers. The Business Council of Australia has called for a safe harbour. This has been reported by the Australian Financial Review at Businesses call for ‘safe harbour’ during major cyber incidents.

The BCA

Attorney General’s Review of the Privacy Act Report; Chapter 9, the Journalist exemption; analysis and review. The Report supports the core of the status quo but recommends amendments to require proper data security and compliance with the Data Breach Notification Scheme.

June 4, 2023

The Attorney General’s Report on the Privacy Act review considers the status of the journalistic exemption at chapter 9. Unlike the small business exemption and the business records exemption, the exemption for journalism has a strong public policy basis. Notwithstanding the media being involved in very serious privacy breaches over the years, there has always been an acknowledgment that there should be some form of exemption. The Report did not alter the core of the exemption but proposes bringing media organisations under the regulation of the Privacy Act regarding data security and data breach notification.

There was never likely to be a significant change to the way in which the Privacy Act dealt with the journalism exemption. In 2008 the Australian Law Reform Commission did not recommend a change to the exemption. That does not mean that the current regime is without flaws and problems, which will continue after the Act is amended.

In the main the responses ranged from the strongest supporters of retaining the exemption, primarily media companies, to those who wanted reform but were not prepared to remove the exemption. The rationale for the exemption is that it recognises the important and beneficial role of journalistic output in Australian society. That is made clear from the Explanatory Memorandum, which provides that it is to balance ‘the public interest in providing adequate safeguards for the handling of personal information and the public interest in allowing a free flow of information to the public through the media.’

The exemption is set out in section 7B(4) of the Privacy Act. It provides:

(4)  An act done, or practice engaged in, by a media organisation is exempt for the purposes of paragraph 7(1)(ee) if the act is done, or the practice is engaged in:

(a)     by the organisation in the course of journalism; and

(b)     at a time when the organisation is publicly committed to observe standards that:

(i)      deal with privacy in the context of the activities of a media organisation (whether or not the standards also deal with other matters); and

(ii)    have been published in writing by the organisation or a person or body representing a class of media organisations.

A media organisation may publish such standards itself, or be a member of an industry body which has a published code of conduct containing privacy standards.

The Report noted

Quantum computers and their threat to privacy, and governmental dislike of encryption

May 31, 2023

At the moment it is all about Artificial Intelligence and the threat it poses. There are issues, but the concerns are at the moment more hypothetical than actual, while the benefits are real. Regulation is required.

What is missing from the discussion about technology, certainly involving privacy and cyber security, is the likely impact of quantum computers. Quantum computers have the potential to upend encrypted networks if they can find the key within a reasonable time. This issue is highlighted by The Times article Quantum computers that will decode your private app. The quantum computer threat is not immediate, but it is not far away.

Meanwhile, at the other end, government’s loathing of encryption, as discussed in Banning encryption is foolish and illiberal, can be equally damaging to viable privacy protection. In the United Kingdom, as here, there is an obsessive anti-encryption lobby. Encryption is critical for trusted communications, which are vital for effective and efficient business transactions. Banning encrypted communications or creating back doors damages trust in communications. In an information orientated, service dominated economy the harm far outweighs the concerns that criminals use encrypted communications. Law enforcement has long dealt with and found ways around codes of silence and attempts to avoid surveillance. They have successfully done so as well. It is a matter of same problem, different tools.

The Quantum Computer article provides:

Matt Hancock, be warned. It is not just fellow MPs and ghost writers who might leak your WhatsApp messages. You should start fretting about foreign intelligence agencies too.

Quantum computers that can crack internet encryption may be closer than we think, security experts say. If so, that means that anything sent securely today might be stored to be decrypted when such systems arrive — possibly within a decade.

Another reason to hate going to the dentist… a massive data breach involving ransomware which affects 8.9 million

May 30, 2023

There is sometimes fear and often plenty of pain in going to the dentist. For patients of Managed Care of North America (MCNA) Dental that experience got a lot worse. According to Bleeping Computer, a massive data breach has affected 8.9 million patients. Medical/dental insurance companies are prime targets for hackers as they hold huge troves of personal information, including payment details. That was the case with this attack. Names, addresses, social security numbers and other forms of personal information were accessed.

The Notice of Data Breach provides:

What happened?

On March 6, 2023, MCNA became aware of certain activity in our computer system that happened without our permission. We quickly took steps to stop that activity. We began an investigation right away. A special team was hired to help us. We learned a criminal was able to see and take copies of some information in our computer system between February 26, 2023 and March 7, 2023.

What information may have been involved?

Here is the kind of information that was seen and taken:

The UK Information Commissioner’s Office issues a reprimand for an old-fashioned data breach… leaving confidential information in paper form in a public area. Not every data breach is cyber related

The Information Commissioner’s Office (the “ICO”) has issued the Ministry of Justice a formal reprimand after confidential waste documents were left in an unsecured area. The focus of recent reporting about data breaches has been on the large scale hacks of databases. However, data breaches involving documents left in public places or sent to parties not entitled to them can be equally damaging. In this reported data breach (at an unnamed prison facility) the damage is serious as it revealed personal information about prison staff and inmates.

The press release provides:

The ICO has issued a formal reprimand to the Ministry of Justice (MoJ) after confidential waste documents were left in an unsecured prison holding area.

Prisoners and staff had access to the 14 bags of confidential documents, which included medical and security vetting details, for a period of 18 days.

During this time staff challenged prisoners who were openly reading the documents, but did nothing proactive to ensure the personal information was secured. At least 44 people had access to the information, which had remained on site as a contracted shredder waste removal company had not collected as scheduled.

The ICO investigation uncovered a lack of robust policies at the prison including:

    • no pre-agreed areas for staff to leave confidential waste in a secure place;
    • staff being unaware of the need to shred information or the risks of allowing prisoners access to non-shredded confidential documents;
    • inaccurate records of the number of staff who had completed data protection training; and
    • a general lack of staff understanding of the risks to personal data and the need to report data breaches.

The reprimand details a number of required or recommended actions including:

    • a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up to date with legislation; and
    • the creation of a separate data breach reporting policy for staff.

The MoJ is also required to provide the ICO with a progress report by the end of October 2023.

The reprimand relevantly