Metricon Homes, Australia’s largest home builder, suffers ransomware attack

July 30, 2025

Metricon Homes has been hit with a ransomware attack by Qilin. Qilin is a cyber criminal organisation that operates as a ransomware-as-a-service whose modus operandi is to seize data and threaten to publish it on its Dedicated Leak Site (“DLS”), which is hosted on Tor. It was first detected in July 2022. It operates Agenda ransomware, which supports multiple encryption modes. It targets large enterprises and its usual mode of entry is through phishing or spear phishing emails. It has also accessed exposed applications such as Citrix and Remote Desktop Protocol. As an aside, “qilin” refers to a mythical creature in Chinese folklore, often described as a hooved, chimerical beast with a mix of dragon, deer, and ox features. It is a symbol of good omens, prosperity, and wisdom, and is said to appear during times of peace, prosperity, or the presence of a sage or benevolent ruler. Notwithstanding the Chinese symbolism, Qilin is a Russian-speaking group. It is quite effective. Cyberdaily reports that Metricon has confirmed an attack by Qilin. Metricon has released a statement, of sorts, which says not much of anything. Definitely not best practice. Apparently other statements have been released but are not accessible to the general public yet. Cyberdaily’s description of Qilin’s communication is consistent with its usual practice.

It is much too early to comment on how the breach occurred, and by the look of it Metricon will be parsimonious with information. But given Qilin is known for phishing and spear phishing it is a timely reminder for companies to properly train staff and IT

Litigation from data breach. Clorox suffers data breach caused by logins provided by staff at Cognizant, its IT services company. Clorox is suing Cognizant claiming $580 million in damages

July 29, 2025

Third party access by hackers is so widespread as to be almost ubiquitous. Scattered Spider is so prolific these days in hacking high value companies that it is almost ubiquitous. Both are present in the dispute in the USA between Clorox, a large manufacturer of disinfectant/bleach, and Cognizant, a large IT service provider.

In August 2023 Clorox first disclosed to the SEC that it had suffered a data breach which would disrupt parts of its operations. The cyber attack damaged part of its IT infrastructure, which led to disruption of signature products and forced it to manually process orders. In a filing with the SEC a month later, Clorox advised that the hack caused lower production rates and predicted that its sales would be 23 – 28% down as well as a loss of share price ranging from 35 – 75 cents, processing delays and product outages. As at November 2023 it estimated that it had suffered damages of $358 million. The cause of the data breach was access via its IT provider, Cognizant. Clorox alleges a hacker rang up staff at Cognizant and asked for Clorox’s system login and it was provided. It has issued proceedings in the California Superior Court.

Bleeping Computer reports in Hackers fooled Cognizant help desk, says Clorox in $380M cyberattack lawsuit that Clorox alleged that Cognizant fell for social engineering by a hacker without verifying the caller’s actual identity. The claim alleges that Cognizant didn’t follow the proper procedures and in fact reset credentials multiple times without identity verification. What makes this case interesting is that Cognizant is defending the claim quite aggressively and alleges that Clorox had inept internal cybersecurity and failed to mitigate the attack. It also alleges that the scope of the engagement between Clorox and Cognizant was narrow and confined to help desk services, which Cognizant reasonably performed. As such there will be issues of contract, tort and the issue of mitigation of damages.

While the proceeding will be conducted in California, the principles that will be the subject of dispute are applicable in Australia under Australian law. It is worth following this case closely.

The Bleeping Computer article provides:

Clorox is suing IT giant Cognizant for gross negligence, alleging it enabled a massive August 2023 cyberattack by resetting an employee’s password for a hacker without first verifying their identity.

The incident was first made public in September 2023, reportedly carried out by hackers associated with Scattered Spider, who utilized a social engineering attack to breach the company.

The Information Commissioner releases its regulatory action priorities for 2025 – 26

Today the OAIC released its regulatory action priorities for 2025 – 26. In the privacy sphere the Commissioner states that it is:

Rebalancing power and information asymmetries

The OAIC will focus on sectors and technologies that compromise rights and create power and information imbalances including:

    • the rental and property, credit reporting and data brokerage sectors
    • advertising technology (Ad tech) such as pixel tracking
    • practices that erode information access and privacy rights in the application of artificial intelligence
    • excessive collection and retention of personal information
    • systemic failures to enable timely access to government information

Rights preservation in new and emerging technologies

The OAIC will protect and uphold privacy and information access rights when dealing with new and emerging technologies with high impact, including:

    • facial recognition technology and forms of biometric scanning
    • new surveillance technologies such as location data tracking in apps, cars and other devices
    • the preservation of both privacy and information access rights in government use of artificial intelligence and automated decision making.

