Mercer Super suffers an analog data breach via theft from Australia Post GPO in Melbourne.

July 24, 2025

Data breaches, at least the ones reported, are invariably the result of a cyber attack or phishing. The analog variety are much less common than they were a few decades ago, when I started practising privacy law. Back then data breaches commonly involved records stored in filing cabinets offered for sale or disposal, documents left in the street for recycling, folders of documents taken by disgruntled employees or files left in cars. There were some digital records stolen, but those were usually laptops left in, or stolen from, places. It was much too hard to exfiltrate masses of data over telephone lines and many records were not online. That is not to say that analog data breaches don’t occur today. I receive calls about paper-form customer lists taken from companies or mail taken from letter boxes. But the data breach suffered by Mercer Super is very unusual. Mail posted to Mercer, collated and placed in its GPO Box at the Australia Post Melbourne GPO, was targeted by thieves who broke into the GPO. Four times! It is reported by the ABC in Mercer Super reports security breach after Australia Post Melbourne GPO mail theft. Official correspondence and forms completed by clients to Mercer would contain a considerable amount of personal information, not to mention details of customer accounts. That can be used for identity theft but also for trying to access super accounts, which contain considerable sums of money, as we have seen from recent cyber attacks on Australian superannuation funds.

Mail used to be a very lucrative target for criminals. Cash, cheques, money orders and securities were transported via mail. The Great Train Robbery of 1963 involved the theft of £2.61 million from the Royal Mail train on the Glasgow to London run. That haul is worth 62 million pounds today. Private security vans took over from mail vans and trains, and now money is transferred digitally.

Australia Post has issued a media release in which it says the break-ins occurred within the mezzanine area of the Melbourne GPO Box Room in Bourke Street between 6 and 17 July 2025. The thieves were after letters, not parcels, which are tracked. It has been reported by the AFR in Post office burglaries spark super fund security alert, Super fund’s warning to customers after post office break-in, and Sky’s Major super fund issues alert to customers after mail stolen from Australia Post Melbourne GPO in string of break-ins.

Even though the cause of the data breach cannot be blamed on Mercer Super, it is important for it to have a viable and effective data breach response plan. Given the spate of recent attacks on super funds one would have thought it had such a plan. The question of determining whose personal information has been stolen may be complicated. Complicated, but possible. Mercer would have a register of mail sent and would have a reasonable idea of the correspondence it is expecting, such as completed forms. But it would necessarily be Read the rest of this entry »

Court records reveal details of communication between hackers and Qantas.

In large data breach incidents, affected organisations find controlling the information flow is difficult. For starters, hackers post notices proclaiming their “achievements”. That is why a more open and transparent approach is best. Advise customers/clients/patients what has happened and provide as much information as can safely be given. It is when companies shut down communication, or are obtuse, deliberately or otherwise, that problems arise. There are often internal leaks from disgruntled staff. There is often the appearance that there is something to hide. That gets the media interested. And sooner or later more information is found. Qantas’ poor communications after the data breach, and its generally average response, are more about having no coherent data breach response plan and no real idea about how to communicate. It has become an art overseas.

What has come to light is further information about communications between Qantas and the hackers. Qantas provided notification of the data breach on 2 July. On 4 July it provided an update saying it had not been contacted by anyone. Sure enough, later that day the hackers sent Qantas 4 emails setting out the scope of the data breach. Qantas’ notices make no reference to any of that until 7 July, after receiving multiple emails from the hackers. Qantas did not respond to them, so the hackers emailed again on 7 July. Only then did Qantas respond. Then there was an exchange with Qantas sending 11 emails. The emails are heavily redacted, but little imagination is required to guess at what the hackers wanted to “resolve” the situation. Cyberdaily sets out the tortured process in Qantas hack: Court documents reveal scope of communications between hackers and the Flying Kangaroo. It is more common than one would think for companies to ignore communications from hackers, not appreciate that they are being contacted or, in some situations, not check their emails. Hackers will Read the rest of this entry »

Genea finally provides some information to patients whose data was stolen in a data breach in February 2025. It seems to be something of a debacle

