July 11, 2022
As part of its Shifting Powers series Lloyds has released a timely and very thorough report on cyber security with Shifting powers: Physical cyber risk in a changing geopolitical landscape. The Report sets out scenarios and likely responses which are very helpful and practical (and which are too involved to summarise or analyse in this post).
The press release provides:
In a highly digitised economy, cybersecurity sits at the top of the agenda for businesses, boards, risk managers and governments alike.
In recent years, malware and ransomware attacks have been causing severe disruption for global businesses and their supply chains. In addition to the rise in malware and ransomware attacks, the threat of state-sponsored cyber-attacks has become a significant focus for businesses and governments.
Whilst most cyber-attacks are digital, some result in tangible disruption or damage to the physical environment – these types of attacks are becoming increasingly common place. This is, in large part due to the increasingly interconnected nature of systems and services which expose businesses to perils from physical cyber-attacks such as fires, explosions, flooding or bodily injury.
At Lloyd’s we understand the complex and potentially systemic risks in the cyber class and are committed to supporting a resilient cyber market. Cyber physical represents a key opportunity for insurers to develop a sustainable cyber offering that can help protect customers from a risk that has reached the highest level of priority in boardrooms around the world.
At 38 pages it is a significant, and long, report which defies easy summary however some highly pertinent points it makes includes:
- the potential impacts on businesses are:
- 1. Asymmetric Attack Exchange: A rudimentary cyber power sponsors non-state ransomware
attacks by cybercriminals targeting another nation’s critical infrastructure
2. Offensive Cyber Retaliation: Regional tensions over nuclear development programmes spill
over into cyber-physical sabotage of critical infrastructure
3. Symmetric Attack Exchange: Two sophisticated cyber powers engage in an escalation of
destructive cyber attacks on critical infrastructure
Physical cyber risk
Read the rest of this entry »
Posted in Legal, Privacy
|
Post a comment »
July 8, 2022
Ireland, more accurately Ireland’s Data Protection Commission, has been engaged in a protracted dispute with Meta, Facebook’s parent company, regarding its data handling and compliance with the GDPR Articles. On 15 March 2022 it concluded an inquiry into 12 data breaches by Meta Platforms where it found that Meta had infringed Articles 5(2) and 24(10 of the GDPR. The media release relating to those findings stated:
The DPC has today adopted a decision, imposing a fine of €17m on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) (“Meta Platforms”).
The decision followed an inquiry by the DPC into a series of twelve data breach notifications it received in the six month period between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.
As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.
Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.
Yesterday an article titled Europe faces Facebook blackout reports that the Commission informed its counterparts in Europe that it will block Meta from sending back data to the USA. Meta has said that would close many of its services including Facebook and Instagram. Clearly Read the rest of this entry »
Posted in Privacy
|
Post a comment »
In the Victorian Government Gazette S314 Friday 24 June 2022 the Attorney General made a declaration under section 35(3) of the Defamation Act 2005 to increase the maximum non economic loss damages to $443,00.
The declaration states:
Defamation Act 2005
DECLARATION UNDER SECTION 35(3)
I, Jaclyn Symes, Attorney-General, being the Minister for the time being administering the Defamation Act 2005, hereby declare in accordance with section 35(3) of the Defamation Act 2005 that on and from 1 July 2022 the maximum damages amount that may be awarded for non-economic loss in defamation proceedings is four hundred and forty three thousand dollars ($443,000).
Dated 7 June 2022
JACLYN SYMES MP
Attorney-General
Posted in Defamation, Legal
|
Post a comment »
It has trite to say that a significant amount of cyber hacking is undertaken by or with the connivance of state sponsored actors. For example North Korea was directly responsible for the hack of Sony in 2014 which resulted in half of Sony’s global digital network being destroyed. There are many other instances.
The US Cybersecurity and Infrastructure Security Agency (‘CISA’ has released a joint a joint cybersecurity advisory regarding North Korea’s use of the Maui ransomware to target healthcare and public health sector organisations. Maui ransomware is an encryption binary. It is designed for manual execution by a remote actor using a command-line interface to interact with the malware and to identify files to encrypt.
Along with the advisory is a guidance that should be used to assist in defending against these attacks. There is also a call for critical infrastructure organisations to review and apply the recommended mitigations to reduce the likelihood of compromise from ransomware. Good advice for US organisations and good advice for Australian organisations. State sponsored hackers are equal opportunity criminals.
The press release Read the rest of this entry »
Posted in Privacy
|
Post a comment »
The National Institute of Standards and Technology (“NIST”) has released a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” for public’s comment.
This guide summarizes how commercially available technology is being used to develop an interoperable, open standards-based Zero Trust Architecture. Read the rest of this entry »
Posted in Privacy
|
Post a comment »
July 6, 2022
When I first starting writing about privacy and data security data breaches involved low thousands of records compromised. It didn’t take long for data breaches to involve many thousands of records and occasionally over a hundred thousand records. In the last decade the ability and desire of government, organisations and businesses to collect masses of data has increased exponentially. Storage capacity increased as did the ability of analysing the data with the use of algorithms. Analytics is now a sophisticated discipline and its products have made businesses wealthy. Increased collection,use and storage of data has been matched by increased hacking into systems. Personal information provides valuable source material for identity theft and other forms of fraud. And many businesses and government agencies have traditionally had a terrible record in maintaining proper privacy protections and cyber security systems.
