Singapore Privacy Commissioner imposes $35,000 financial penalty for failing to put in place reasonable data security which resulted in data breach involving theft of 1.26 million users personal information.

April 27, 2022

The Singapore Personal Data Protection Commission has imposed a $35,000 fine on GeniusU for failing to prevent unauthorised access and exfiltration of personal information of 1.26 million.  It is a significant data breach for Singapore in terms of numbers of individuals affected.  Singapore has a population of a little over 5 million. 

As is all too common there were more than one mistake in GeniusU’s cyber security set up.  The likely entry was through the use of a developer’s password.  Once in it was easy to exfiltrate the data.  It was stored in the codebase of its GitHub environment.  

The decision summary relevantly Read the rest of this entry »

Bioaction Pty Ltd v Ogborne, in the matter of Bioaction Pty Ltd [2022] FCA 436 (26 April 2022): 459G of the Corporations Act 2001, whether service within 21 days

In Bioaction Pty Ltd v Ogborne, in the matter of Bioaction Pty Ltd [2022] FCA 436 the Federal Court considered, for the first time by the courts, the deeming provisions of sections 105A and 105B of the Corporations Act regarding service applications to set aside a statutory demand within the 21 day time limit,.  

FACTS

By originating process filed on 3 February 2022, the plaintiff, Bioaction Pty Ltd, sought an order setting aside a statutory demand pursuant to s 459G of the Corporations Act dated 12 January 2022 served by the defendant, Gordon Ogborne (“Ogborne”) [5].

Bioaction  specialises in the design, manufacturing and installation of systems to eliminate or mitigate odorous, hazardous and corrosive gases & Ogborne was its Chief Financial Officer / Chief Operating Officer from December 2019 until November 2021, when he was made redundant [7].

Ogborne and Bioaction were in dispute as to his entitlements where Ogborne claimed he was entitled to any additional sum [8].

On 13 January 2022, Ogborne served the statutory demand on Bioaction seeking payment of $240,688.31 being unpaid:

  • salary,
  • superannuation,
  • salary in lieu of termination,
  • annual leave and
  • redundancy

pursuant to an employment contract [9].

The statutory demand was Read the rest of this entry »

National institute of Standards and Technology release preliminary guide on 5G security; cyber security

April 26, 2022

The National Institute of Standards and Technology has released a preliminary draft guide on ensuring the transference from 4G to 5G is managed properly managed, in particular dealing with adequate cyber and cloud security and privacy protections.

As to be expected, this 83 page document is highly technical however it is a valuable asset for those practising in the privacy and cyber security space.

The Abstract provides:

Organizations face significant challenges in transitioning from 4G to 5G usage, particularly the need to safeguard new 5G-using technologies at the same time that 5G development, deployment, and usage are evolving. Some aspects of securing 5G components and usage lack standards and guidance, making it more challenging for 5G network operators and users to know what needs to be done and how it can be accomplished. To address these challenges, the NCCoE is collaborating with technology providers to develop example solution approaches for securing 5G networks. This NIST Cybersecurity Practice Guide explains how a combination of 5G security features and third-party security controls can be used to implement the security capabilities organizations need to safeguard their 5G network usage.

It defies easy summation.

In the broad the proposed Read the rest of this entry »

Colagrande v Kim [2022] FCA 409 (21 April 2022): defamation, identity of author, assessment of damages, aggravated damages. Award of $420,000 of general damages.

April 25, 2022

It is something of a persistent myth that authors can hide behind pseudonyms and publish defamatory statements with impunity.  If, as demonstrated in Colagrande v Kim [2022] FCA 409 a plaintiff is determined enough there is high probability of obtaining sufficient information to identify the author and convince a court that that person is the correct defendant in a subsequent defamation proceeding. Jagot J ordered a very significant award against the respondents.

FACTS

Dr Colagrande (“Colagrande”) a Australian trained doctor who is highly qualified:

  • in 1999 completing a training Fellowship with the Cambridge Private Hospital in Cambridge, United Kingdom i
  • in 2002, becoming an Honorary Fellow in Aesthetic Plastic and Reconstructive Surgery at Addenbrooke’s Public Hospital in Cambridge, United Kingdom
  • in 2005, gaining a Fellowship in Cosmetic Surgery from the European Academy of Cosmetic Surgery
  • in 2005,  establishing a clinic at Mermaid Beach, Gold Coast, Queensland where he mainly performed cosmetic procedures, health assessments and well-being programs.

In February 2017 Dr Colagrande pleaded not guilty to a charge of  indecent assault of a patient, to which he was found not guilty [5]. On 5 June 2018 the Queensland Court of Appeal quashed that conviction and the prosecution entered a nolle prosequi (a formal abandonment of the charge) on 7 June 2018 [5].

Colagrande had an account with the RateMDs website, a Doctor rating site with over 40 million visits every year. Members of the public can post entries relating to doctors on the RateMDs website [6].

