Medibank Private’s woes continue from its data breach. APRA takes action against it, requiring an increase in its capital adequacy of $250 million

June 27, 2023

The consequences of a major data breach are rarely minor or quickly resolved. The cost of remediation is almost always significant. Litigation is a common offshoot; Medibank is facing a significant class action. Finally, there is usually more than one regulator able to take action. In this case the Australian Prudential Regulation Authority (APRA) has taken action against Medibank, increasing its capital adequacy requirement by $250 million.

The APRA statement Read the rest of this entry »

Privacy Act Review Report; Chapter 10: Privacy Notices and Notifications under APP 5.2. An analysis and review. Some adjustment but mostly steady as she goes

June 25, 2023

Chapter 10 of the Attorney General’s Privacy Act Review Report considers the operation of Privacy Policies and Notice obligations when collecting personal information.

A Privacy Policy is a critically important document for compliance under the Privacy Act 1988. Privacy policies are part of most privacy legislation across most jurisdictions. They serve the important function of informing people how their personal information will be handled. That doesn’t mean they are free of controversy. Privacy policies are commonly criticised for being unduly complicated, very long and often a model of opacity rather than transparency. Some organisations have excellent policies designed to provide useful information. Others are a mass of legalese which defies easy understanding.

Australian Privacy Principle (“APP”) 1 requires:

  • entities to maintain a ‘clearly expressed’ and ‘up-to-date’ privacy policy that addresses the matters listed in APP 1.4.
  • per the APP Guidelines a ‘clearly expressed’ privacy policy should be:
    • ‘easy to understand (avoiding jargon, legalistic and in-house terms),
    • easy to navigate,
    • only include information that is relevant to the management of personal information by the entity’.
  • an APP entity to regularly review and update its privacy policy to ensure that it reflects the entity’s information handling practices.
  • an APP entity to take such steps as are reasonable in the circumstances to make its privacy policy available:
    • free of charge and
    • ‘in such form as is appropriate.’
  • that where an individual requests a privacy policy in a particular form, the APP entity must take reasonable steps to accommodate that request.
  • APP entities to make a privacy policy available by publication on a website.
  • where it is foreseeable that the privacy policy may be accessed by individuals with accessibility needs, or where individuals request a copy of the privacy policy in an accessible form, appropriate accessibility measures should be put in place.

APP 5 requires Read the rest of this entry »

World Economic Forum releases guidelines for procurement of AI solutions by the private sector

June 23, 2023

The World Economic Forum has released Adopting AI Responsibly: Guidelines for Procurement of AI Solutions by the Private Sector. It has also launched the AI Governance Alliance for Responsible Generative AI. The Guidelines are part of a growing set of guidelines and rules. The US President released a Blueprint for an AI Bill of Rights in October last year. That is a long way from government regulation.

At this stage the talk is greater than the action. The US President met with tech leaders a few days ago and raised concerns about the risks posed by AI to Security and the Economy amongst other areas. Even though Europe has taken strong initial steps and is ahead of the United States no jurisdiction has complete fit for purpose Read the rest of this entry »

The European Union Agency for Cybersecurity releases its good practices for supply chain cybersecurity

June 20, 2023

The EU is far ahead of Australia in regulating privacy and cyber security, through both the GDPR and its rules and guidance on good cyber security practices. The United States is well served by the publications of the National Institute of Standards and Technology (NIST).

The European Union Agency for Cybersecurity (ENISA) has released Good Practices for Supply Chain Cybersecurity. It is a long and complex document but particularly relevant given the spate of data breaches in Australia. It is worth noting that the document makes regular reference to NIST guidance. I regularly post on NIST guidance.