Now data breaches regularly involve millions of records, occasionally tens of millions of records. But not records of a billion people. Until now. Data Breach today reports in Unknown Hacker Steals Data of 1 Billion Chinese Citizens that an configuration error in Alibaba’s private cloud server resulted in a data breach involving a billion individuals. The data was collected by Shanghai National Police and taken from its database. The information was a hackers dream; names, home addresses, identification number and phone numbers. That data, 23 terrabyte’s worth, is being offered for sale on a hacker forum for 10 Bitcoin (or over $200,000).
The story has been reported widely with Reuters, ABC, Bleeping Computer and the Guardian reporting on the breach among many others. China, being China, such a bad news story has been censored. This can have the potentially Read the rest of this entry »
Posted in Privacy
|
Post a comment »
Publications by the National Institute of Standards and Technology (“NIST”) is regarded by many privacy and cyber security practitioners as setting out technical and process standards. That is not a universal view but given its output it is a matter of time before that becomes a reality.
The NIST has released its Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process.
The first group of algorithms NIST has chosen are designed to withstand the possible assault of a future quantum computer. Quantum computers are likely to become powerful enough to break present-day encryption. That poses a serious threat to information systems. The four selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard. Those selected algorithms are either alogorithms for:
- general encryption, used to access secure websites; or
- digital signatures, used to verify identities during a digital transaction or remote signing.
The Abstract Read the rest of this entry »
Posted in Privacy
|
Post a comment »
July 5, 2022
One of the most significant amendments to the Privacy Act 1988 in 2014 relating to credit reporting. A key element of those amendments was the establishment of Credit Reporting Codes. On 7 June 2022, the Australian Information Commissioner approved a replacement to the Privacy (Credit Reporting) Code 2014 (Version 2.2) by introducing the Privacy (Credit Reporting) Code 2014 (Version 2.3) (Code). Version 2.3 of the Credit Reporting Code registered on 1 July 2022. It took effect on 1 July 2022.
For anyone involved practising in privacy law, particularly with a connection to banking and finance, it is worth reviewing the updated code carefully.
The release Read the rest of this entry »
Posted in Commonwealth Privacy Commissioner, Privacy
|
Post a comment »
July 4, 2022
The phrase “six degrees of separation” should be truncated to “one degree of separation” when describing data flows. Personal information of Australians is held by many US companies and organisations courtesy of on line shopping, various subscription services and other connections.
The ABC in Australian user data security in doubt after TikTok admits US data accessible by China highlights the vulnerability of data relating to Australians can be as great as those of US individuals where third parties can access the US user data. And US users of Tik Tok have/can have their data accessed by Tik Tok Employees. Tik Tok admits that is employees in China have access to US user data. If they are both stored on the same servers the likelihood of harm can be as great.
There is a very real concern that norms about accessing information differ between Read the rest of this entry »
Posted in Privacy
|
Post a comment »
Itgovernance has identified 80 incidents in June 2022 which resulted in 34,908,053 records being compromised. The types of attacks vary as does the severity of the attacks.
Those breaches included:
- Shields Health Service suffering a cyber attack involving compromise of 2 million records;
- a human error in the form of an unauthorised person making available 2 million records on a hacking forum. The information offered was first and last name, Social Security number; Medicare beneficiary identification number; date of birth; address and contact information; and health insurance information
- .Baptist Medical Center and Resolute Health Hospital suffered a cyber attack involving 1,254,534 records. The information accessed included some or all of demographic information such as full name, date of birth, and address, Social Security number, health insurance information, such as name of insurer/government payor, policy and/or group numbe, medical information, such as medical record number, dates of service, provider and facility names, chief complaint or reason for visit, and other visit, procedure and diagnosis information; and billing and claims information, such as account and/or claim status, billing and diagnostic codes, and payor information.
- Flagstar Bank has data breach impacting 1.5 million customers.
- Yuma Regional Medical Center has ransomware attack affecting 700,000 patients;
- Perkins & Co suffered a data breach via an attack on a third party vendor, Netgain, which Perkins used for hosting its data in the cloud. A total of 354,647 records were compromised.
- Pegasus airlines leaked 6.5 terra bytes of personal information of flight crew. A total of 23 million records leaked. The information was left online.
- in Australia Icare, an insurer, leaked personal information relating to 193,000 injured workers to 587 employers and insurance brokers. The leak happened through a spreadsheet mistakenly attached to emails to wrong employers.
- in Japan a person doing work for Amagasaki city lost a USB storage device which had records of all of the city’s residents. He lost the device after having a drink or three at a restaurant.
- in Malaysia, the point of sale provider Storehub had a data leak exposing personal information of almost a million customers.
- there was a leak of gun owners personal information in California from the state’s Department of Justice. The information released included names, birthdates, gender, race, driver’s license numbers, addresses and criminal histories of people who were granted or denied permits to carry concealed weapons between 2011 and 2021.
- the insurer EMC National LIfe Company suffered a data breach involving 288,288 records.
Read the rest of this entry »
Posted in Privacy
|
Post a comment »