It is interesting to note that the Commissioner has previously flagged a focus on data collection by cars. The Commissioner has already taken action in relation to facial recognition technology.

The media release

Tea app data breach results in 72,000 images of women being accessed

Tea is marketed as a dating safety app. It is used by women to do background checks on men and, anonymously, share “red flag” behaviour of men. It is a women-only app with 1.6 million users. It has not been without controversy. Last week it confirmed that it had been hacked and there had been “unauthorised access” to 72,000 images submitted by women. The hackers reportedly stole 13,000 user photos and IDs. Additionally there was access to 59,000 images of posts, comments and direct messages from over 2 years ago. The likely entry point for the hackers was an unsecured Firebase storage bucket used to store driver’s licences, selfies and government ID verification.

The story is reported by the BBC in Hackers steal images from women’s dating safety app that vets men. It is covered by AP in The Tea app was intended to help women date safely. Then it got hacked and NBC’s Hackers leak 13,000 user photos and IDs from the Tea app, designed as a women’s safe space. That was the initial knowledge of the hack. Bad enough. But Bleeping Computer reports in Tea app leak worsens with second database exposing user chats that the leak was much larger, with 1.1 million personal messages stolen and shared on hacking forums.

Given the purpose for which the app was set up, with its very confidential communications and images of users who would prefer to remain anonymous, or at least known only within the app community, the data security was completely

US insurance firm Allianz Life suffers a massive data breach where most customers’ personal information was stolen

July 28, 2025

Allianz Life is one of America’s largest insurance companies. It has suffered a data breach in which a majority of its customers’ personal information was stolen. While it concedes the extent of the mistake in broad terms, it has refused to put a number on those affected. CBS reports that Allianz Insurance Company of North America has 1.4 million customers.

Access came through a third party cloud-based CRM system used by the company. Third party access is now a preferred means of access by many hackers. Third party providers often have less extensive protections and it is often easier to get authorisations.

The data breach is reported by Tech Crunch with Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack. Allianz filed notice of the data breach with the Maine Attorney General.

The Tech Crunch story provides:

U.S. insurance giant Allianz Life has confirmed to TechCrunch that hackers stole the personal information of the “majority” of its customers, financial professionals, and employees during a mid-July data breach.

Doctor accused of secretly filming colleagues at Austin Hospital and elsewhere…Criminal charges laid but it also highlights how the statutory tort of serious invasion of privacy has filled a civil void for those that wish to use it

July 27, 2025

The charges against Ryan Cho, a junior doctor who worked at Austin Hospital, arising out of his alleged use of video devices in staff toilets, have grown from a charge of stalking and using an optical device earlier this month (see my post here) to five new offences. According to a Victoria Police media release, and as reported by the ABC, last Friday Cho was charged with 5 further offences, most relevantly 3 counts of producing an intimate image and 1 count of using an optical surveillance device. The alleged offences are now believed to have occurred in more than one health facility. According to the ABC, Victoria Police allege that Cho had over 10,000 “pieces of images” and videos relating to at least 460 females.

The focus of the story is the alleged criminality of the conduct. And why not. It is a big story and there is a strong interest by the public and public interest (2 very different concepts) in the issue. The legislatures in Australia were very quick to respond to the practice of surreptitious filming, usually of women by men, in very private places, such as showers, toilets and change areas. That response however was confined to criminalising such conduct. That is appropriate. But there are limitations for the victims in this process. In criminal cases it is the Crown, in indictable cases, or the police Informant, in summary jurisdiction cases, which commences and conducts prosecutions. It is the Crown/Informant which may enter a plea deal. In some cases some form of monetary order may be made but it is not the same as an assessment of damages. And it is the prosecutor’s discretion to seek such orders.

For years the State legislatures refused to legislate a civil right of action for interferences with privacy. In Victoria the limited scope for action was confined to breaches by government entities under the Privacy and Data Protection Act. It is an ineffective process and the results at the Victorian Civil and Administrative Tribunal have been very unsatisfactory. On top of that its use is confined to the Victorian Government, its agencies and entities, or those providing services on their (as the case may be) behalf. While the Victorian Government, like many government entities, has had major privacy fails and data breaches, those incidents are only a small subset of the total number of privacy interferences, misuses of private information and data breaches in Victoria (let alone the rest of Australia).

