August 10, 2025
It doesn’t rain for Optus. It pours. Optus announced on 22 September 2022 that it had suffered a major data breach. On 21 April 2023 Slater and Gordon filed a class action in the Federal Court of Australia, PETER JULIAN ROBERTSON & ANOR v SINGTEL OPTUS PTY LIMITED ACN 052 833 208 & ORS. It is scheduled to have a case management hearing on 15 August 2025. In June 2025 Optus paid a $100 million penalty for unconscionable conduct.
The Australian Information Commissioner has announced that it has filed civil penalty proceedings against Singtel Optus Limited and Optus Systems Pty Ltd arising out of the 2022 data breach. The reference is AUSTRALIAN INFORMATION COMMISSIONER v SINGTEL OPTUS PTY LIMITED (ACN 052 833 208) & ANOR, Court number VID 1019/2025. The Information Commissioner is represented by the Australian Government Solicitor. Previously it was represented by HWL Ebsworth. A concise statement and Originating Application were filed last Friday, 8 August 2025. The First Case Management Hearing will be heard before Justice Beach this Friday, 15 August 2025. That day will be a very busy day for Optus.
A key issue is the reasonableness of its cybersecurity having regard to its size and the nature of the data it possessed.
The statement from the Information Commissioner provides:
The Australian Information Commissioner (AIC) has filed civil penalty proceedings in the Federal Court against Singtel Optus Pty Limited and Optus Systems Pty Limited (together, Optus), following an investigation in relation to the data breach made public by Optus on 22 September 2022.
The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web.
Posted in Commonwealth Privacy Commissioner, Privacy
Google has suffered a data breach by the notorious ShinyHunters, which it classifies as UNC6040. It is reported by Bleeping Computer in Google confirms data breach exposed potential Google Ads customers’ info and Google suffers data breach in ongoing Salesforce data theft attacks. What is interesting is that the hackers targeted employees with voice phishing, known as vishing: an attack via social engineering, much like the now infamous Qantas data breach.
The Google suffers data breach article provides:
Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group.
In June, Google warned that a threat actor they classify as ‘UNC6040’ is targeting companies’ employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent the data from being leaked.
In a brief update to the article last night, Google said that it too fell victim to the same attack in June after one of its Salesforce CRM instances was breached and customer data was stolen.
“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations,” reads Google’s update.
Posted in Privacy
The National Institute of Science and Technology’s guidelines and other publications are used as best practice standards for industry. Its publications and standards are referenced by privacy regulators, for good reason. It has just released the Cybersecurity and Privacy of Genomic Data.
The Project Overview
Posted in Privacy
August 7, 2025
The city of Hamilton in the United States was hit by a ransomware attack in February 2025. The cost of the ransomware attack is $18.3 million. The attack disabled nearly 80% of the city’s network. So far, not so unusual. Where this story falls into the category of salutary lesson is that Hamilton’s insurer declined cover. The reason was that Hamilton had failed to implement multi-factor authentication for online services at the time of the attack. Data breach reports that ransomware is a growing problem in On the Rise: Ransomware Victims, Breaches, Infostealers.
Cyber insurance has become an important part of the protections organisations use to deal with the consequences of a data breach. Insurance policies almost always have terms requiring the implementation of processes, the provision of hardware and other things related to providing protection against threats. Hamilton didn’t have a basic level of
Posted in Privacy
De-identification of personal information is critically important where data is being used for research. It has also been the subject of great scrutiny by regulators. The Victorian Information Commissioner produced a paper on the limits of de-identification after it found that Public Transport Victoria breached myki users’ privacy by releasing data which exposed myki users’ travel history and which PTV claimed to have de-identified. Academics from Melbourne University proved it wrong, as they were able to identify the travel history of themselves and others. Apart from being a breach of the Privacy and Data Protection Act Victoria, it was embarrassing given the negative publicity. The Federal Office of the Information Commissioner released general advice about de-identification. On 19 September 2024 Crikey published Australia’s biggest medical imaging lab is training AI on its scan data. Patients have no idea. The nub of the article is that I-MED “handed over” scans of thousands of patients to a start-up company, Harrison.ai, which will use that data to train artificial intelligence. It posed the question of how the data could be legally used and disclosed to Harrison.ai. It made a number of valid points about the generally cavalier manner in which health organisations treat personal information. The Privacy Commissioner responded with an investigation. The Privacy Commissioner has now closed that investigation regarding the transfer of data and issued a report.
The key elements of the report are:
- paragraph 4.2, which sets out the usual two steps of de-identification: removing personal identifiers, and removing or altering other information which may allow a person to be identified;
- paragraph 5.1, the process adopted by I-MED, which involved:
  - segregating the patient data from the underlying dataset,
  - scanning the records with text recognition software,
  - using two hashing techniques (for unique identifiers such as patient ID numbers, and for names, addresses and phone numbers),
  - time-shifting dates (to a random date within a specified number of years),
  - aggregating certain fields into large cohorts to avoid identification of outliers, and
  - redacting any text that appears within an image scan or within 10% of its boundary;
- paragraph 6.1, the appropriate de-identification practices identified by NIST, being:
  - utilising the 5-Safes Principles,
  - ensuring separation of the Annalise.ai and I-MED environments,
  - utilising a ‘Data Use Agreement Model’,
  - imposing prescriptive de-identification standards,
  - removing or transforming all direct identifiers, and
  - utilising top and bottom coding and aggregation of outliers;
- paragraph 6.2: while some personal information was provided to Annalise.ai, and therefore shared in error due to failures in the de-identification process, it was remedied.
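The paragraph 5.1 steps sketched in Python, as an added example rather than I-MED’s or the report’s own code: a keyed hash replaces identifiers (two domains, one for IDs and one for contact details), dates are shifted by a per-patient offset so intervals between a patient’s studies survive, ages are banded with top coding, and known identifiers are scrubbed from report text as a stand-in for the OCR redaction step. The record, the key and the two-year shift window are constructed assumptions.

```python
import hmac, hashlib
from datetime import date, timedelta

# Constructed sample record; no real patient data.
RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Citizen", "phone": "0400 000 000",
    "study_date": "2023-03-14", "age": 97,
    "report_text": "Patient Jane Citizen (P-0001), ph 0400 000 000. No acute abnormality.",
}

# Assumption: the key stays in the segregated source environment, never with the recipient.
SECRET_KEY = b"constructed-example-key"

def pseudonymise(value: str, domain: str) -> str:
    """Keyed hash (HMAC-SHA256): a recipient cannot recompute or reverse it without the key."""
    mac = hmac.new(SECRET_KEY, f"{domain}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def shift_offset_days(patient_id: str, max_years: int = 2) -> int:
    """Random-looking but fixed per patient, so intervals between that patient's studies survive."""
    seed = hmac.new(SECRET_KEY, f"shift:{patient_id}".encode(), hashlib.sha256).digest()
    span = 365 * max_years
    return int.from_bytes(seed[:4], "big") % (2 * span) - span

def shift_date(iso_date: str, patient_id: str) -> str:
    return (date.fromisoformat(iso_date) + timedelta(days=shift_offset_days(patient_id))).isoformat()

def code_age(age: int, top: int = 90) -> str:
    """Ten-year bands with top coding, so an outlier age cannot single a person out."""
    if age >= top:
        return f"{top}+"
    low = age // 10 * 10
    return f"{low}-{low + 9}"

def redact_text(text: str, record: dict) -> str:
    """Stand-in for the OCR redaction step: scrub the known identifiers from report text."""
    for field in ("name", "patient_id", "phone"):
        text = text.replace(record[field], "[REDACTED]")
    return text

def deidentify(record: dict) -> dict:
    pid = record["patient_id"]
    return {
        "patient_token": pseudonymise(pid, "id"),
        "contact_token": pseudonymise(f"{record['name']}|{record['phone']}", "contact"),
        "study_date": shift_date(record["study_date"], pid),
        "age_band": code_age(record["age"]),
        "report_text": redact_text(record["report_text"], record),
    }
```

Hashing alone is not de-identification: the banding, date shifting and redaction are what stop the remaining fields from re-identifying an outlier, which is the gap the report found at paragraph 6.2.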
It is interesting to note that there were data breaches, but they were not notified to the Privacy Commissioner until after she commenced her preliminary investigation. That is
Posted in Privacy
July 30, 2025
As is commonly the case, data breaches have serious consequences. So it is with Tea. It suffered a very significant data breach involving very sensitive information. Thousands of images, posts and comments have been stolen. The BBC reports in Dating safety app Tea suspends messaging after hack that Tea has turned off messaging in the app. Given the nature of the app, that is significant. It suggests a lack of certainty that the threat has been removed. The story also suggests that Tea is well behind in identifying the extent of the hack. When a company says
Posted in Privacy
The first reported threat to use the statutory tort of serious invasion of privacy has been made by Sam and Brittany Groth relating to two Herald Sun articles. The nub of the articles, as far as the Groths are concerned, relates to how and when Sam Groth began his relationship with Brittany Groth. The story is covered by the Guardian in Victorian Liberal deputy Sam Groth and wife threaten defamation and privacy action over News Corp stories and by the Age in Liberal deputy Sam Groth to test new privacy laws over ‘malicious gossip’. The Age story goes into much more detail about the nature of the allegations contained in the Herald Sun article. The Age also provides a quasi-guide to the elements of the statutory tort of invasion of privacy. It is incomplete and in part misleading. It states that journalists have a defence. It is more than that. It is an exemption. In these circumstances it revolves around the scope and operation of section 15 of Schedule 2 of the Privacy Act 1988.
Under section 15(1) the tort does not apply to an invasion of privacy where that invasion “… involves the collection, preparation for publication or publication of journalistic material” by a journalist or an employer of a journalist. A journalist is defined in section 15(2) as someone who:
(a) works in a professional capacity as a journalist; and
(b) is subject to:
    (i) standards of professional conduct that apply to journalists; or
    (ii) a code of practice that applies to journalists.
Section 15(3) defines journalistic material as being
Posted in Privacy
Metricon Homes has been hit with a ransomware attack by Qilin. Qilin is a cyber criminal organisation that operates as ransomware as a service; its modus operandi is to seize data and threaten to publish it on its Dedicated Leak Site (“DLS”), which is hosted on Tor. It was first detected in July 2022. It operates Agenda ransomware, which supports multiple encryption modes. It targets large enterprises and its usual mode of entry is through phishing or spear phishing emails. It has also accessed exposed applications such as Citrix and Remote Desktop Protocol. As an aside, “qilin” refers to a mythical creature in Chinese folklore, often described as a hooved, chimerical beast with a mix of dragon, deer and ox features. It is a symbol of good omens, prosperity and wisdom, and is said to appear during times of peace and prosperity or in the presence of a sage or benevolent ruler. Notwithstanding the Chinese symbolism, Qilin is a Russian-speaking group. It is quite effective. Cyberdaily reports that Metricon has confirmed an attack by Qilin. Metricon has released a statement, of sorts, which says not much of anything. Definitely not best practice. Apparently other statements have been released but are not accessible to the general public yet. Cyberdaily’s description of Qilin’s communication is consistent with its usual practice.
It is much too early to comment on how the breach occurred, and by the look of it Metricon will be parsimonious with information. But given Qilin is known for phishing and spear phishing, it is a timely reminder for companies to properly train staff and IT
Posted in Privacy
July 29, 2025
Third party access by hackers is so widespread as to be almost ubiquitous. Scattered Spider is so prolific these days in hacking high value companies that it, too, is almost ubiquitous. Both are present in the dispute in the USA between Clorox, a large manufacturer of disinfectant and bleach, and Cognizant, a large IT service provider.
In August 2023 Clorox first disclosed to the SEC that it had suffered a data breach which would disrupt parts of its operations. The cyber attack damaged part of its IT infrastructure, which led to disruption of signature products and forced it to process orders manually. In a filing with the SEC a month later Clorox advised that the hack had caused lower production rates and predicted that its sales would be 23 – 28% down, as well as a loss of share price ranging from 35 – 75 cents, processing delays and product outages. As at November 2023 it estimated that it had suffered damages of $358 million. The cause of the data breach was access via its IT provider, Cognizant. Clorox alleges a hacker rang up staff at Cognizant and asked for Clorox’s system login, and it was provided. It has issued proceedings in the California Superior Court.
Bleeping Computer reports in Hackers fooled Cognizant help desk, says Clorox in $380M cyberattack lawsuit that Clorox alleges that Cognizant fell for social engineering by a hacker without verifying the caller’s actual identity. The claim alleges that Cognizant didn’t follow the proper procedures and in fact reset credentials multiple times without identity verification. What makes this case interesting is that Cognizant is defending the claim quite aggressively and alleges that Clorox had inept internal cybersecurity and failed to mitigate the attack. It also alleges that the scope of the engagement between Clorox and Cognizant was narrow and confined to help desk services, which Cognizant reasonably performed. As such there will be issues of contract, tort and mitigation of damages.
While the proceeding will be conducted in California the principles that will be the subject of dispute are applicable in Australia under Australian law. It is worth following this case closely.
The Bleeping Computer article provides:
Clorox is suing IT giant Cognizant for gross negligence, alleging it enabled a massive August 2023 cyberattack by resetting an employee’s password for a hacker without first verifying their identity.
The incident was first made public in September 2023, reportedly carried out by hackers associated with Scattered Spider, who utilized a social engineering attack to breach the company.
Posted in Privacy, Torts
Today the OAIC released its regulatory action priorities for 2025–26. In the privacy sphere the Commissioner states that it is:
Rebalancing power and information asymmetries
The OAIC will focus on sectors and technologies that compromise rights and create power and information imbalances including:
- the rental and property, credit reporting and data brokerage sectors
- advertising technology (Ad tech) such as pixel tracking
- practices that erode information access and privacy rights in the application of artificial intelligence
- excessive collection and retention of personal information
- systemic failures to enable timely access to government information
Rights preservation in new and emerging technologies
The OAIC will protect and uphold privacy and information access rights when dealing with new and emerging technologies with high impact, including:
- facial recognition technology and forms of biometric scanning
- new surveillance technologies such as location data tracking in apps, cars and other devices
- the preservation of both privacy and information access rights in government use of artificial intelligence and automated decision making.
It is interesting to note that the Commissioner has previously flagged a focus on data collection by cars. The Commissioner has already taken action in relation to facial recognition technology.
The media release
Posted in Commonwealth Privacy Commissioner, Privacy