Peter A Clarke

Universities are prime targets for data breaches. They offer so many opportunities for entrance, often through stolen or easily discerned authorisations. They also have legacy issues with ill fitting computer systems cobbled together with mergers and patch ups. The latest victim is the University of Western Australia whose data breach has been reported by the ABC in University of Western Australia suffers major data breach, staff and students locked out.  The method of attack was through unauthorised access to password information.  The UWA’s response was to lock out and reset passwords of students, staff and visitors.  At this stage the UWA admits to no data being stolen or ransomware being installed.  

The data breach has also been reported by News.com.au, iTnews and cyber daily.

The statement from UWA is cryptic to say the least. It provides:

The ABC article Read the rest of this entry »

Given the scope and sensitivity of the personal information lost in the Genea data breach it is hardly surprising that a number of firms, 3 at last count, are considering class actions. This looming herd/charge of class actions is covered by Nine with ‘Reopened those wounds’: IVF patients to sue clinic over data breach and the Sydney Morning Herald with ‘Emotionally devastating’: Victims of IVF data breach seeking class action. It is always difficult to predict what will or won’t be pleaded in class actions but the issues that are clearly relevant revolve around obligation to keep confidential material safe and secure and what steps were taken to keep the personal information secure. There may be issues relating to misrepresentations and perhaps breach of contract.  

The SMH article provide:

Read the rest of this entry »

It doesn’t rain for Optus. It poors. Optus announced on 22 September 2022 that it suffered a major data breach. On 21 April 2023 Slate and Gordon filed a class action in the Federal Court of Australia with PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS. It is scheduled to have a case management hearing on 15 August 2025. In June 2025 Optus paid $100 million penalty for unconscionable conduct.

The Australian Information Commissioner has announced that it has filed civil penalty proceedings against Singtel Optus Limited and Optus Systems Pty Ltd arising out of the 2022 data breach. The reference is AUSTRALIAN INFORMATION COMMISSIONER v SINGTEL OPTUS PTY LIMITED (ACN 052 833 208) & ANOR with Court number VID 1019/2025. The Information Commissioner is represented by the Australian Government Solicitor. Previously it was represented by HWL Ebsworth. A concise statement and Originating Application were filed last Friday, 8 August 2025. The First Case Management Hearing will be head before Justice Beach this Friday, 15 August 2025. That day will be a very busy day for Optus.

A key issue is the reasonableness of Its cybersecurity having regard to its size and the nature of the data it possessed.

The statement from the Information Commissioner provides:

The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022.

The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. Read the rest of this entry »

Google has suffered a data breach by the notorious Shinyhunters, which it classified as UNC6040. It is reported by Bleeping Computer with Google confirms data breach exposed potential Google Ads customers’ info and Google suffers data breach in ongoing Salesforce data theft attacks. What is interesting is that the hackers targeted employees in voice phishing, known as vishing. An attack via social engineering. Much like the now infamous Qantas data breach. 

The Google suffers data breach article provides:

Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group.

In June, Google warned that a threat actor they classify as ‘UNC6040′ is targeting companies’ employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent the data from being leaked.

In a brief update to the article last night, Google said that it too fell victim to the same attack in June after one of its Salesforce CRM instances was breached and customer data was stolen.

“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations,” reads Google’s update. Read the rest of this entry »

The National Institute of Science and Technology’s guidelines and other publications are used as best practice standards for industry. It’s publications and standards are referenced by privacy regulators. For good reason. It has just released the Cybersecurity and Privacy of Genomic Data.

The Project Overview Read the rest of this entry »

The city of Hamilton in the United States was hit by a ransomware attack in February 2025. The cost of the ransomware attack is $18.3 million. The attack disabled nearly 80% of the city’s network. So far, not so unusual. Where this story falls into the category of salutory lesson is that Hamilton’s insurance declined cover. The reason for that was that Hamilton failed to implement multi factor authentication for on line services at the time of the attack. Data breach reports that ransomware is a growing problem with On the Rise: Ransomware Victims, Breaches, Infostealers.

Cyber insurance has become an important part of the protections organisations use to deal with the consequences of a data breach.  Insurance policies almost always have terms requiring implementation of processes, provision of hardware and other things related to providing protection against threat.  Hamilton didn’t have a basic level of Read the rest of this entry »

De identification of personal information is critically important where data is being used for research. It has also been the subject of great scrutiny by regulators. The Victorian Information Commissioner produced a paper on the limits of de identification after it found that Public Transport Victoria breached myki users privacy by releasing data which exposed myki users’ travel history which the PTV claimed to have de identified. Academics from Melbourne University proved it wrong as they were able to identify the travel history of themselves and others. Apart from being a breach of the Privacy and Data Protection Act Victoria it was embarrassing given the negative publicity. The Federal Office of the Information Commissioner released general advice about de identification. On 19 September 2024 Crikey published Australia’s biggest medical imaging lab is training AI on its scan data. Patients have no idea.  The nub of the article is that I-MED “handed over” scans of thousands of patients to a start up company, Harrison.ai, which will use that data to train artificial intelligence.  It posed the question of how the data could e legally used and disclosed to Harrison.ai.  It made a number of valid points about the generally cavalier manner health organisations treat personal information.  The Privacy Commissioner responded with an investigation.  The Privacy Commissioner has closed an investigation regarding the transfer of data and issued a report. 