July 23, 2025

In February 2025 Genea, a large IVF clinic, suffered a significant data breach involving the theft of its patients’ personal information. I posted on the breach on 19 February 2025. I was unimpressed by the non-informative statement regarding the breach. I also posted on Genea’s later activity, including obtaining injunctive relief on 27 February 2025. On each of 4 and 10 March 2025 Genea provided an update, of sorts. On 4 March 2025 it confirmed that additional stolen data, which was part of the original theft, had been published on the dark web, and that it was “working to understand precisely what data [sic] has been published” and notifying affected patients and staff etc. It also put in the usual boilerplate about working with the Information Commissioner, the AFP, the National Cyber Security Co-ordinator and the ACSC. The 10 March update was lengthier though not much more informative. Genea was still “undertaking a full assessment of the incident” but provided recommendations regarding possible phishing or attempts at identity theft. It also referred to the injunction it obtained and provided a link to the orders made (which is something rarely done). This injunction followed the same approach taken by HWL Ebsworth in obtaining injunctive relief in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71. In March 2023 the UK High Court also granted injunctive relief against person(s) unknown in Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 762.

The latest update was on 3 July 2025, where Genea announced that it has concluded its investigation and that it is “starting to communicate directly with individuals”. Beyond stating that it has engaged IdCare, the balance of the announcement is a reworking of earlier announcements.

Today news.com.au published IVF giant Genea reveals dark web data breach impacting thousands, where patients and former patients claim the first time they were contacted about the data breach was last week, late on Friday to be precise. The ABC also covers the story with Genea IVF confirms sensitive patient health information on dark web.

Genea has refused to provide any detail on the size of the data breach, that is, how many patients’ or former patients’ personal information was affected. That is quite unusual but consistent with the minimalist approach Genea has adopted. It is a mistake. It has also refused to advise whether it has paid a ransom. That is less unusual, if it is the case. Very few organisations admit to paying ransoms. They are not illegal payments, though failing to report them to the Government, as from 30 May 2025, is now illegal.

On the page where Genea provides updates on the cyber breach there is a pop-up titled “unlock your on-demand fertility webinar library” with the statement “From basics to advanced treatments, get free complete access to our webinar library from leading specialists nationwide.” There is a tab to click to “register here.” It is unintentionally amusing. To some it might be seen to be in poor taste, whether intentionally or not.

Overall Genea has handled the data breach poorly. The announcements have been more about form than substance. It took 3 weeks from discovery of the data breach to advise that there had been such a breach. It then spent 5 months putting itself into a position to advise the people affected what personal information was stolen. That is an unaccountably and unreasonably long amount of time. BCI has focused on this in its article Why communication is as critical as cybersecurity: Genea breach. The article provides a brief, accurate summary of where Genea has gone so terribly wrong in the handling of this data breach and why it is fundamental to have a coherent and transparent communications strategy. It should be mandatory reading. While communication may not mitigate or vitiate liability, it will build some goodwill with those whose data has been stolen. That may reduce the number who want compensation. More importantly, vague and confusing, or even duplicitous, communication will enrage people and make it likelier that they will sue.

Given Read the rest of this entry »

Qantas admits to using AI to generate emails to hack victims. An interesting, if fraught, decision

July 22, 2025

The use of AI is becoming ubiquitous. Its impact seems to be the subject of endless articles (mostly not drafted with the assistance of AI) either predicting a rosy future or a dystopian nightmare. This week’s Economist’s To survive the AI age, the web needs a new business model is sober but not hair-pullingly negative about AI. It is disruptive, which is a good thing. But just because it is there does not mean it should be used. Case in point: reports of Qantas using AI to send emails to victims. Smart Company’s Qantas using AI for email to hack victims a “risky move” highlights the potential problems. The initial problem is what sort of message it sends to customers that the emails they receive were generated by ChatGPT, or at least drafted with its assistance. The use of AI can be discerned by the mix of loquacious and clunky prose. And Qantas has confirmed its use of AI, so it is public knowledge.

There is a skill in drafting letters to clients/patients/shareholders/whoever relating to data breaches. It has developed in the United States to quite a high level because they have had to deal with significant data breaches over a longer time period, and have had obligations and liabilities to deal with which did not reach Australian shores until relatively recently. They also tend to be very sensitive to reputational damage, something some Australian companies are less concerned with given their poor responses to data breaches. Australian companies are very resistant to taking on board the hard-earned lessons of their US cousins. They tend to use PR firms whose approach is to churn out media releases and letters full of boilerplate platitudes, which make for a wordy, vague and overlong document saying very little. That is regarded as a smart play. It almost always continues the controversy.