Equity responded to the lack of statutory privacy protection and the inability of individuals to take action to protect their privacy with the Victorian Court of Appeal decision of Giller v Procopets [2008] VSCA 236. It extended the claim of breach of confidence into a claim of misuse of private information, following the UK authorities. It was and is not a good fit in many privacy related breaches. The law developed at a glacial pace in this generally unsatisfactory environment. That said, the High Court in Smethurst v Commissioner of Police [2020] HCA 14 came tantalisingly close to recognising a stand alone right to privacy as an actionable tort, as the UK Court of Appeal did in Vidal-Hall v Google Inc [2015] EWCA Civ 311. In Smethurst the Appellant deliberately did not want the High Court to continue consideration of a claim for breach of privacy. Their Honours Kiefel CJ, Bell and Keane JJ stated, at [48] (absent footnotes):

The plaintiffs’ principal claim to an injunction is based upon the Court’s auxiliary jurisdiction in equity. This would ordinarily require that it be granted in aid of some legal right or interest or title to property. The plaintiffs make no claim to the property in the AFP’s USB stick. They do not claim a right to privacy which is actionable for breach. They do not ask this Court to continue the debate, left open by Gummow and Hayne JJ in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd, as to whether the courts should recognise such a tort. The plaintiffs nevertheless contend that an injunction should be granted to reverse or protect them from the effects of the trespass committed as a result of the Second Warrant being invalid. Those effects are that the information may be used to further the investigation as to whether offences against s 79(3) of the Crimes Act have been committed and, if charges are laid, as evidence of the commission of those offences.

(Emphasis added)

The reason for the Appellant’s reluctance in pressing the question of privacy and “continuing the debate” (which the High Court was most definitely interested in having) is that the media was in 2020, just as it is today, very hostile to the idea of a tort of privacy. It wanted the relief sought and a finding against the Commissioner of Police, but on a more confined basis. That was a great opportunity wasted, but fortunately the legislature has finally enacted a statutory tort of serious invasion of privacy. Whether the tort the High Court may have found would have been a superior form of protection to what has been enacted is something we will never know.

The Federal Government enacted a statutory tort of serious invasion of privacy which came into effect on 10 June 2025.

With the operation of the statutory tort of serious invasion of privacy the gap in the civil law has been closed. It is able to provide some measure of justice and compensation for victims of the behaviour as alleged in this case.

The elements of a statutory tort of serious invasion of privacy are set out in section 7(1) of Schedule 2 of the Privacy Act 1988 and they are:

(1)       An individual (the plaintiff ) has a cause of action in tort against another person (the defendant ) if:

(a)     the defendant invaded the plaintiff’s privacy by doing one or both of the following:

(i)      intruding upon the plaintiff’s seclusion;

(ii)     misusing information that relates to the plaintiff; and

Vale Hulk Hogan. His win against Gawker Media dispelled the myth that the First Amendment trumps, and tramples, privacy rights in the United States. The case provides interesting insights into the use of the statutory tort of serious invasion of privacy in Australia

Terry Gene Bollea (known professionally as Hulk Hogan) was a major celebrity in the curious world of American wrestling and subsequently a big media personality. Always good copy.

For lawyers he is at least as well known for winning a very significant privacy case in 2016, the Hulk Hogan v Gawker case, where he defeated Gawker Media (citation Gawker Media, LLC v. Bollea, 129 So.3d 1196 (Fla. 2d DCA 2014); 170 So.3d 125 (Fla. 2d DCA 2015)). The case demonstrated that not everything a media company does is protected under the First Amendment. Gawker Media was an online gossip tabloid which specialised in salacious coverage of celebrities’ private lives. I covered the verdict with posts in March 2016 here and here.

In a trial in Florida in 2016 Hogan won a privacy claim against Gawker which claimed protection under the First Amendment.

It was and remains a very significant case and one which has influenced jurisprudence in the United States of America.

The facts in brief summary are:

