September 27, 2022
The Optus Hacker has upended the script. Traditionally a hacker steals data or locks up the data of a hapless organisation and demands payment for return/non publication of the data or the key to the locked data. And that is how it was playing out until today. After the release of personal information relating to 10,000 individuals with a demand that if a ransom of $1.5million is not paid then a further release of information would be forthcoming the hacker changed his (and it almost is a man) mind and deleted links to the released personal information and apologised for attempting to sell the data. In addition to the personal data of customers the hacker had email addresses from the defence and prime minister’s office.
The Guardian cover this extraordinary twist in Read the rest of this entry »
Posted in Privacy
|
Post a comment »
The question of whether the hackers who stole personal information of almost 10 million current and former Optus customers were criminals motivated by money or state based operatives has been resolved. It was criminals. The hackers have released personal information of 10,000 individuals and have promised to release details of 10,000 more people each day for the next four days until the hackers demands have been met. It is reported in the Australian at Details of 10,000 Optus customers released. It Read the rest of this entry »
Posted in Privacy
|
Post a comment »
September 26, 2022
Optus’s woes continues. This time the Minister for Home Affairs has taken issue with Optus over its cyber security and response to the data breach in a none too subtle answer to a Dorothy Dixer in the House of Representatives today. It is hardly surprising. Optus has handled a particularly difficult situatio particularly badly. For an organisation of its size and no doubt understanding of what happens in other parts of the world its response to the data breach has been ponderous, vague, defensive, apparently aggressive when dealing with frustrated consumers and lacking transparency. If there was a data breach response plan it was thrown out the window late last week and replaced with not much at all.
The Hansard of Ms O’Neil’s answer Read the rest of this entry »
Posted in Privacy
|
Post a comment »
Rolling out a data breach response is something of a art form in the United States where mandatory data breach notification laws have been part of the regulatory landscape in most states of the Union. Certain types of data breaches, notably involving health information, attract mandatory notifications. Letters to customers and plans to remediate damage are carefully drafted. Australia has no such long term history of being required to respond to data breaches and even under the Breach Notification Regime in Australia notices to clients/consumers/members is not mandatory. It might not even be mandatory to notify the Information Commissioner. The organisation has to make that determination based on the list of factors in Part IIIC of the Privacy Act,
So far Optus is demonstrating how a data breach should not be handled. It dawdled in sending notices, the notice itself was poorly drafted and provided no assistance beyond suggesting customers keep a look out and check various sites.
The media is reporting on annoyance and frustration by customers with the Sydney Morning Herald reporting Frustrated Optus customers get the run around, 2GB’s Optus struggles to explain their data breach in trainwreck interview and Optus customers frustrated after compensation requests denied, phone number change not possible. All of this suggests that Optus either had no or an inadequate data breach notification plan and if it did it didn’t test it with simulations. Data breach plans or incident plans are very important in competently dealing with a data breach. Having a team which can put into place a response is critical.
The examples Read the rest of this entry »
Posted in Privacy
|
Post a comment »
Over the many years I have written about privacy and cyber security (as well as commercial and defamation law) I have never cease to be amazed how organisations blithely accept the risk of a data breach through poor privacy and cyber security practices given the jaw dropping costs of remediation after such a breach. Bringing in a range of experts to assess the damage, locate the cause of the breach, work with the regulators and then deal with litigation by those regulators or disgruntled customers can run up a cost of hundreds of thousands of dollars and often millions.
IBM’s Cost of a Data Breach Report for 2022 highlights the poor state of readiness of many companies with Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
September 25, 2022
When hackers steal data they commonly do it for a reason. The days of student hackers breaching cyber defences for the fun of it are long gone. They have been more a product of Hollywood than reality, with some notable long ago exceptions. Similarly white hat hackers don’t find vulnerabilities and then steal data. They typically find the vulnerability and then notify the company. The Optus breach is more in line with either criminals aiming to turn the product of their theft into money or state based hackers whose aims and motivations are more complicated; disruption, obtaining intelligence data on individuals, data to be used for identity theft and for use in conjunction with other data. State based actors take a much longer view than criminals. There is some evidence that the data, or at least some of it, is being offered for sale on the dark net.
The data breach story has now moved into its second phase, where interested parties use it to push their agendas. The Telcos are making its clear that their compliance obligations in retaining meta data are contributing to privacy breaches. Doubtful. They may contribute to compliance costs and definitely make the consequences of a data breach more significant. So much more to steal (if not properly protected that is). But they do not weaken cyber security defences in and of themselves. There is a real issue about excessive legal requirements to obtain and retain personal information. And the meta data retention laws require telcos to retain masses of data for longer than they would need them not to mention these laws are a continuing pernicious blight on liberal democracy, giving agencies a right to access meta data without a warrant. There is also the general preference for companies to collect and store more personal information than they need and for as long as they can as the Age notes in an opinion piece No, Optus doesn’t need to keep your sensitive information for so long. But none of that is not a cyber security issue, as in protecting personal information from criminal actors. While there may be some regulatory overload on telcos any sympathy must be tempered by the fact that cyber security is a separate issue. The protection of data (even that retained reluctantly) is possible with proper cyber security systems, proper protocols and adequate training. None of which is in abundant supply. Companies give too little emphasis on privacy and spend the bare minimum, often less. Unlike the United States and the United Kingdom, data breaches in Australia do not bring a serious regulatory response by way of civil proceedings, fines or enforceable undertakings. If the worst case scenario from a data breach is a tepid and muted regulatory response and some reputational damage what is the incentive for a company to seriously get its house in order.