The Smart Money article Read the rest of this entry »

A weak password ends a 158-year-old company

KNP, a Northamptonshire transport company, has closed because a hacker was able to guess a password. That entry gave access throughout the company’s computer system, allowing the hacker to encrypt its data and lock its internal systems. The story is reported by the BBC in Weak password allowed hackers to sink a 158-year-old company. Hackers successfully guessing passwords is something of a throwback to an earlier era. Hackers typically don’t try to work out a moderately strong password (e.g. 8 characters, with an uppercase letter, a number and a special character) because that would require an inordinate amount of time and would likely alert the company. Hackers can guess an easy password by running through the usual default, simple and foolish passwords (QWERTY, 12345, password) or a default of a person’s name or the name spelt backwards. Those sorts of passwords still exist, particularly in organisations without password programs which require a certain password strength. The other aspect of the breach is that once in, the hackers had untrammelled access to the data and were able to lock the internal systems. This suggests that beyond the external cyber defence (the wall, to put it another way) there was nothing. No siloing of data, no programs to detect unusual activity and no authorisation required to reach certain parts of the computer system. And likely no external backup with programs to block ransomware. The consequences are significant: 700 people have lost their jobs.

The article Read the rest of this entry »

Service of court orders on cyber hackers by Qantas

July 21, 2025

Service of court orders is invariably necessary to permit action for contempt for a breach of those orders. In cases of injunctive relief the Court commonly requires service of those orders. It becomes more difficult when the subjects of those orders inhabit the dark web, have no representatives to accept service of those orders and can easily disappear. Welcome to the world of service on cyber hackers. Non-publication orders against cyber hackers are a relatively recent phenomenon, as is the method of service.

Qantas served the non-publication orders made by Justice Kunc of the New South Wales Supreme Court via Tox. According to affidavit material filed by Qantas, the documents containing the orders were sent last Thursday and a return email was received 3 hours later. What is not clear is how the order has been brought to the attention of those who may not be the cyber criminals but come upon this information. That may be attended to by specific exemptions to the orders. It is not known. In crafting orders it is important to make them sufficiently focused so as to avoid unwelcome consequences, such as a victim of the cyber breach being in contempt because he or she found his or her information on the dark web or elsewhere.

The Australian has covered this story in How Qantas served papers on cyber criminals over hack attack on customer database. What seems to be clear is that the cyber hackers are based outside Australia. That is a perennial problem and one that does not Read the rest of this entry »

European Union Agency for Cybersecurity (ENISA) releases its report into telecom security incidents in 2024. A 20.5% increase over 2023

ENISA releases an annual report of security incidents every year. This year it reported 188 incidents submitted by national authorities from 26 EU Member States and two European Free Trade Association (EFTA) countries. This is an increase of 20.5% over 2023, when there were 156 incidents from 26 EU Member States and one EFTA country. That said, there was a reduction in user hours lost, according to the press release.

According to the Read the rest of this entry »

Kate Aston video intrusion and Nathalie Matthews’ videos of intimate nature and privacy breaches. Options. A claim under the statutory tort of serious invasion of privacy?

The case of Kate Aston being videoed walking out of a bathroom, and of Nathalie Matthews being concerned that intimate videos she filmed would be made public, raises issues of privacy protections in each case and what each could do to protect their privacy. Particularly with the statutory tort of serious invasion of privacy coming into operation on 10 June 2025.

While both factual situations are unique they are not, in broad strokes, all that unusual in privacy law. The use of cameras and video in a setting which should be private, and which clearly causes serious distress, is not unknown. Many cases, almost invariably resulting in a prosecution, involve the use of a camera/video in a toilet. But there is no hard dividing line between taking photos or videos of someone in a toilet and photographing or videoing, with that same equipment, someone who is leaving a toilet. The question is whether there is a reasonable expectation of privacy. In the case of someone using the toilet facilities the answer is clearly yes. In the case of someone leaving a toilet it is most likely yes. The distinction is slight. One can have a reasonable expectation of privacy in a semi-public or even public space. In 2008 the UK Court of Appeal in Murray v Big Pictures (UK) Ltd [2008] EWCA Civ 446 found that a child had a right to privacy in a public space. The Mrs Murray in that case writes under the nom de plume of JK Rowling. While the claim was brought on behalf of the Murrays’ child, the defendant’s interest was more about capturing an image of Mrs Murray with her family, her child especially. While that case focused on the rights of the child, the subsequently developed principles apply to adults. It depends on the circumstances. And those circumstances do not assist someone who intentionally waits outside a toilet and uses video to catch another on film leaving the toilet. And then posts that footage online.

