Cybersecurity and Infrastructure Security Agency issues advisory about use of Maui ransomware by North Korean state sponsored cyber hackers

July 8, 2022

It has become trite to say that a significant amount of cyber hacking is undertaken by or with the connivance of state sponsored actors. For example, North Korea was directly responsible for the hack of Sony in 2014, which resulted in half of Sony’s global digital network being destroyed. There are many other instances.

The US Cybersecurity and Infrastructure Security Agency (‘CISA’) has released a joint cybersecurity advisory regarding North Korea’s use of the Maui ransomware to target healthcare and public health sector organisations. Maui ransomware is an encryption binary. It is designed for manual execution by a remote actor, who uses a command-line interface to interact with the malware and to identify the files to encrypt.

Accompanying the advisory is guidance intended to assist in defending against these attacks. There is also a call for critical infrastructure organisations to review and apply the recommended mitigations to reduce the likelihood of compromise from ransomware. Good advice for US organisations and good advice for Australian organisations. State sponsored hackers are equal opportunity criminals.

The press release Read the rest of this entry »

The National Institute of Standards and Technology issues Implementing a Zero Trust Architecture

The National Institute of Standards and Technology (“NIST”) has released a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” for public comment.

This guide summarizes how commercially available technology is being used to develop an interoperable, open standards-based Zero Trust Architecture. Read the rest of this entry »

Hacker steals data of 1 billion citizens of the People’s Republic of China

July 6, 2022

When I first started writing about privacy and data security, data breaches involved low thousands of records compromised. It didn’t take long for data breaches to involve many thousands of records and occasionally over a hundred thousand records. In the last decade the ability and desire of government, organisations and businesses to collect masses of data has increased exponentially. Storage capacity increased, as did the ability to analyse the data with the use of algorithms. Analytics is now a sophisticated discipline and its products have made businesses wealthy. Increased collection, use and storage of data has been matched by increased hacking into systems. Personal information provides valuable source material for identity theft and other forms of fraud. And many businesses and government agencies have traditionally had a terrible record in maintaining proper privacy protections and cyber security systems.

Now data breaches regularly involve millions of records, occasionally tens of millions of records. But not records of a billion people. Until now. Data Breach Today reports in Unknown Hacker Steals Data of 1 Billion Chinese Citizens that a configuration error in Alibaba’s private cloud server resulted in a data breach involving a billion individuals. The data was collected by the Shanghai National Police and taken from its database. The information was a hacker’s dream: names, home addresses, identification numbers and phone numbers. That data, 23 terabytes’ worth, is being offered for sale on a hacker forum for 10 Bitcoin (or over $200,000).

The story has been reported widely, with Reuters, ABC, Bleeping Computer and the Guardian reporting on the breach among many others. China being China, such a bad news story has been censored. This can have the potentially Read the rest of this entry »

The National Institute of Standards and Technology releases Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process

Publications by the National Institute of Standards and Technology (“NIST”) are regarded by many privacy and cyber security practitioners as setting out technical and process standards. That is not a universal view, but given its output it is only a matter of time before it becomes a reality.

NIST has released its Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process.

The first group of algorithms NIST has chosen are designed to withstand the possible assault of a future quantum computer. Quantum computers are likely to become powerful enough to break present-day encryption. That poses a serious threat to information systems. The four selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard. The selected algorithms are for either:

  • general encryption, used to access secure websites; or
  • digital signatures, used to verify identities during a digital transaction or remote signing.

The Abstract Read the rest of this entry »

New version of Privacy (Credit Reporting) Code 2014 took effect on 1 July 2022. More information available to credit providers relating to financial hardship.

July 5, 2022

One of the most significant amendments to the Privacy Act 1988, made in 2014, related to credit reporting. A key element of those amendments was the establishment of credit reporting codes. On 7 June 2022, the Australian Information Commissioner approved a replacement for the Privacy (Credit Reporting) Code 2014 (Version 2.2) by introducing the Privacy (Credit Reporting) Code 2014 (Version 2.3) (Code). Version 2.3 of the Credit Reporting Code was registered on 1 July 2022 and took effect on 1 July 2022.