Some of the findings included:
  • between 39 % and 62 % of organisations were affected by a third-party cyber incident.
  • supply chain compromises were the second most prevalent initial infection vector identified in 2021 and accounted for 17 % of intrusions.
  • in 66 % of the supply chain attacks in 2021 the suppliers did not know, or were not transparent about, how they were compromised.
  • around 62 % of the attacks on customers took advantage of their trust in their supplier. In 62 % of the cases malware was the attack technique employed. In 66 % of the incidents attackers targeted the suppliers’ code in order to further compromise the suppliers’ customers.
  • 86 % of the surveyed organisations implement information and communication technology / operational technology (ICT/OT) supply chain cybersecurity policies.
  • 47 % allocate budget for ICT/OT supply chain cybersecurity.
  • only 24 % have dedicated roles and responsibilities for ICT/OT supply chain cybersecurity; 76 % do not.
  • 59 % of the surveyed organisations that have TRM policies in place also have a dedicated budget or budget line for supply chain security.
  • 52 % have a rigid patching policy, in which only 0 to 20 % of their assets are not covered. On the other hand, 13.5 % have no visibility over the patching of 50 % or more of their information assets.
  • 46 % patch critical vulnerabilities within less than 1 month, while another 46 % patch critical vulnerabilities within 6 months or less.
  • regarding cybersecurity risk mitigation techniques, 61 % of the surveyed organisations require security certification from suppliers, 43 % use security rating services and 37 % conduct due diligence or risk assessments. Only 9 % indicate that they do not evaluate their supply chain security risks in any way.
The Report summarised the situation as:
  1. Although organisations understand the significance of supply chain security, they do not allocate the necessary resources for ICT/OT supply chain cybersecurity.
  2. Even when they invest in ICT/OT supply chain cybersecurity projects, the majority do it without clear governance corporate structures which ideally should take into account the costs and benefits of implementing ICT/OT supply chain cybersecurity practices and controls.
  3. Organisations with formalised ICT/OT supply chain cybersecurity corporate procedures are the minority of the surveyed sample.
  4. Banking is the sector with most established ICT/OT supply chain cybersecurity policies and dedicated budget and FTEs
  5. Classification of a supply chain incident as such is cumbersome due to the lack of concrete criteria.
  6. Certifications are the most preferred way for organisations to follow suppliers’ cybersecurity practices; however, they are accompanied by high costs, especially for non-cybersecurity relevant vendors.
  7. The surveyed organisations agree that common cybersecurity requirements for products and services would be beneficial for the market.
  8. There is room to improve the visibility of the organisations over their information assets.
  9. The majority of surveyed organisations do not have a vulnerability management system which covers all organisational assets.
  10. Vulnerability management and testing of products contribute to better ICT/OT supply chain cybersecurity posture.
Supply chain cybersecurity is enhanced Read the rest of this entry »

The continuing ripples from the HWL Ebsworth data breach; NAB bank data leaked online

Large data breaches are rarely resolved quickly. That is why I am so surprised that organisations with the means and structures are so complacent about their data security. The focus is minimal compliance rather than security that is fit for purpose. The HWL data breach will be a long and excruciating process. The latest development is that data belonging to NAB has been found online. See the Australian’s story NAB the latest to be confirmed as victim of HWL Ebsworth hack, with bank data leaking online. Beyond the revelation that NAB has been affected, the article itself is something of a reheating of earlier reporting.

NAB has been motivated to issue a statement which provides:

“We are aware that HWL Ebsworth, a law firm engaged by NAB for some legal services, has been impacted by a cyber-attack. NAB’s systems were not impacted and remain secure. We are working with HWLE as they continue to get more information in relation to the content of these matters.”

There will be more statements like this from affected HWL Ebsworth clients (or ex clients). 

Based on the limited information provided to date it appears that the transfer of documentation from clients to the firm was not through access provided to the firm into the clients’ systems, as often happens with third party service providers working with an entity. In those circumstances the danger is that the initial hack gives rise to another hack, as the provider’s credentials and authorisations are stolen and used to access the other organisation. Here HWL Ebsworth and its clients probably adopted the more traditional, and logical, means of transfer of documents. The clients provided Read the rest of this entry »

Hacker gang Clop publishing names on dark web shows that Black Cat’s tormenting of HWL Ebsworth follows a depressingly predictable pattern

June 18, 2023

It is usual practice for hacker gangs to publish names and other data taken from an organisation if a ransom is not paid. Sometimes it is done even without a demand for ransom. It is a malicious act, but that is what criminal gangs do. So it is hardly extraordinary that Black Cat has done that with the data stolen from HWL Ebsworth. In that case it has published only a third of the data stolen. That is possibly because Black Cat retains hope that a ransom will be paid for the balance of the documents, or because it wants to prolong the pain it inflicts on HWL Ebsworth. Another well practised option is to negotiate with the organisations and agencies affected by the data breach. Alternatively it could sell the remaining data to interested players. It is impossible to say, and Black Cat is not in the business of advertising its moves, so it is a matter of waiting for the next move. And it will come.

