ABC reports Australian executives wary of announcing cyber attacks… hardly news. Vinomofo sends out a notice about a data breach… that is a welcome and new development

October 17, 2022

When writing on privacy and cyber security issues I often feel like Cassandra, highlighting problems that are ignored.  Until now.  The ABC’s story Most Australian executives wary of announcing cyber attacks and online strategies amid increased demand for transparency is hardly news. Businesses not wanting to disclose data breaches.  Quelle surprise!

I have been writing on the poor culture of non-compliance and secrecy relating to data breaches for years.  Non-compliance and an attitude of impunity do not develop and exist in a vacuum. They develop when there is an ineffective, complicated and confusing legislative regime and very timid regulation.  The practical net result has been a marked aversion to reporting data breaches, a tendency to cover them up and generally doing as little as possible to comply with the Privacy Act.  And why not, when governments have, until recently, shown little interest in privacy enforcement and the penalty for non-compliance is almost non-existent in practical terms.  In that sense the ABC article has something of a “been there, done that” quality to it. But it is worth highlighting the situation in the national press.  Hopefully it will act as the “before shot” which will be compared to the “after shot” when the new legislation comes into effect and proper regulation commences.

While it will take some time for the culture to change, and there will be a lot of backsliding, there is clearly a changed atmosphere.  The Optus data breach has highlighted what poor cyber security can mean for ordinary people: stress, annoyance and the cost in time and money to avoid identity theft.

The comparison between enforcement in Australia and other developed economies is stark.  For example, in the United States the owner of the retailer Shein, Zoetop, has been fined $1.9 million for covering up a data breach.  The breach occurred in 2018 when the login details of 39 million accounts were stolen.  Most of the customers were not advised of the breach and Zoetop lied about its extent. Given the vagueness of the data breach notification provisions in the Privacy Act, a company here wouldn’t need to cover up a breach.  It would simply say that, after considering the factors, there was no serious harm resulting from the breach. In any event the Commissioner has thus far proven to be a reluctant enforcer.

As a sign that things may be slowly changing for the better, I received a notice from Vinomofo about a cyber attack on its site.  Interestingly, it has been at least 3 years since I bought anything through Vinomofo.  Why am I still in its system?

The notice stated:

Hi Peter, 

I am writing to provide you with some important information about a recent cyber security incident at Vinomofo. 

Vinomofo experienced a cyber security incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website. Read the rest of this entry »

UK Information Commissioner’s Office publishes guidance on privacy enhancing technologies

The Information Commissioner’s Office (“ICO”) has published its long-awaited and very welcome guidance on the use of privacy enhancing technologies (“PETs”).  Properly used, PETs are an invaluable part of proper data protection.  The media release provides:

The Information Commissioner’s Office (ICO) has published draft guidance on privacy-enhancing technologies (PETs) to help organisations unlock the potential of data by putting a data protection by design approach into practice. 

PETs are technologies that can help organisations share and use people’s data responsibly, lawfully, and securely, including by minimising the amount of data used and by encrypting or anonymising personal information. They are already used by financial organisations when investigating money laundering, for example, and by the healthcare sector to provide better health outcomes and services to the public. 

The draft PETs guidance explains the benefits and different types of PETs currently available, as well as how they can help organisations comply with data protection law. It is part of the ICO’s draft guidance on anonymisation and pseudonymisation, and the ICO is seeking feedback to help refine and improve the final guidance.

By enabling organisations to share and collaboratively analyse sensitive data in a privacy-preserving manner, PETs open up unprecedented opportunities to harness the power of data through innovative and trustworthy applications. The UK and US governments have launched a set of prize challenges to unleash the potential of PETs to tackle global societal challenges, supported by the ICO.

John Edwards, UK Information Commissioner, said:  

“Although the use of PETs is in its early stages, it can unlock safe and lawful data sharing where people can enjoy better services and products without trading their privacy rights. In the UK, one example is the NHS building a system for linking patient data across different organisational domains. 

“Today’s draft guidance is part of my office’s strategy for the next three years, where we will be supporting the responsible use and sharing of personal information to drive innovation and economic growth. PETs have the potential to do that, so we look forward to hearing from industry and other stakeholders on how our guidance can help them achieve this.”  

The PETs draft guidance has been published ahead of the 2022 roundtable of G7 data protection and privacy authorities taking place in Bonn, Germany on 7-8 September, where the ICO will present its work on PETs to its G7 counterparts and encourage international agreement for the support of responsible and innovative use of PETs.

As part of this, the ICO will call for the development of industry-led governance, such as codes of conduct and certification schemes, to help organisations use PETs responsibly and to help PETs developers and providers to build the technology with data protection and privacy at the forefront. 

Mr Edwards said:

“It’s not just regulators that need to take action – we need the industry to step up, too. We want organisations to come to us with codes of conduct and certification schemes, for example, to show their commitment to building services or products that are designed in a privacy-friendly way and that protect people’s data.”

At 40 pages the guidance is very comprehensive.

Some key issues that should be considered are:

  • the definition of a PET is:

Read the rest of this entry »

Information Commissioner issues a statement regarding the MyDeal data breach

The Australian mandatory data breach notification regime, while 4 years old, has not attracted the public profile of other regimes overseas and had not resulted in high profile notifications until the Optus Data Breach.  In some American states notifications must be made to authorities, who publish broad details of the data breach and how many residents of the state have been affected.  As such there is a better understanding of the frequency of data breaches and Read the rest of this entry »

Agents working for the Australian Federal Police have their personal information exposed in Colombian data leak

One of the most challenging issues for any organisation is securing information it has collected which has been provided to a third party.  It makes financial sense for data to be processed overseas, and call centres for Australian companies on the subcontinent and in Asia are ubiquitous.  Under Australian Privacy Principle 8, Cross-border disclosure of personal information, organisations covered by the Privacy Act must take “reasonable steps” to ensure that personal information disclosed to overseas entities is not handled in breach of the Australian Privacy Principles. More particularly, an organisation or government agency that does disclose personal information is liable for a breach of the Australian Privacy Principles by the overseas entity handling that information.

