Hacker accesses Argentine Government’s data base and steals ID database for the country’s entire population

October 19, 2021

These days the number of files stolen or compromised by hackers have been increasingly exponentially. The theft of hundreds of twenty years ago have morphed into the loss of thousands and then hundreds of thousands of documents. These days the theft and loss of millions of records are not uncommon. What is less common, as in extraordinary is where the personal information of an entire country’s population is stolen. That is what happened to Argentina earlier in October as reported by the Record in Hacker steals government ID database for Argentina’s entire population.

The article provides:

A hacker has breached the Argentinian government’s IT network and stolen ID card details for the country’s entire population, data that is now being sold in private circles.

The hack, which took place last month, targeted RENAPER, which stands for Registro Nacional de las Personas, translated as National Registry of Persons.

The agency is a crucial cog inside the Argentinian Interior Ministry, where it is tasked with issuing national ID cards to all citizens, data that it also stores in digital format as a database accessible to other government agencies, acting as a backbone for most government queries for citizen’s personal information.

The first evidence that someone breached RENAPER surfaced earlier this month on Twitter when a newly registered account named @AnibalLeaks published ID card photos and personal details for 44 Argentinian celebrities.

This included details for the country’s president Alberto Fernández, multiple journalists and political figures, and even data for soccer superstars Lionel Messi and Sergio Aguero.

A day after the images and personal details were published on Twitter, the hacker also posted an ad on a well-known hacking forum, offering to look up the personal details of any Argentinian user.

Faced with a media fallback following the Twitter leaks, the Argentinian government confirmed a security breach three days later.

In an October 13 press release, the Ministry of Interior said its security team discovered that a VPN account assigned to the Ministry of Health was used to query the RENAPER database for 19 photos “in the exact moment in which they were published on the social network Twitter.”

Officials added that “the [RENAPER] database did not suffer any data breach or leak,” and authorities are now currently investigating eight government employees about having a possible role in the leak.

However, The Record contacted the individual who was renting access to the RENAPER database on hacking forums.

In a conversation earlier today, the hacker said they have a copy of the RENAPER data, contradicting the government’s official statement.

The individual proved their statement by providing the personal details, including the highly sensitive Trámite number, of an Argentinian citizen of our choosing.

“Maybe in a few days I’m going to publish [the data of] 1 million or 2 millon people,” the RENAPER hacker told The Record earlier today. They also said they plan to continue selling access to this data to all interested buyers.

When The Record shared a link to the government’s press release in which officials blamed the intrusion on a possibly compromised VPN account, the hacker simply replied “careless employees yes,” indirectly confirming the point of entry.

According to a sample provided by the hacker online, the information they have access to right now includes full names, home addresses, birth dates, gender info, ID card issuance and expiration dates, labor identification codes, Trámite numbers, citizen numbers, and government photo IDs.

Argentina currently has an estimated population of more than 45 million, although it’s unclear how many entries are in the database. The hacker claimed to have it all.

This is the second major security breach in the country’s history after the Gorra Leaks in 2017 and 2019 when hacktivists leaked the personal details of Argentinian politicians and police forces.

Information Commissioner issues determination into 7- Eleven Stores Pty Ltd [2021] AICmr 50 (29 September 2021) for breaches of Australian Privacy Principles 3 and 5 through use of facial recognition technology of unsuspecting customers.

The Australian Information Commissioner (the “Commissioner”) has issued a very significant s determination resulting from a Commissioner initiated  investigation into 7-Eleven Stores Pty Ltd (Privacy)  [2021] AICmr 50 where she found that 7 Eleven had breached Australian Privacy Principle (APP) 3 and 5 of the Privacy Act 1988.