The BBC reports in Hacker gang Clop publishes victim names on dark web on another instance of the odious practice of publishing names on the dark web as a result of a mass hack. It is a slightly different approach, posting names rather than a document drop per se: publish the names before public disclosure of the stolen data. Clop exploited a zero-day vulnerability (CVE-2023-34362, a SQL injection flaw) in MOVEit Transfer, Progress Software’s managed file transfer product. Because MOVEit Transfer is a platform designed to transfer data between organisations, Clop had access to masses of data staged on the compromised MOVEit servers, which it stole. The data belonged to a number of organisations and institutions. Bleeping Computer covers the story well with Clop ransomware gang starts extorting MOVEit data-theft victims

There is a strong similarity between the HWL Ebsworth and the MOVEit data breaches.  In both cases the value to the hackers of the data stolen is that it comes from a range of entities rather than the data belonging to the entity breached.  In HWL Ebsworth’s case Black Cat downloaded data belonging to clients and other entities from 2,000 data sites within the firm’s system.  In MOVEit’s case Clop stole data from its platform.  The intent is the same, using Read the rest of this entry »

HWL Ebsworth data breach reveals potential loss of government information, including Defence data.

June 17, 2023

The HWL Ebsworth data breach saga is following a familiar trajectory: a significant loss of data; announcement of the data breach; statements about working with the Australian Cyber Security Centre and other authorities; details slipping out about how much material was lost; a general statement indicating what personal information is involved (so far that includes dates of birth, driver’s licences and names); and steps taken to remedy the breach. This data breach has other features which make it a less standard data breach: the focus is not on data generated by the firm but rather on data collected from clients or otherwise related to the provision of legal services; the sensitivity of the information is, seemingly, more a matter of government information than personal information; and third parties, especially government departments, are becoming very active in working out the extent to which the data breach affects them directly. The Australian reports in Data on secret missile testing site, attack helicopters and police operations stolen by hackers that the hackers have stolen files relating to military testing, police intelligence and government procurement. That data is of great interest to state players such as Russia and China and pretty much anyone else in the Indo Pacific region. It is hardly controversial that Australia’s friends collect data about the Australian government. That has always been part of the unspoken role of overseas embassies.

The Office of the Australian Information Commissioner released a belated statement on the data breach, reported here, providing:

On 8 May 2023, HWL Ebsworth reported a data breach to the Office of the Australian Information Commissioner (OAIC) in the OAIC’s capacity as regulator of the Notifiable Data Breaches scheme.

HWL Ebsworth provides legal services to a range of Commonwealth clients, including the OAIC.

On Saturday 10 June, HWL Ebsworth advised the OAIC that a document or documents relating to a limited number of OAIC files were included in the breach experienced by HWL Ebsworth.

HWL Ebsworth is currently providing further information to the OAIC about those documents. The OAIC will review those documents to see whether they contain personal information, and, consistent with requirements under the Notifiable Data Breaches scheme, will notify affected individuals where necessary.

The OAIC’s systems have not been compromised.

The statement raises more questions than it answers. The data breach was reported in early May and the Australian Financial Review has been covering the story regularly. It is difficult to understand how, in the 5,000 hours HWL Ebsworth claims it has spent on the data breach, it could not have notified the Commissioner earlier than 10 June. And it could have gone into more specifics than “a document or documents” relating to a “limited number of OAIC files”. The statement leaves open the conclusion that HWL Ebsworth has not completed its task vis a vis the OAIC files. That is extraordinary. It has been 6 weeks since the firm was advised of the data breach. The opaqueness of the statement makes it almost meaningless, unless the intention is simply to be seen to have made a statement.