  • In 2006, Bollea was videotaped while having sex with Heather Clem, his friend’s wife. He claimed the videotaping was undertaken without his knowledge or consent. On The Howard Stern Show, Bollea told Stern that he had slept with Heather with Bubba Clem’s (Heather Clem’s husband) blessing and his encouragement because he was so burnt-out from the trauma of his coming divorce that he finally gave in to the “relentless” come-ons from Heather who “kept going down that road.”
  • On October 4, 2012, Gawker editor A. J. Daulerio published a two-minute extract from the 30-minute video, including 10 seconds of explicit sexual activity.
  • Bollea originally sued Gawker for copyright infringement in the United States District Court for the Middle District of Florida, seeking a temporary injunction. U.S. District Judge James D. Whittemore denied Bollea’s motion, ruling that the validity of the copyright was in question, and that given the degree to which Bollea had already put his own private life into the public arena, the publication of the video might be protected by fair use.
  • Bollea withdrew his case in the US district court and sued Gawker in Florida state court.
  • Bollea’s request for an injunction was granted by Judge Pamela Campbell in 2013. Gawker announced that it would not comply with the part of the court order requiring the removal of the post and associated commentary because it deemed the order “risible and contemptuous of centuries of First Amendment jurisprudence.” Gawker removed the video itself, but linked readers to another site hosting the video.
  • The injunction was stayed on appeal, and was denied in 2014 by the appeals court, which ruled that under the circumstances it was an unconstitutional prior restraint on speech under the First Amendment.
  • The trial in 2016 ran for two weeks. Gawker argued that Bollea made his sex life a public matter, although on cross-examination, when asked by Bollea’s lawyer whether a depiction of his genitalia had any “news value”, former Gawker editor AJ Daulerio responded “no”. Bollea said that comments made in interviews were done in his professional wrestling character, an on-air persona different from his own.
  • On March 18, 2016, the jury delivered a verdict in favor of Bollea. The jury awarded him $115 million in compensatory damages, which included $60 million for emotional distress. The jury awarded Bollea an additional $25 million in punitive damages on March 21.
  • On June 9, 2016, Gawker filed a motion for a stay of execution of judgment pending appeal. In the motion and accompanying affidavits from Gawker Media personnel, the company stated that it could not afford to pay the $140.1 million judgment or the $50 million appeal bond.
  • On June 10, 2016, Gawker filed for Chapter 11 bankruptcy protection and put itself up for sale.
  • Univision Communications bought Gawker Media’s assets for $135 million at a bankruptcy auction on August 16, 2016 which included six Gawker websites—Deadspin, Gizmodo, Jalopnik, Jezebel, Kotaku, and Lifehacker.
  • On November 2, 2016, Gawker Media and Bollea reached a $31 million settlement. As a result of the settlement, Gawker forwent its appeal and three articles from gawker.com were taken down, including the one involving Bollea.

Schedule 2 of the Privacy Act 1988 contains the provisions giving effect to the statutory tort of serious invasion of privacy. How relevant is the Hulk Hogan case to the consideration of Australia’s statutory tort? On its face little. An issue in the Hulk Hogan case was whether the material published by Gawker Media had news value. And the witness for Gawker said “no.” Under section 15(1) of Schedule 2 the statutory tort does not apply “..to the extent that the invasion of privacy involves the collection, preparation for publication or publication of journalistic material” while section 15(1A) provides that “..This Schedule does not

Age verification requirements under the Online Safety Act come into effect…

From 27 December 2025 in Australia there will be mandatory age verification on search engines used in Australia, such as Google. The failure to do so will result in fines of almost $50 million per breach. For those under the age of 18, search engines will filter out pornography, high impact violence and other content. How successful this will be is yet to be seen. Filters have a dismal history on the internet. They have been too light touch, too heavy handed or had a poor interpretation of what pornography or high impact violence is. The amendments have largely been implemented without much notice. The Government has legislated age restriction on the use of social media with Part 4A of the Online Safety Act 2021.

In the UK, effective 25 July 2025, sites and apps must implement “age-gating” methods to protect children from accessing harmful content. The regulator is, with no doubt unintended Orwellian undertones, the Office of Communications (Ofcom). The age-gating methods are required to identify which users are children and then prevent them from accessing pornography, as well as self-harm, suicide, and eating disorder content amongst others.

The age verification requirements are

UK Data (Use and Access) Act 2025 Commencement No.1 Regulations published

July 26, 2025

Data protection laws are undergoing some refining in the UK with the Data (Use and Access) Act 2025 (DUAA). The DUAA received Royal Assent on June 19, 2025. On July 21, 2025, the Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025 were published. The DUAA reforms how the UK manages non-personal and personal data. The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). The aim is to change data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst still protecting people and their rights.

The UK legislation is significantly more prescriptive than the Privacy Act 1988. That is not surprising given it was based on the GDPR. It is also structured very differently. It is useful to be aware of changes to UK legislation, as Australian legislation can be influenced by the UK legislation over time.

The Long title to the Bill states:

A bill to make provision about access to customer data and business data; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about the recording and sharing, and keeping of registers, of information relating to apparatus in streets; to make provision about the keeping and maintenance of registers of births and deaths; to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about privacy and electronic communications; to establish the Information Commission; to make provision about information standards for health and social care; to make provision about the grant of smart meter communication licences; to make provision about the disclosure of information to improve public service delivery; to make provision about the retention of information by providers of internet services in connection with investigations into child deaths; to make provision about providing information for purposes related to the carrying out of independent research into online safety matters; to make provision about the retention of biometric data; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about the creation and solicitation of purported intimate images and for connected purposes.

The Government states

UK Information Commissioner’s Office releases strategy for use of AI and biometrics

July 24, 2025

The UK Information Commissioner has responded to the growing concern about the development and use of AI and biometrics and its impact on privacy. He has released an AI and biometrics strategy.

The strategy,