FACTS

From 15 June 2020 to 24 August 2021 7-Eleven used facial recognition technology in its stores as part of a customer feedback mechanism (the Facial Recognition Tool) in its 700 stores nationwide [4]. The Facial Recognition Tool was supplied by a third party supplier (the Service Provider). 7-Eleven described its use of the Facial Recognition Tool as:

  • a tablet was located inside the 7-Eleven stores enabled a customer to complete a voluntary survey about his or her’s in-store experience.
  • each tablet had a built-in camera that took facial images of the customer while that person was  completing the survey.
  • the customer’s facial image was captured twice, when the individual  first engaged with the tablet and then after completing the survey.
  • the facial images were stored on the tablet for around 20 seconds before being uploaded via a secure connection to a secure server hosted in Australia within the Microsoft Azure infrastructure (the Server). Once the upload occurred, the facial image was deleted from the tablet.
  • the Service Provider processed the facial images  (the Detect API) by converting each facial image to an encrypted algorithmic representation of the face (faceprint) and assessed and recorded inferred information about the customer’s approximate age and gender;
  • the faceprint was then sent to another API (the Similarity API), along with all other faceprints generated by responses entered on the same tablet for the previous 20 hours;
  • these faceprints were compared to other faceprints to identify faceprints that were sufficiently similar.  The Facial Recognition Tool  directly linked individuals’ faceprints with survey responses, by using each faceprint as an ‘identifier’.  These processes enabled an individual depicted in a faceprint to be distinguished from other individuals whose faceprints were held on the Server [38].
  • the Similarity API looked for faceprints that were similar. If there was a high probability match, then the corresponding matched survey results were flagged;
  • the facial images were retained on the server for 7 days so that  the Service Provider could identify and correct any issues, and reprocess survey responses if necessary;
  • while there was no defined retention period for faceprints after 24 hours if there was any attempt to identify a match using the Similarity API that would come up as an error;
  • the faceprints and customers’ survey answers were stored in a dedicated encrypted database. All survey responses were timestamped and associated with the relevant store where the relevant tablet was located [6]

As at March 2021, approximately 1.6 million survey responses had been completed [7]
The ostensible reason for generating faceprints were to detect if the same person was leaving multiple responses to the survey within a 20 hour period on the same tablet. If they were, their responses may not have been genuine, and were excluded from the survey results. 7-Eleven said Read the rest of this entry »

Commonwealth releases Ransomware Action Plan

October 14, 2021

The Home Affairs Ministers, Karen Andrews, today released the Government’s Ransonware Action Plan.

It has been heralded as a new plan to protect Australia against ransomware.  Actually that is the title of the media release Read the rest of this entry »

Sceam Constructions Pty Ltd v Clyne [2021] VSCA 270 (27 September 2021): s 459G Corporations Act 2001, alleged genuine dispute, meaning of “supporting”, meaning of fairly alert, meaning of Graywinter principle.

October 6, 2021

Consideration of statutory demands is relatively infrequent by the appellate division of any Supreme Court in Australia.  So it is notable when the Victorian Court of Appeal, in Sceam Constructions Pty Ltd v Clyne [2021] VSCA 270, reviewed the operation of section 459G of the Corporations Act, the meaning of fair notice and what is meant by the Graywinter principle, which, apparently, is no longer a favoured term.

FACTS

The Clynes  engaged Sceam Construction Pty Ltd (‘Sceam’) to carry out renovation works at their home under the terms of a standard form ‘Simple Works Contract’.  The Clynes served a statutory demand under the Corporations Act 2001 (Cth) on Sceam for $109,514.23.  The debt is described as an Read the rest of this entry »

National Institute of Standards and Technology releases Machine Learning for Access Control Policy Verification NISTIR 8360

September 20, 2021

The National Institute of Standards and Technology (“NIST”) has released its report for Machine Learning for Access Control Policy Verification.  It is a very technical document but useful for those interested in machine learning.

