September 24, 2022
Every data breach is different. There are different types of attacks, through third party vendors, stolen access credentials, zero day vulnerabilities or a failure to patch cyber defences. What has been released to the public is that there was a weakness in the firewall, a vague description that could mean almost anything. What is not made clear is what defences behind the firewall were in place and were they working. Did Optus have programs running which detected unusual activity within the system? What about defences protecting the data itself. Was there any detection of exfiltration? A surge of activity involving a large volume of data should be detected if there are programs in place and proper procedures.
The breakdown of the breaches, in broad terms are:
- exposed passport, driver’s licence and phone numbers, email and home addresses and dates of birth of 2.8 million customers
- dates of birth, email addresses and phone numbers of another 7 million customers.
Optus’s response to the data breach has been something of a curate’s egg; good in parts.
Optus has adopted a personal approach in response to the breach. A personal mea culpa by the Optus Chief Kelly Bayer as reported by the Australian in Optus chief Kelly Bayer Rosmarin apologises for massive hack that could date to 2017. It provides:
Optus chief executive Kelly Bayer Rosmarin has delivered an emotional apology for the company’s data breach which has affected up to nine million of the telco’s customers.
Fronting the media on Friday Bayer Rosmarin was on the verge of tears when asked how she feels about the data breach occurring under her leadership.
It is understood personal details dating back to 2017, and with possible links to Europe, may have been accessed in the hacking attack.
“[I feel] terrible,” Ms Bayer Rosmarin told reporters.
“It’s a mix of emotions. Obviously, I’m angry, that there are people out there that want to do this to our customers. I’m disappointed that we couldn’t have prevented it. I’m disappointed that it undermines all the great work we’ve been doing to be a pioneer in this industry and really trying to create new and wonderful experiences for our customers. Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
September 23, 2022
Optus suffered a massive data breach through a cyber attack two days ago. The biggest in Australian history involving Australian data. Optus released a media release about it yesterday. The compromised data included names, dates of birth, drivers licences and passport numbers. The sort of information which would allow a hacker to attempt identity theft. Very saleable data on the dark web.
A curious aspect of this incident is that some of that data related to former customers. It will be interesting to see how far back that data goes. Why it is necessary to hold onto former customers of many years back? That may be a breach of the Australian Privacy Principles.
With access to key data, including emails, the danger to customers affected is phishing attacks and attempts at identity theft rather than immediate danger that Optus phone or email data will be used or the services disrupted. There is little wonder that the media is reporting a heightened risk of fraud against those affected. The breach did not include payment details and account passwords.
Optus has notified the Information Commissioner. One issue to resolve is what notification will be provided to affected Optus customers. Australian notifications are rarely as open and expansive as those issued in the United States where mandatory data breach notification has been part of the regulatory environment in most states. Notices by affected organisations in the United States are more candid (though not providing all details for obvious reasons) and contrite and commonly more generous in offering support. That is good business.
In its own review and probably under scrutiny of the Commissioner there will be a careful analysis of the effectiveness of Optus’s Data Breach Response Plan. In my experience Australian organisations put less than optimal effort into preparing for a data breach. Similarly the response to a data breach is too often marked by improvisation than following a plan.
Optus issued a media release today at 2pm titled Optus notifies customers of cyberattack compromising customer information. It Read the rest of this entry »
Posted in Practical issues, Privacy
|
Post a comment »
September 20, 2022
The National Institute of Standards and Technology (“NIST”) has released NIST has released NIST Internal Report (IR) 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight. It is a particularly useful and practical report. In short compass it describes ways to combine risk information across an enterprise. In this way there is integration of risk information issues which permits proper decision making and monitoring.
The report creates an enterprise risk profile (ERP) that supports the comparison and management of cyber risks.
The Abstract provides:
This document is the third in a series that supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This series provides additional details regarding the enterprise application of cybersecurity risk information; the previous documents, NISTIRs 8286A and 8286B, provided details regarding stakeholder risk direction and methods for assessing and managing cybersecurity risk in light of enterprise objectives. NISTIR 8286C describes how information, as recorded in cybersecurity risk registers (CSRRs), may be integrated as part of a holistic approach to ensuring that risks to information and technology are properly considered for the enterprise risk portfolio. This cohesive understanding supports an enterprise risk register (ERR) and enterprise risk profile (ERP) that, in turn, support the achievement of enterprise objectives.
This guide is of particular use for privacy practitioners. It discusses Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
September 11, 2022
The United States National Security Agency (“NSA”) has released its Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) Cybersecurity Advisory . It notifies National Security Systems operators of the requirement to have quantum-resistant algorithms, being networks which contain classified information or are otherwise critical to military or intelligence activities. A cryptanalytically relevant quantum computer would have the potential to break public-key systems so that it is necessary to plan, prepare, and budget for a transition to QR algorithms if cryptanalytically relevant quantum computers become a reality.
The media release Read the rest of this entry »
Posted in Privacy
|
Post a comment »
Educational institutions are prime targets for cyber attackers. They hold large volumes of personal information of students and staff and often alumni. They are also notoriously poor at maintaining proper data security. A key response to the coronavirus epidemic by schools was to move to remote learning. That meant greater opportunities for cyber attacks. Attacks on educational institutions this month, so far, include Franklin College in the United States being attacked and personal information of 6,000 students possibly being taken. The Savannah College of Art and Design suffered an attack with personal information being accessed. Someone stole personal information of students who studied there from 1989 to 1999. Why an institution would have that information on its server is a mystery and a failure of proper data management. The stolen data included the names and Social Security numbers of students.