For anyone practising in privacy law, particularly with a connection to banking and finance, it is worth reviewing the updated Code carefully.

The release Read the rest of this entry »

Australian data is potentially compromised with TikTok’s admission that China can access US data

July 4, 2022

The phrase “six degrees of separation” should be truncated to “one degree of separation” when describing data flows. Personal information of Australians is held by many US companies and organisations courtesy of online shopping, various subscription services and other connections.

The ABC, in Australian user data security in doubt after TikTok admits US data accessible by China, highlights that the vulnerability of data relating to Australians can be as great as that of US individuals where third parties can access the US user data. And US users of TikTok have, or can have, their data accessed by TikTok employees. TikTok admits that its employees in China have access to US user data. If Australian and US data are both stored on the same servers, the likelihood of harm can be as great.

There is a very real concern that norms about accessing information differ between Read the rest of this entry »

34.9 million records compromised in data breaches and cyber attacks in June 2022

IT Governance has identified 80 incidents in June 2022 which resulted in 34,908,053 records being compromised. The types of attacks vary, as does their severity.

Those breaches included:

Read the rest of this entry »

National Institute of Standards and Technology release Applying the Cyber Security Framework for the Responsible Use of Positioning, Navigation and Timing (PNT) Services NISTIR 8323

July 1, 2022

The US President’s Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services, made on February 12, 2020, has had a significant impact on government agencies working on instituting standards to improve cyber security and privacy generally.

The Executive Order specifically stated that “the widespread adoption of PNT services means disruption or manipulation of these services could adversely affect U.S. national and economic security. To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.” The Order called for updates to the profile every two years or on an as-needed basis.

Positioning, navigation and timing (PNT) services are a US-owned utility. The system consists of three segments: the space segment, the control segment, and the user segment. The U.S. Air Force develops, maintains, and operates the space and control segments.

The PNT Profile is designed to be used as part of a risk management program in order to help organizations manage risks to systems, networks, and assets that use PNT services. It is not intended to serve as a solution or compliance checklist that would guarantee the responsible use of PNT services.

The abstract provides:

The national and economic security of the United States (US) is dependent upon the reliable functioning of critical infrastructure. Positioning, Navigation and Timing (PNT) services are widely deployed throughout the critical infrastructure. A disruption or manipulation of PNT services would have adverse impacts on much of the nation’s critical infrastructure. In a government wide effort to mitigate these impacts, Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation and Timing Services was issued on February 12, 2020. The National Institute of Standards and Technology (NIST) as part of the Department of Commerce (DoC), produced this PNT Profile in response to Sec.4 Implementation (a), as detailed in the EO. The PNT Profile was created by using the NIST Cybersecurity Framework and can be used as part of a risk management program to help organizations manage cybersecurity risks to systems, networks, and assets that use PNT services, and is intended to be broadly applicable across all sectors. NIST acknowledges the tremendous efforts being undertaken by individual entities to address the responsible use of PNT services in their particular sectors and also encourages the development of sector specific guidance should more granular or specific risk management efforts be required. The PNT Profile can serve as a foundation for the development of sector specific guidance as well. This PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to natural and man-made, both intentional and unintentional, disruptions and manipulations.

The released document comes in at a hefty 115 pages.

Some interesting matters to note Read the rest of this entry »

Australian Digital Platform Regulators release Forum communique for priorities in 2022/23

June 29, 2022

Today the Information Commissioner, the Australian Competition and Consumer Commission (ACCC), the Australian Media and Communications Authority (ACMA) and the eSafety Commissioner (eSafety) released a joint communique regarding their coordination and priorities for the next year. The key focus will be digital transparency and algorithms and their impact. What exactly that means in terms of action taken by regulators is not clear. Both issues are very important in the privacy sphere.

