Survey finds 51% of respondents want stronger privacy laws. This tallies with overseas polls on privacy and data collection

October 4, 2022

The Guardian has published an Essential Poll finding that 51% of respondents support restrictions on amount of personal information private companies can collect.  That tallies with a Pew Research Center finding in November 2019 that Americans were concerned about data collection. The Australian Information Commissioner also published a survey of Australian Community Attitudes to Privacy in 2020. EPIC also described a similar outcome from a poll by Morning Consult in 2021.

These findings are all consistent and hardly secret.  Similar polls have had similar findings for more than a decade.  It is governmental inertia that prevents anything from being done about the problem.

The Guardian article Read the rest of this entry »

Optus Data breach with Optus dragged to covering more costs and it becoming a mini political battle ground

October 2, 2022

Optus is very slowly applying the basic principles of a data breach response plan.  But grudgingly and so reluctantly that the benefits of having a plan are lost. It refused to provide any help initially to those affected, merely suggesting they get assistance from services it helpfully listed in its original letter.  That never works.  So it engaged Equifax to help “most affected customers.”  Still miserly.  It wasn’t candid about what personal information was compromised.  It failed to say that some Medicare numbers were part of the hacker’s haul.  That brought on a savage response from the Home Affairs Minister.

With Operation Guardian, the taskforce an investigation by the Australian Federal Police to find the hacker, the focus has shifted ever so slightly away from the incredibly poor response to the data breach. On 30 September Optus and the Australian Federal Police and other agencies and organisations issued a joint media release about the Optus data breach which states

The AFP and state and territory police have set up Operation Guardian to supercharge the protection of more than 10,000 customers whose identification credentials have been unlawfully released online under the Optus data breach.

Customers affected by the breach will receive multi-jurisdictional and multi-layered protection from identity crime and financial fraud. The 10,000 individuals, who potentially had 100 points of identification released online, will be prioritised. Read the rest of this entry »

Somebody in government realises that the Australian data breach notification regime is “bloody useless”. Hardly a revelation.

Politics and cyber security continue to occupy the same field in the Optus Data Breach now saga.  In ‘Bloody useless’: Companies could be forced to report data breaches after hacks the Home Minister Clare O’Neil has expressed exasperation about the weakness, if not uselessness, of the data breach notification regime.  It has hardly been a secret.  Right at the outset the weaknesses of the data breach notification scheme were obvious.  It has hardly been a surprise. I have been writing on this for ages. 

The story Read the rest of this entry »

Post optus data breach discovery of the problems with privacy…which has been known about for decades

September 29, 2022

Writing about privacy and the deficiencies in the the law is to feel like Cassandra.  Cassandra a Trojan priestess of Greek mythology who was given the gift of prophecy, but was also cursed by the god Apollo so that her true prophecies would not be believed.

With the Optus data breach suddenly people have discovered the problems I have been writing about for years.  As if it is a sudden discovery.  That is typified with an ABC article What does the Optus data breach reveal about corporate governance problems around cyber security?, the Australian Financial review with Customer data should not be a corporate asset: Dreyfus and the Read the rest of this entry »

Chilean Court system suffers a ransomware attack

The Chilean judicial system has suffered a ransomware attack requiring it to take 150 computers off line to stop the spread of a virus as reported in Chilean Court System Hit With Ransomware Attack.  The trojan program entered the system via a phishing email.  A typical entreport for ransomware software.

It provides:

The Chilean judicial system yanked 150 computers offline to stop the spread of a virus that maliciously encrypts files even as authorities stressed that court proceedings were mostly unaffected.

The event is the latest cyber disruption affecting the South American country. The nation’s consumer protection agency was hit by a ransomware attack that started on Aug. 25 (see: Chile Consumer Protection Agency Hit by Ransomware Attack) and just days ago, hundreds of thousands of emails hacked from the military’s Joint Chiefs of Staff were published online. Read the rest of this entry »

Optus Data Breach, enter the theorists

As a practitioner in the privacy area I find it fascinating to see how a sophisticated telco has pretty much done everything wrong in responding to the data breach.  Its original notification was poorly drafted and vague.  Getting a CEO to front the media is a real gamble which did not pay off.  Optus is stubbornly refusing to give any insight into what actually happened.  It is possible to provide a broad outline without compromising work being undertaken or any commercial in confidence information (which is difficult to see applying).  Optus was less than candid about what data was compromised, failing to mention that Medicare numbers were included in the personal information stolen.  Optus has been slow in advising its customers what they can do.  It has been incredibly miserly in providing assistance through the use of credit reporting.  It has grudgingly agreed to pay for the replacement of drivers licences.  If it had a data breach response plan, which is doubtful, it was probably drafted by Telstra.  It has failed to take control and get ahead of the news cycle and in the process has been attacked from all sides.  Much of that is self inflicted though there is an element of opportunism in some of the political attacks.

As an example of Optus’s dreadful communications has been its late and seemingly reluctant advice that Medicare numbers had been compromised.  It provided a statement only yesterday.  It said:

Of the 9.8 million customer records exposed, we have identified 14,900 valid Medicare ID numbers that have not expired. All of the customers who have a Medicare card that is not expired will be contacted within 24 hours. There are a further 22,000 expired Medicare card numbers exposed. Out of an abundance of caution we they will also be contacted directly over the next couple of days.