The Australian Federal Police is an APP entity under the Act.

It appears that information about agents engaged by the Australian Federal Police overseas has been stolen from the Colombian Government in a cyber attack.  That information includes the identities of the agents. Given that the murder rate in Colombia is three times that of the United States and drug cartels still operate in that part of Latin America, the safety of those agents is more important than a possible breach of the Privacy Act.  There would be a real issue about Read the rest of this entry »

Woolies suffers a data breach through its MyDeal customers

October 16, 2022

Loyalty and rewards programs are just sophisticated data gathering machines.  Whatever benefits clients obtain from these programs, the price is the constant collection of data.  The adage applies: “If you are getting something for free, you are the product.” And so it is with the Woolies MyDeal program.  It needs data, lots of it, to help Woolies make offers and determine trends.

There is nothing exceptional in any of that, except when there is a cyber attack.  That is what has happened, as the Guardian reports in Woolworths says 2.2 million MyDeal customers’ details exposed in data breach.

The Guardian article provides:

Millions of customers’ details have been exposed in a major data breach at an online shopping site owned by the retail giant Woolworths.

The company says a compromised user credential was used to get access to customer information from the MyDeal website. Read the rest of this entry »

Medibank Private suffers a cyber security breach

October 13, 2022

As if to underscore the need for better cyber security and privacy reform, Medibank reportedly suffered a cyber attack yesterday, according to itnews in Medibank takes systems offline after ‘cyber incident’.  In response Medibank shut down two customer facing systems.  According to the ABC, the insurer says there is no evidence that sensitive data has been accessed.

Interestingly, the ABC reports on a surge of interest in cyber security professionals in Since the Optus data breach, Australia is desperate for cybersecurity professionals. You could become one without a university degree, which is quite general.  The awareness of the need for cyber experts, actually privacy experts, has been growing for Read the rest of this entry »

Federal Government to expedite 3 reforms to the Privacy Act in light of the Optus data breach

In a speech at the National Press Club the Attorney General, Mark Dreyfus, announced 3 privacy reforms to be made ahead of a more comprehensive amendment of the Privacy Act.  Those reforms are:

  • tougher penalties,
  • data retention limits and
  • anti-fraud measures

Each of the above reforms is welcome.  Legislating them outside of a broader and more comprehensive amendment to the Privacy Act is not best practice by any means.  Legislating tougher penalties is long overdue, but increasing penalties when the legislation is going to be amended within 12 months has little practical impact.  A case brought today would not be resolved within 12 months based on the current state of the Federal Court list.  Data retention limits are Read the rest of this entry »

Another poll on privacy again finds that Australians care about their privacy and want tougher rules.

October 12, 2022

Today’s Sydney Morning Herald reports on a Resolve Political Monitor poll that finds that a clear majority of voters want tougher privacy rules.  The findings themselves are hardly new.  Wherever and whenever there have been polls on privacy, people consistently express concern about the lack of privacy, the use of their personal information and the need for stronger rules. The attitudes and concerns of Australians and Americans do not differ markedly.  That has not resulted in governments doing all that much to improve privacy protections.

Even if the poll does not reveal anything radically new, the timing is significant after the Optus Data Breach.

The article Read the rest of this entry »

The Australian Information Commissioner opens an investigation into Optus regarding its data breach

October 11, 2022

Today the Australian Information Commissioner initiated an investigation.  In other jurisdictions this step by a regulator is quite common.  It is far less so in Australia.  It is clearly required given the size of the data breach, the likely cause and the consequential events as Optus has struggled to remediate the damage.

The Commissioner’s statement Read the rest of this entry »

Singtel subsidiary, Dialog, suffers a data breach involving personal information of 1,020 people

Singtel’s woes continue.  Singtel’s Australian IT firm Dialog has announced it suffered a data breach just weeks after the Optus breach. It involved 1,000 employees and 20 customers.  As is the way of it, the media coverage has been considerable and unwelcome (to Singtel).  That is one of the almost inevitable effects of a data breach.

Dialog released a statement which provided:

The Dialog Group (Dialog) today confirmed that the company has experienced a cyber security incident in which an unauthorised third party may have accessed company data, potentially affecting fewer than 20 clients and 1,000 current Dialog employees as well as former employees.

Dialog has notified the relevant authorities and is supporting those who may be impacted to protect against the risk of fraudulent activity.

On Saturday 10 September 2022, Dialog detected unauthorised access on our servers, which were then shut down as a preventative measure. Within two business days, our servers were restored and fully operational.

We contracted a leading cyber security specialist to work with our IT team to undertake a deep forensic investigation and continuous monitoring of the Dark Web. Our ongoing investigations showed no evidence of unauthorised downloading of data.

On Friday 7 October 2022 we became aware that a very small sample of Dialog’s data, including some employee personal information, was published on the Dark Web.

We are doing our utmost to address the situation and, as a precaution, we are actively engaging with potentially impacted stakeholders to share information, support and advice.

It is not a particularly statement Read the rest of this entry »