In early 2019 when Colagrande Read the rest of this entry »

National Institute of Standards and Technology releases 3 guidelines: Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments, Hardware Enabled Security: Machine Identity Management and Protection and Hardware-Enabled Security:Policy-Based Governance in Trusted Container Platforms

April 22, 2022

Yesterday the National Institute of Standards (“NIST”) released Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments, Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms and Hardware Enabled Security: Machine Identity Management and Protection and Hardware-Enabled Security:Policy-Based Governance in Trusted Container Platforms.

The guides are highly technical but include useful practical methodologies on cyber security.  They are a valuable resource.  In Australia there is nothing equivalent at this level of detail. 

Trusted Cloud

The abstract Read the rest of this entry »

National Institute of Standards and Technology releases guide on “Satellite Ground Segment: Applying the Cybersecurity Framework to Assure Satellite Command and Control”

April 19, 2022

It is sign of how mainstream satellites have become and part of the the consumer economy that the National Institute of Standards and Technology (“NIST”) starts the process of developing guidelines for cybersecurity relating to the operation of satellite.  The NIST has released “Satellite Ground Segment: Applying the Cybersecurity Framework to Assure Satellite Command and Control”.   

While the number of satellite operators is relatively, if not absolutely, small guides such as these have a broader application for those who take cyber security seriously. 

The NIST abstract provides:

Space operations are increasingly important to the national and economic security of the United States. Commercial space’s contribution to the critical infrastructure is growing in both volume and diversity of services, as illustrated by the increased use of commercial communications satellite (COMSAT) bandwidth, the purchase of commercial imagery, and the hosting of government payloads on commercial satellites. The U.S. Government recognizes and supports space resilience through numerous space policies, executive orders, and the National Cyber Strategy. The space cyber-ecosystem is an inherently risky, high-cost, and often inaccessible environment consisting of distinct yet interdependent segments. This report applies the NIST Cybersecurity Framework to the ground segment of space operations with an emphasis on the command and control of satellite buses and payloads.

The objectives of guide Read the rest of this entry »

The US authorities uncover a versatile hacking tool targeting critical infrastructure

April 14, 2022

Wired reports that the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI released an advisory about the a malware toolset which can interfere with industrial control systems.  Given Australia has just passed an updated critical infrastructure legislation this is a particularly relevant development.  The state of protection by Australian organisations is generally poor, legislation notwithstanding.

The advisory Read the rest of this entry »

Another example if more was needed of poor email practices in Ilinois clinic in the USA – 503,000 affected by email breach.

The health industry always features prominently with data breaches and commensurate poor privacy and data security practices.  To show the consequences of one, entirely avoidable, lapse upon a poorly protected organisation note that salutory example of the data breach at the Christie Clinic in Illinois.  A single email account was compromised resulting in unauthorised access and resulting in the personal information of 503,000 individuals.  It is the third largest recorded health data breach thus far in 2022.  It is Read the rest of this entry »

NIST releases guides to Enterprise Patch management

April 11, 2022

The National Institute of Standards and Technology (“NIST”) releases excellent guides in relation to all manner of technology.  It is particularly helpful in providing processes to improve cyber security and deal with data breaches.

Last week the NIST through its  National Cybersecurity Center of Excellence (NCCoE) released

The focus of both guides highlights the importance of timely and appropriate patching so as to enable  organisations to have an adequate cybersecurity system.

Patching is a form of preventive maintenance of computing technologies.  It helps prevent compromises, data breaches, operational disruptions, and criminal acts.

SP 800 – 40

SP 800-40 Revision 4 recommends that leadership at all levels of an organization, along with business/mission owners and security/technology management teams, should jointly create an enterprise strategy that simplifies and sets up processes for patching.

Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization.

The publication refers to Read the rest of this entry »

Data Availability and Transparency Act 2022 passes and receives Royal Assent on 1 April 2022

April 10, 2022

On 31 March 2022 the Federal Parliament passed the Data Availability and Transparency Bill 2022.  It became law on 1 April 2022.  It’s genesis is traced back to reforms proposed by the Productivity Commission’s  Inquiry Report into Data Availability and Use (2017).

The Minister’s Second Reading Speech provides:

I am pleased to introduce this bill which will create the Data Availability and Transparency Act, appropriately abbreviated to DATA.

This bill establishes a new data sharing scheme for federal government data, underpinned by strong safeguards to mitigate risks and simplified processes to make it easier to manage data sharing requests.

2020 has shown us how critical this piece of legislation is.

We started the year in the middle of one of the most disastrous bushfire seasons in recent memory, with thousands of Australians needing access to government services to support them through this difficult time.

Australians continue to face the onslaught of the COVID-19 pandemic, which has cost them their jobs and their livelihoods, and they are turning to their government for help.

Government data and digital services have been fundamental to the government’s response to these events.

Data allowed Australians to receive timely and reliable services in a time of need.

Data allowed Australians to access government services online instead of queuing at Centrelink shopfronts.

It was data that informed the development of essential programs like the JobKeeper payment, so that we could provide relief to Australians who have lost their jobs during this pandemic.

The government’s vision is that Australians experience the same seamless approach to government services every day, not just in times of crisis. Read the rest of this entry »