According to the ABC the Government is going to legislate to require financial institutions of data breaches. The Australian runs a similar story as well. This is dealing with symptoms not problems and makes a complicated but ineffective privacy regime even more cumbersome.
The ABC story provides:
The Home Affairs Minister is soon expected to announce several new security measures following the massive Optus data breach that saw hackers steal the personal details of up to 9.8 million Australians.
On Saturday, Clare O’Neil and several of her federal ministerial colleagues met with the Australian Signals Directorate and the Cyber Security Centre to discuss the fallout from the devastating cyber-hack.
Under the changes to be announced in coming days, banks and other institutions would be informed much faster when a data breach occurs at a company like Optus, so personal data can’t be used to access accounts.
The ABC has been told the first step to occur will be directing Optus to hand over customer data to the banks so financial institutions can upgrade security and monitor customers who’ve had their personal details stolen. Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
September 24, 2022
Every data breach is different. There are different types of attacks, through third party vendors, stolen access credentials, zero day vulnerabilities or a failure to patch cyber defences. What has been released to the public is that there was a weakness in the firewall, a vague description that could mean almost anything. What is not made clear is what defences behind the firewall were in place and were they working. Did Optus have programs running which detected unusual activity within the system? What about defences protecting the data itself. Was there any detection of exfiltration? A surge of activity involving a large volume of data should be detected if there are programs in place and proper procedures.
The breakdown of the breaches, in broad terms are:
- exposed passport, driver’s licence and phone numbers, email and home addresses and dates of birth of 2.8 million customers
- dates of birth, email addresses and phone numbers of another 7 million customers.
Optus’s response to the data breach has been something of a curate’s egg; good in parts.
Optus has adopted a personal approach in response to the breach. A personal mea culpa by the Optus Chief Kelly Bayer as reported by the Australian in Optus chief Kelly Bayer Rosmarin apologises for massive hack that could date to 2017. It provides:
Optus chief executive Kelly Bayer Rosmarin has delivered an emotional apology for the company’s data breach which has affected up to nine million of the telco’s customers.
Fronting the media on Friday Bayer Rosmarin was on the verge of tears when asked how she feels about the data breach occurring under her leadership.
It is understood personal details dating back to 2017, and with possible links to Europe, may have been accessed in the hacking attack.
“[I feel] terrible,” Ms Bayer Rosmarin told reporters.
“It’s a mix of emotions. Obviously, I’m angry, that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it. I’m disappointed that it undermines all the great work we’ve been doing to be a pioneer in this industry and really trying to create new and wonderful experiences for our customers. Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
September 23, 2022
Optus suffered a massive data breach through a cyber attack two days ago. The biggest in Australian history involving Australian data. Optus released a media release about it yesterday. The compromised data included names, dates of birth, drivers licences and passport numbers. The sort of information which would allow a hacker to attempt identity theft. Very saleable data on the dark web.
A curious aspect of this incident is that some of that data related to former customers. It will be interesting to see how far back that data goes. Why it is necessary to hold onto former customers of many years back? That may be a breach of the Australian Privacy Principles.
With access to key data, including emails, the danger to customers affected is phishing attacks and attempts at identity theft rather than immediate danger that Optus phone or email data will be used or the services disrupted. There is little wonder that the media is reporting a heightened risk of fraud against those affected. The breach did not include payment details and account passwords.
Optus has notified the Information Commissioner. One issue to resolve is what notification will be provided to affected Optus customers. Australian notifications are rarely as open and expansive as those issued in the United States where mandatory data breach notification has been part of the regulatory environment in most states. Notices by affected organisations in the United States are more candid (though not providing all details for obvious reasons) and contrite and commonly more generous in offering support. That is good business.
In its own review and probably under scrutiny of the Commissioner there will be a careful analysis of the effectiveness of Optus’s Data Breach Response Plan. In my experience Australian organisations put less than optimal effort into preparing for a data breach. Similarly the response to a data breach is too often marked by improvisation than following a plan.
Optus issued a media release today at 2pm titled Optus notifies customers of cyberattack compromising customer information. It Read the rest of this entry »
Posted in Practical issues, Privacy
|
Post a comment »
September 20, 2022
The National Institute of Standards and Technology (“NIST”) has released NIST has released NIST Internal Report (IR) 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight. It is a particularly useful and practical report. In short compass it describes ways to combine risk information across an enterprise. In this way there is integration of risk information issues which permits proper decision making and monitoring.
The report creates an enterprise risk profile (ERP) that supports the comparison and management of cyber risks.
The Abstract provides:
This document is the third in a series that supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional details regarding the enterprise application of cybersecurity risk information; the previous documents, NISTIRs 8286A and 8286B, provided details regarding stakeholder risk direction and methods for assessing and managing cybersecurity risk in light of enterprise objectives. NISTIR 8286C describes how information, as recorded in cybersecurity risk registers (CSRRs), may be integrated as part of a holistic approach to ensuring that risks to information and technology are properly considered for the enterprise risk portfolio. This cohesive understanding supports an enterprise risk register (ERR) and enterprise risk profile (ERP) that, in turn, support the achievement of enterprise objectives.
This guide is of particular use for privacy practitioners. It discusses Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
September 11, 2022
The United States National Security Agency (“NSA”) has released its Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) Cybersecurity Advisory . It notifies National Security Systems operators of the requirement to have quantum-resistant algorithms, being networks which contain classified information or are otherwise critical to military or intelligence activities. A cryptanalytically relevant quantum computer would have the potential to break public-key systems so that it is necessary to plan, prepare, and budget for a transition to QR algorithms if cryptanalytically relevant quantum computers become a reality.
The media release Read the rest of this entry »
Posted in Privacy
|
Post a comment »