The key elements of the report are:

• paragraph 4.2 which sets out the usual two steps of de identification being the removal of personal identifiers and removing or altering other information which may allow a person to be identified;
• paragraph 5.1 the process adopted by I- MED which involved
  • segregating the patient data from the underlying dataset,
  • scanning the records with text recognition software,
  • using two hashing techniques (for unique identifiers such as patient ID numbers, and names, addresses and phone numbers),
  • time-shifting dates (to a random date within a specified number of years),
  • aggregating certain fields into large cohorts to avoid identification of outliers, and
  • redacting any text that appears within or within 10% from the boundary of an image scan.
• paragraph 6.1 the appropriate de identification practices identified by NIST being:
  • utilising of the 5-Safes Principles,
  • ensuring separation of the Annalise.ai and I-MED environments,
  • utilising a ‘Data Use Agreement Model’,
  • imposing prescriptive de-identification standards,
  • removing or transforming all direct identifiers, and
  • utilising top and bottom coding and aggregation of outliers.
• paragraph 6.2 while some personal information was provided to Annalise.ai and therefore shared in error due to failures in the de identification process it was remedied.

it is interesting to note that there were data breaches but not notified to the Privacy Commissioner until after she commenced her preliminary investigation.  That is Read the rest of this entry »

As is commonly the case data breaches have serious consequences. So it is with Tea. It suffered a very significant data breach involving very sensitive information. Thousands of images, posts and comments have been stolen. The BBC reports in Dating safety app Tea suspends messaging after hack that Tea has turned off messaging on the app. Given the nature of the app that is significant.  It suggests a lack of certainty that the threat has been removed.  The story also suggests that Tea is well behind on identifying the extent of the hack.  When a company says Read the rest of this entry »

The first reported threat to use the statutory tort of serious invasion of privacy has been made by Sam and Brittan Groth relating to 2 Herald Sun articles. The nub of the articles, as far as the Groths are concerned, relates to how and when Sam Groth began his relationship with Brittany Groth. The story is covered by the Guardian in Victorian Liberal deputy Sam Groth and wife threaten defamation and privacy action over News Corp stories and the Age with Liberal deputy Sam Groth to test new privacy laws over ‘malicious gossip’.The Age story goes into much more detail about the nature of the allegations contained in the Herald Sun article.  The Age also provides a quasi guide to the elements of a statutory tort of invasion of privacy.  It is incomplete and in part misleading.  It states that journalists have a defence.  It is more than that.  It is an exemption.  In these circumstances it revolves around the scope and operation of section 15 of Schedule 2 of the Privacy Act 1988.

Under Section 15(1) the tort does not apply to an invasion of privacy where that invasion “.. involves the collection, preparation for publication or publication of journalistic material” by a journalist or an employer of a journalist.  A journalist is defined in section 15(2) as being someone who:

  (a)   works in a professional capacity as a journalist; and

  (b)   is subject to:

  (i)   standards of professional conduct that apply to journalists; or

  (ii)   a code of practice that applies to journalists.

Section 15(3) defines journalistic material as being Read the rest of this entry »

Metricon Homes has been hit with a ransomware attack by Qilin. Qilin is a cyber criminal organisation that operates as a ransomware as a service whose modus operandi is to seize data and threaten to publish it on its Dedicated Leak Site (“DLS”) which is hosted on Tor. It was first detected in July 2022. It operates Agenda ransomware which supports multiple encryption modes. it targets large enterprises and its usal mode of entry is through phishing or spear phishing emails. It also has accessed exposed application such Citrix and remote destop protocol. As an aside “qilin” refers to a mythical creature in Chinese folklore, often described as a hooved, chimerical beast with a mix of dragon, deer, and ox features. It’s a symbol of good omens, prosperity, and wisdom, and is said to appear during times of peace, prosperity, or the presence of a sage or benevolent ruler. Notwithstanding the Chinese symbolism Qilin is a Russian Speaking group. It is quite effective. Cyberdaily reports that Metricon has confirmed an attack by Qinlin. Metricon has released a statement, of sorts, which says not much of anything. Definitely not best practice. Apparently other statements have been released but not accessible to the general public yet.  Cyberdaily’s description of Qinlin’s communciation is consistent with its usual practice.  

It is much too early to common on the how the breach occurred, and by the look of it Metricon will be parsimonious with information.  But given Qinlin is known for phishing and spear phishing it is a timely reminder for companies to properly train staff and IT Read the rest of this entry »