October 4, 2022
The US Supreme Court on Monday agreed to hear argument about the constitutionality of section 230 of the Communications Decency Act. The case on appeal, Gonzalez v Google, is brought by an unsuccessful applicant from a decision of the US Court of Appeals for the Ninth Circuit.
Section 230 has provided to Social Media sites and has come under growing criticism with the growing power of and, some say, aggression of content
Telstra has suffered a data breach involving the personal information of 30,000 current and former staff. The cause was fairly typical of such data breaches: a third party provider, in this case the operator of the Telstra rewards program. The story gets full coverage in Telstra staff suffer data breach as names and email addresses uploaded to dark web forum.
Just to put matters into perspective, over approximately the same period:
The Guardian has published an Essential Poll finding that 51% of respondents support restrictions on the amount of personal information private companies can collect. That tallies with a Pew Research Center finding in November 2019 that Americans were concerned about data collection. The Australian Information Commissioner also published a survey of Australian Community Attitudes to Privacy in 2020. EPIC also described a similar outcome from a poll by Morning Consult in 2021.
These findings are all consistent and hardly secret. Similar polls have had similar findings for more than a decade. It is governmental inertia that prevents anything from being done about the problem.
October 2, 2022
Optus is very slowly applying the basic principles of a data breach response plan. But grudgingly and so reluctantly that the benefits of having a plan are lost. It refused to provide any help initially to those affected, merely suggesting they get assistance from services it helpfully listed in its original letter. That never works. So it engaged Equifax to help “most affected customers.” Still miserly. It wasn’t candid about what personal information was compromised. It failed to say that some Medicare numbers were part of the hacker’s haul. That brought on a savage response from the Home Affairs Minister.
With Operation Guardian, the Australian Federal Police taskforce and investigation to find the hacker, the focus has shifted ever so slightly away from the incredibly poor response to the data breach. On 30 September Optus, the Australian Federal Police and other agencies and organisations issued a joint media release about the Optus data breach which states:
The AFP and state and territory police have set up Operation Guardian to supercharge the protection of more than 10,000 customers whose identification credentials have been unlawfully released online under the Optus data breach.
Customers affected by the breach will receive multi-jurisdictional and multi-layered protection from identity crime and financial fraud. The 10,000 individuals, who potentially had 100 points of identification released online, will be prioritised.
Politics and cyber security continue to occupy the same field in the Optus data breach saga. In ‘Bloody useless’: Companies could be forced to report data breaches after hacks the Home Affairs Minister Clare O’Neil has expressed exasperation about the weakness, if not uselessness, of the data breach notification regime. That is hardly a secret, and hardly a surprise: the weaknesses of the data breach notification scheme were obvious right at the outset. I have been writing on this for ages.
September 29, 2022
Writing about privacy and the deficiencies in the law is to feel like Cassandra. Cassandra was a Trojan priestess of Greek mythology who was given the gift of prophecy, but was also cursed by the god Apollo so that her true prophecies would not be believed.
With the Optus data breach people have suddenly discovered the problems I have been writing about for years, as if it were a new discovery. That is typified by an ABC article, What does the Optus data breach reveal about corporate governance problems around cyber security?, the Australian Financial Review with Customer data should not be a corporate asset: Dreyfus, and the
The Chilean judicial system has suffered a ransomware attack requiring it to take 150 computers offline to stop the spread of the malware, as reported in Chilean Court System Hit With Ransomware Attack. The trojan program entered the system via a phishing email, a typical entry point for ransomware. The report states:
The Chilean judicial system yanked 150 computers offline to stop the spread of a virus that maliciously encrypts files even as authorities stressed that court proceedings were mostly unaffected.
The event is the latest cyber disruption affecting the South American country. The nation’s consumer protection agency was hit by a ransomware attack that started on Aug. 25 (see: Chile Consumer Protection Agency Hit by Ransomware Attack) and just days ago, hundreds of thousands of emails hacked from the military’s Joint Chiefs of Staff were published online.
As a practitioner in the privacy area I find it fascinating to see how a sophisticated telco has pretty much done everything wrong in responding to the data breach. Its original notification was poorly drafted and vague. Getting a CEO to front the media is a real gamble, and it did not pay off. Optus is stubbornly refusing to give any insight into what actually happened. It is possible to provide a broad outline without compromising work being undertaken or any commercial-in-confidence information (which is difficult to see applying). Optus was less than candid about what data was compromised, failing to mention that Medicare numbers were included in the personal information stolen. Optus has been slow in advising its customers what they can do. It has been incredibly miserly in providing assistance through the use of credit reporting. It has grudgingly agreed to pay for the replacement of drivers’ licences. If it had a data breach response plan, which is doubtful, it was probably drafted by Telstra. It has failed to take control and get ahead of the news cycle and in the process has been attacked from all sides. Much of that is self-inflicted, though there is an element of opportunism in some of the political attacks.
An example of Optus’s dreadful communications is its late and seemingly reluctant advice that Medicare numbers had been compromised. It provided a statement only yesterday. It said:
Of the 9.8 million customer records exposed, we have identified 14,900 valid Medicare ID numbers that have not expired. All of the customers who have a Medicare card that is not expired will be contacted within 24 hours. There are a further 22,000 expired Medicare card numbers exposed. Out of an abundance of caution they will also be contacted directly over the next couple of days.
Please be assured that people cannot access your Medicare details with just your Medicare number. If you are concerned or have been affected, you can replace your Medicare card as advised by Services Australia.
Our call centres will not have further information to assist on this matter. We are in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take.
Medicare numbers being stolen causes the public incredible concern. But the reality is
September 28, 2022
The Federal Trade Commission has been taking action against companies for misusing the personal information of children. The UK Information Commissioner’s Office has also taken action on that front, against TikTok. It has issued a notice of intent against TikTok for failing to protect children’s privacy.
Data breaches in other jurisdictions rarely draw governments into both the circumstances of the breach and the steps being taken to remedy it. Usually regulators are the limit of governmental involvement. There have been exceptions: the Cambridge Analytica scandal involving Facebook attracted widespread condemnation from political parties across multiple jurisdictions. But the Federal and now State Governments’ involvement in the Optus data breach, both as critics and active participants, is unusual, probably because it is such a massive data breach and it involves a major telco. Whether this is good practice remains to be seen. The initial and ultimate responsibility for cyber security and for remedying a data breach lies with the organisation itself. The Federal Government has a critical role in ensuring there is the appropriate level of regulation and a regulator which is willing and able to enforce the laws.
The Australian reports in Scramble to save millions of Optus customers that Australians are in the dark about the security of their personal information and that governments and banks are working to protect them. It reheats a story first run by the Guardian that Optus resisted any legislative change to the privacy laws.