Please be assured that people cannot access your Medicare details with just your Medicare number. If you are concerned or have been affected, you can replace your Medicare card as advised by Services Australia.

Our call centres will not have further information to assist on this matter. We are in contact with Services Australia and we will be letting all affected customers know the guidance on the steps they can take.

Medicare numbers being stolen causes the public incredible concern.  But the reality is Read the rest of this entry »

UK Information Commissioner advises that TikTok could face a 27 million pound fine for failing to protect children’s privacy

September 28, 2022

The Federal Trade Commissioner has been taking action against companies for misusing the personal information of children.  The UK Information Commisioner’s Office has also taken action on that front, against TikTok.  It has issued a notice of intent against TikTok for failing to protection children’s privacy.  The statement Read the rest of this entry »

Optus data breach, the remediation and no shortage of continuing recrimination

Data breaches in other jurisdictions rarely have governments drawn into both the circumstances of the data breaches and steps being taken to remedy them.  Usually regulators are the limit of governmental involvement. There have been exceptions.  The Cambridge Analytica scandal involving Facebook attracted widespread condemnation from political parties across multiple jurisdictions. But the Federal and now State Government’s involvement in the Optus Data Breach both as critics and active participants is unusual.  Probably because it is such a massive data breach and it involves a major telco.  Whether this is a good practice will be seen. The initial and ultimate responsibility for cyber security and remedying a data breach is the organisation itself.  The Federal Government has a critical role in ensuring there is the appropriate level of regulation and a regulator which is willing and able to enforce the laws.

The Australian reports in Scramble to save millions of Optus customers that Australians are in the dark about the security of their personal information and that governments and banks are working to protect them  It reheats a story first run by the Guardian that Optus resisted any legislative change to the privacy laws. 

The article Read the rest of this entry »

Optus data breach, politics starts intruding with scalp hunting season opening…to the detriment of fixing the problem.

September 27, 2022

At the end of this debacle it is likely that there will be changes of personnel at Optus.  And that would not just be the Chief Executive feeling some pressure to find greener pastures.  The head of IT, the in house media unit, the privacy officer, the head of the in house legal team and probably anyone who had any role in installing and operating cyber security should all be put under some scrutiny.  All of them would have some role in preventing the data breach and then remediating the damage.  The latter has just been dreadful.  But calling for the head of the Chief Executive at the moment is counterproductive and is a reversion to form in this field, short term hits which distracts from the boring hard graft of fixing the problem.  It takes months and sometimes longer to resolve the problem, technical, reputational and legal.  And lots and lots of money.  Losing a chief executive or any other high level manager for that matter gives politicians something to crow about, some customers some satisfaction and the media plenty of ink to spill upon.  But it is most likely counterproductive for the company and the victims of the hack.

Both the Government and the Opposition have increasingly wielded the knife in the public discourse.  The Opposition Cyber Security Spokesman has been frenetically releasing posts attacking the Government’s response and  telling it to make cyber security a priority. The data breach is primarily Optus’s problem to fix.  Clearly Government resources are being put to use in fixing that problem however it is bad policy for the government to step into Optus’s shoes or even have that option. In the Age’s Optus boss digs in over cyberattack as government fury grows it is clear that responding to the data breach is not confined to the lost personal information.  The Government has moved from being a party that can assist to a more adversarial role, at least Read the rest of this entry »

Optus data breach, Federal Government continues criticism of Optus through other ministers

Optus continues to be the target of criticism, if not direct political attack, from Federal Government ministers, the Attorney General Mark Dreyfus and Defence Minister Richard Marles states that the data breach should never have occurred as reported in the Australian’s ‘Data breach should never have happened’: Dreyfus, which provides:

Attorney-General Mark Dreyfus has doubled down on the government’s criticism of Optus in allowing the massive breach of customer data.

“Australians expect that when they hand over their personal data, every effort will be made to keep it safe from harm,” he said.

“We know that millions of Australians have been impacted by the Optus data breach, and it is a data breach that should never have happened.

“It involves the release of Australian citizens’ names, date of birth, phone numbers, email addresses, residential addresses and, for some customers, passport numbers and driver’s license numbers being apparently for sale on the dark web.”

Mr Dreyfus said the government was concerned by reports that personal information from the Optus data breach also included Medicare numbers.

“Medicare numbers were never notified as forming part of the breach,” he said.

“I can say that Optus has a clear obligation to notify affected customers, affected individuals, which of course includes both past customers of Optus and present customers of Optus.

“Optus has a clear obligation to notify both the affected individuals and the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. Consumers have also got a right to know exactly what individual personal information has been compromised in Optus’s communications to them.”

Acting Prime Minister Richard Marles said the breach was “a wake-up call for corporate Australia”.

“I know now that cyber security is right there in the top echelon of issues … and we need to be doing everything we can to make sure protections are in place,” he said.

Yesterday the Home Affairs Minister, Clare O’Neil was making her displeasure with Optus known in her interview with Rafael Epstein in Read the rest of this entry »