Many organisations have quite good outward looking cyber security, providing a hard shell against cyber attacks; a cyber wall surrounding a site, so to speak. Unfortunately that is all too often the limit of the defences. Those defences are ineffective when hackers acquire valid credentials from an employee, as appears to be the case here, and enter the system as that user. Many organisations have very poor systems for monitoring suspicious network activity, and few internal protections such as segmentation of information into silos requiring separate authentication. In the case of the HWL Ebsworth data breach Black Cat apparently accessed the drives of 2,000 employees and copied what was there. How that could happen without raising any sort of alarm is a concern.

There are tools which can identify abnormal access patterns, database activity, file changes and other out-of-the-ordinary actions. Those are indicia of Read the rest of this entry »

The HWL Ebsworth data breach; the ripple effect. Its government clients set up working groups to sort through the rubble and work out what happens next

June 16, 2023


With large organisations, firms and government agencies the data that is compromised often belongs to third parties such as clients or other organisations. With law firms that means the information clients must provide so that advice can be given or litigation run. And so it is with the HWL Ebsworth data breach, which has led to the inevitable round two of the data breach: the clients of the firm doing damage assessments of what has happened to their data. The Australian reports in Fears government data has been stolen by cyber criminals grow as law firm’s clients are revealed that government departments have set up committees to determine the extent of the damage. And not before time. Black Cat has not released two-thirds of the data it exfiltrated. That is likely to happen at the most inopportune time given HWL Ebsworth has stated it will not pay a ransom.

The Australian article provides:

The Albanese government has established a crisis group to examine what commonwealth data has been stolen by Russian-linked hackers who infiltrated the systems of HWL Ebsworth, the giant law firm that has tens of millions of dollars of contracts across at least 40 government departments and agencies. Read the rest of this entry »

European Lawmakers pass AI regulation bill

June 15, 2023

Artificial intelligence has the world aflutter. The clear benefits that have already been demonstrated have been accompanied by panicked calls ranging from banning it, akin to putting the toothpaste back in the tube, to heavily regulating it. The European Union is opting for the regulation route. The European Parliament has just voted through its position on the Artificial Intelligence Act, the first comprehensive regulation of the use of artificial intelligence, which now goes to negotiation with the member states before it becomes law. It is reported by Foreign Affairs with EU Lawmakers Pass Landmark AI Regulation Bill. Australia is in the very early stages of considering regulation of artificial intelligence. It is an almost foregone conclusion that there will be some form of regulation and it will impact on privacy law.

The European Parliament’s media release Read the rest of this entry »

HWL Ebsworth obtains a continuing indefinite injunction regarding the data breach and says it has spent 5,000 hours and $250,000 fighting the hackers

Major data breaches result in major outlays on rectification and remedial action, not to mention reputational damage. And the time taken to bring about some sort of resolution is extraordinary. The Australian Financial Review reports in HWL Ebsworth says it has spent 5000 hours fighting hack that the firm had spent 5,000 hours, and $250,000, fighting Black Cat, which had breached the firm’s cyber defences and exfiltrated 4 terabytes of data without its knowledge. In fact when the firm was first contacted by Black Cat on 28 April 2023 the overture was dismissed as spam. The clearly inadequate cyber security practices morphed into farce with that turn of events.

According to the report, which is based on affidavit material filed with the New South Wales Supreme Court:

  • the data related to hundreds of clients
  • covers a period of at least 5 years.
  • the personal information includes:
    • health records
    • financial details
    • sensitive information as defined in the Privacy Act
  • McGrathNicol had been paid $250,000 for their services so far with the prospect of more payments forthcoming
  • law firms and businesses have been trawling through Black Cat’s data dump.

The order has not been made public.  The ineffectiveness of an order restraining  Black Cat from releasing the rest of the stolen data is obvious.  It is a criminal group located outside of Australia, most likely in Russia.  The orders against those who might use the data already released may be of more force if those individuals are in Australia.  For those acting with nefarious intent, again a contempt of court prosecution figures low amongst their concerns.  The terms of the orders against “any further broader access to or dissemination” of the data have bite as they apply to media who could report on what data was released and from where that data was collected.   And to a large extent that is the point of the injunction.  It restrains publication of the nature of the data that has been stolen and released.  Such reporting would damage HWL Ebsworth significantly but also its clients who provided that information.

How such a broad range of data from hundreds of clients could have been so effectively stolen without any alarm being sounded will no doubt be a question the Read the rest of this entry »