According to 7 News, Ms Aston has commenced legal action. Whether that is a claim in privacy, equity, defamation or any other cause of action is unknown.

According to the Australian’s report of the Matthews case, the concern is that intimate videos would be made public, and that motivated her to apply for a domestic violence order. The abuse of intimate videos, previously made consensually, has been the subject of two superior court decisions in Australia: the Victorian Court of Appeal decision in Giller v Procopets [2008] 24 VR 1 and the Western Australian decision in Wilson v Ferguson [2015] WASC 15, which I posted on in 2015.

Either of these cases could be run without the statutory tort of serious invasion of privacy. With that tort extant, and these fact situations commencing after 10 June 2025, the tort is available to either. The strength of the case depends on all of the facts, not just the media coverage.

It is interesting to read Read the rest of this entry »

Will forcing companies to delete data reduce cybercrime….

July 18, 2025

The desire, if not obsession, of government agencies and private organisations and companies to collect and store information has been a problem for as long as there has been the capacity to make records. It has been regularly satirised (e.g. Brazil). It is no joke. Digitisation and the increased ability to store vast amounts of data economically has meant that governments, organisations and companies could collect much more personal information than was thought possible in the analog era. More importantly, advanced computing, especially the use of algorithms, made that data particularly valuable. As a result many government bodies and companies hold an enormous amount of personal information. In cyber security language that is sometimes described as the honey pot. The question often posed is how to reduce this honey pot and thereby minimise the exposure of individuals to losing their personal information. One of the solutions raised is to require agencies and companies to remove data. That is the product of wrong analysis. It implies that the regulation is lacking. That is not correct. The laws are adequate. It is the regulation and enforcement of those laws, especially the Privacy Act 1988, that has been inadequate over a very long time. As a result there is complacency in the marketplace. Under the Privacy Act 1988 an entity should only collect personal information relevant to its primary purpose. It should only retain that personal information for as long as it is relevant to that purpose. That companies, especially, collect as much information as possible on the most tenuous bases is a matter of their desire, not compliance with the law. The problem is that they have not been called on it. There have not been enough cases in the Federal Court where those breaches have been prosecuted. All of this is not to say the Privacy Act 1988 does not need further reform. It does.
But the issue of data hoarding can be dealt with by a determined, effective and properly resourced regulator.

The ABC has published an interesting essay, Experts say forcing companies to delete data would remove cybercrime ‘honey pot’.

It provides, with my notations:

Giving Australians the right to force the removal of their personal details from company databases would help combat the growing impact of mass data theft, experts say.

Theoretically, yes. But how much of a difference such a right would make is questionable. Already, under Australian Privacy Principle 12, an individual may request access to information held by an entity. APP 12.1 states:

If an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.

There are exceptions to Read the rest of this entry »

Trumpets of Patriots and United Australia Party hit by ransomware cyber attack.

The cyber attack on Trumpets of Patriots and the United Australia Party highlights two issues with privacy. The first is that political parties harvest huge amounts of personal information. Some of it relates to membership. Some is obtained through enquiries, surveys and data provided from other political sources, such as parliamentarians. Political parties operate on data. It is a critical part of messaging and lobbying. This cyber attack highlights a flaw in the Privacy Act 1988. Registered political parties are exempt under section 7C from the operation of the Privacy Act 1988. The Privacy Commissioner has no power to investigate the breach. The question then is whether either or both of the United Australia Party and the Trumpets of Patriots are “registered political parties.” According to the Australian Electoral Commission the Trumpet of Patriots is a registered political party. The United Australia Party is not. It has been deregistered and, despite its best efforts in Babet v Commonwealth of Australia; Palmer v Commonwealth of Australia [2025] HCA 21, could not be re-registered. Interestingly, the Trumpets of Patriots notified the Privacy Commissioner of the data breach.

That does not mean Trumpets of Patriots is immune from suit, even if it is exempt under the Privacy Act.

The story is covered in Read the rest of this entry »