The communique provides:

Digital Platform Regulators Forum names algorithms, digital transparency and increased collaboration as priorities for 2022/23

The heads of the four members of the Digital Platform Regulators Forum (the forum) met yesterday and have agreed on a collective set of priorities for 2022/23.

Members of the forum are: The Australian Competition and Consumer Commission (ACCC), Australian Media and Communications Authority (ACMA), eSafety Commissioner (eSafety) and Office of the Australian Information Commissioner (OAIC).

The forum’s strategic priorities for 2022/23 include a focus on the impact of algorithms, seeking to increase transparency of digital platforms’ activities and how they are protecting users from potential harm, and increased collaboration and capacity building between the four members.

Through the forum all members have agreed to share information and work together to tackle issues across their traditional lines of responsibility.

Digital transparency Read the rest of this entry »

Choice makes complaint to the Australian Information Commissioner about Good Guys, Bunnings and Kmart using facial recognition. Meanwhile Good Guys is “pausing” its use of facial recognition

Choice has formally complained to the Australian Information Commissioner about the use of facial recognition by Kmart, Bunnings and the Good Guys. iTnews has covered the story in Australian retailers named in facial recognition complaint.

Choice announced the complaint in a media release which provides:

CHOICE has asked the Office of the Australian Information Commissioner to investigate Kmart, Bunnings and The Good Guys for potential breaches of the Privacy Act (1988). CHOICE is concerned that the retailers’ practices related to their use of facial recognition technology pose significant risks to individuals. The social and economic risks include invasion of privacy, misidentification, discrimination, profiling and exclusion, as well as vulnerability to cybercrime through data breaches and identity theft.

Key issues

CHOICE has concerns with the retailers’ practices for two main reasons:

    1. Lack of notice and consent in the collection of sensitive information. The retailers’ use of online privacy policies and small signage in store as the key mechanisms to provide notice and obtain consent from individuals about the collection of their sensitive information is insufficient and non-compliant.
    2. The stated business purpose is disproportionate to the privacy harms posed to individuals. The retailers’ large scale collection and use of their customers’ sensitive information significantly invades the privacy of its customers. It is a disproportionate response to the risk of theft and anti-social behaviour in stores.

Choice has also made public the 16 page formal complaint. It is comprehensive and refers to the Determination by the Information Commissioner against Clearview AI (Commissioner initiated investigation into Clearview AI, Inc. [2021] AICmr 54). It is quite an impressive document.

Choice alleges that Kmart, Bunnings and the Good Guys breach the following Australian Privacy Principles (APPs):

  • APP 1.3 – have a clearly expressed and up-to-date APP Privacy Policy about how the entity manages personal information;
  • APP 3.3(a)(ii) – only collect ‘sensitive information’ where it is reasonably necessary;
  • APP 3.3(a) – only collect ‘sensitive information’ with consent;
  • APP 3.5 – only collect personal information by lawful and fair means; and
  • APP 5.1 – take reasonable steps to notify an individual of the APP 5 matters or to ensure the individual is aware of those matters.

As a prelude to publishing its findings, Choice undertook a survey of 1000 Australians about their awareness of facial recognition technology and found:

  • 76% of respondents didn’t know retailers were using facial recognition.
  • 83% of respondents think retail stores should be required to inform customers about the use of facial recognition before they enter the store.
  • 78% expressed concern about the secure storage of faceprint data.
  • 65% are concerned about stores using the technology to create profiles of customers that could cause them harm.

That is a very clever move.

Regarding the potential breaches:

APP 1

Choice argues:

  • retailers’ privacy policies (Appendix B) do not clearly express how the entities manage personal, including sensitive, information obtained through use of facial recognition technologies;
  • retailers were not forthcoming on how they manage sensitive information obtained through facial recognition technologies. There is a reluctance by the retailers to be clear, transparent and upfront about their privacy practices.

Read the rest of this entry »