But those breaches were dwarfed by a data breach of the the Los Angeles Unified School District, which enrols 600,000 students. It is the second largest school district in the United States. It has suffered a data breach Data Breach Today reports in Los Angeles School District Hit by Ransomware Attack . It seems that at least 23 sets of credentials were compromised before the attack and offered on the dark web. At least one of those credentials unlocked the account for the school districts virtual public network. Tellingly, last March the FBI Read the rest of this entry »
Posted in Privacy
|
Post a comment »
September 6, 2022
At a time when children’s privacy is top of privacy regulators’ agenda around the world the school administrators in Moorebank have installed fingerprint scanners at their toilets. The rationale, to stop vandalism. A ridiculously out of proportion response to an eternally chronic problem. It brings to mind the saying that the problem with teachers are that they have never left school. Because if this initiative was not so concerning it would be just regarded as juvenile.
According to the State Education Department it is not compulsory to register their fingerprints however the alternative is to get an access card from the office every time a student wants to use the bathroom. What sort of choice is that! Making the alternative difficult and potentially embarrassing effectively restricts the choice. It makes it a non choice. In real terms there is no alternative but to consent for most students. The consultation process, Read the rest of this entry »
Posted in Privacy
|
Post a comment »
The US Federal Trade Commission warned as far back as July that it would focus on illegal sharing of highly sensitive health data. That was preceded with a warning in September 2021 to Health Apps and Connected Device Companies that they had to comply with health breach notification rules. In June 2021 the FTC settled with Flo Health, a fertility tracking app which inappropriately shared sensitive health data with Facebook and Google. On 11 August 2022 the FTC announced it was embarking on commercial surveillance rule making.
In that context it is not surprising that the FTC has commenced proceedings against Kochava for selling data which tracks people when they are involved in sensitive activities, such as attending health clinics and places of worship.
The media release provides:
The Federal Trade Commission filed a lawsuit against data broker Kochava Inc. for selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations. Kochava’s data can reveal people’s visits to reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities. The FTC alleges that by selling data tracking people, Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
Idaho-based Kochava purchases vast troves of location information derived from hundreds of millions of mobile devices. The information is packaged into customized data feeds that match unique mobile device identification numbers with timestamped latitude and longitude locations. According to Kochava, these data feeds can be used to assist clients in advertising and analyzing foot traffic at their stores and other locations. People are often unaware that their location data is being purchased and shared by Kochava and have no control over its sale or use. Read the rest of this entry »
Posted in Big Data, Federal Trade Commission, Privacy
|
Post a comment »
The Irish Data Protection Commission has reportedly fined Instagram 405 million euros for misusing personal information. The mishandling involves publiclly displaying their phone numbers and emails addresses and permitting them to create business accounts.
This represents the second biggest fine by an EU regulator.
The story is covered by the Australian which provides:
Social media platform Instagram has been slapped with a record 405 million euro ($592m) fine by Ireland’s data privacy regulator for mishandling children’s data, publicly displaying their phone number and email addresses.
A 2020 investigation by Ireland’s Data Protection Commission found that children between the ages of 13 and 17 were allowed to create and operate business accounts on the Instagram platform, which published the children’s phone numbers and in some cases email addresses. Read the rest of this entry »
Posted in Privacy
|
Post a comment »
September 4, 2022
The repetition of tens of millions of records being breached each month can have a numbing effect and can lead the reader to be either blase or resigned (they are different) to each installment. It can lead to the wrong attitude that data breaches are inevitable. That old saw is relied on by organisations who don’t like regulation or being made to pay more attention to data security.
It governance has compiled its list of data breaches for August and calculated that 97, 456,345 records were breached in 112 publicly disclosed incidents. The reference to public disclosure is important. There is significant under reporting. Later disclosures by affected organisations and breaches being discovered by third parties (including hackers) provide ample evidence that some organisations try to avoid disclosing breaches when they think they can get away with it. Further, in many cases while the data breach can be established organisations are reluctant to provide information of how many records have been accessed. That makes getting a complete figure a difficult proposition.
For August some of the data breaches:
Read the rest of this entry »
Posted in General, Privacy
|
Post a comment »
It is trite to say that technology has faced outpaced the common law and statute when it comes to regulating surveillance practices. In Australia the Privacy Act 1988 has inadequate coverage with exemptions for journalists and political parties. The Australian Privacy Principles contain exemptions which limit their effectiveness. And finally the regulator is timid. The surveillance devices legislation while technically neutral is drafted for an analog world. Neither legislation nor legislators have considered the impact of persistent surveillance where devices could track individuals throughout the day with the assistance of Artificial Intelligence. It is not a dystopian future. It is real and, again, described in the Wall Street Journal’s article The Two Faces of China’s Surveillance State where the capacity of the State to monitor its citizens is significant which it seeks to use to crush dissent and potential dissent and offer a better future that such overweening controls brings. The first is a human rights abuse as the Office of the High Commissioner on Human Rights report makes clear in OHCHR Assessment of human rights concerns in the Xinjiang Uyghur Autonomous Region, People’s Republic of China while the latter is a Faustian bargain.
Meanwhile in Australia ASIC has found that there is “room for improvement” by life insurers in their use of surveillance. In its review of 4,800 individual disability income insurance claims it found that where physical surveillance was used in mental health claims in half of those instances it was unwarranted. The total sample size was small, a total of 10 instances, but for half to be unwarranted is a concern. Similarly it found that the user of surveillance was unwarranted in 17.5% of cases because the insurer could have at least Read the rest of this entry »
Posted in Privacy
|
Post a comment »