A machine learning classification algorithm is particularly efficient for system model verification  because it does not require comprehensive or complex test cases or oracle, which are needed for  traditional model verification methods. Read the rest of this entry »

Are our intuitions about privacy consistent with this era’s law and technology. The dilema

September 17, 2021

In Psyche’s Our evolved intuitions about privacy aren’t made for this era the authors posit the theory that our evolved intuitions about privacy are out of sync with the modern era.  That does explain the significant tension and our mutually contradictory revulsion but also embrace of runaway technology which excel in surveilling our purchases, work, finances and much of our life. An intriguing quote is that ‘we have palaeolithic emotions; medieval institutions; and god-like technology’.

It is well Read the rest of this entry »

Threat report from Australian Cyber Security Centre, Data Breach notification report by Information Commissioner and report of 61 million records breached worldwide in August 2021 point to cyber attacks being a growing problem

September 16, 2021

A confluence of reports highlights the dismal state of security preparedness in Australia in particular and throughout the developed world generally.

It governance calculates that in August there were 84 cyber attacks which results in 60,865,828 records being breached.  Of that number T Mobile suffered a hack which affected 53 million records.

Yesterday the Australian Cyber Security Centre (ACSC) released its Annual threat report for 2020 – 2021 which reports that over 67,500 cyber crime reports were made in the last 12 months. And the ACSC acknowledges that the figure could, and probably is, higher.  Probably Read the rest of this entry »

Fairfax Media Publications Pty Ltd v Voller; Nationwide News Pty Limited v Voller; Australian News Channel Pty Ltd v Voller [2021] HCA 27 (8 September 2021): defamation, publication of comments on social media

September 12, 2021

The High Court in Fairfax Media Publications Pty Ltd v Voller; Nationwide News Pty Limited v Voller; Australian News Channel Pty Ltd v Voller [2021] HCA 27 with a 5:2 majority rejected an appeal by media outlets against a ruling that they were liable for comments to their articles on a Facebook page.

FACTS

The appellants each maintain a public Facebook page on terms of use agreed with Facebook which:

  • is used to share content and connect with Facebook users.
  • is publicly accessible to users, who are able to view and comment on content posted to that page [5].

The use of the Facebook pages usually involves:

  • the posting of a hyperlink to a news story,
  •  a headline,
  • a comment
  • an image.
  • readers being invited to:
    • “Like”,
    • “Comment”  which are made by users appear on the page and are available to be seen by all Facebook users who can see the page
    • “Share” the post [6]

 Facebook Page administrator

  • could:
    • prevent, or
    • block,

the posting of comments by third parties

  • could not block all posts on a public Facebook page  [7].
  • could delete comments after they were posted but this would not prevent publication
  • could “hide” most comments, through the application of a filter, which would prevent publication to all except the administrator which could then be assessed by an administrator [7]

The trial judge found the appellants were publishers.

DECISION

MAJORITY

KIEFEL CJ, KEANE AND GLEESON JJ

Their Honours, as did all judges in this decision, undertook a very comprehensive review Read the rest of this entry »

South Australia uses facial recognition and geolocation data for quarantine checks.

September 7, 2021

The adjective “Orwellian” is both overused and misused.  It is often tagged onto a complaint which does not describe a situation, idea, or societal condition that George Orwell identified as being destructive to the welfare of a free and open society. It is commonly used by someone to label an argument or, often government, proposal which he or she finds disagreeable.  Unfortunately the South Australian Governments use of an app to geo locate and have facial recognition is for those in quarantine is Orwellian. And how this trial became reality demonstrates the dismal state of policy development and exclusion of any input from the community. 

It is relevant to note that South Australia has no Privacy Act.  There is no regulator to deal with privacy breaches, of which this app has the potential for many.  It is a dismal failure of public policy and panic over prudence.  That there has been no outcry from the polity within Australia is a poor reflection on the state of debate here.  The Civil Society’s response has been inconsistent but largely ineffectual.  The New South Wales Council for Civil Liberties has criticised it on the basis that safeguards are not in place (SA facial recognition app trial should not go ahead without safeguards). It is a weak response that accepts that “..it was possible for facial verification to be conducted safely and appropriately, with the right safeguards.”  Really!  There is more than a few well regarded privacy and other experts who wouldn’t even accept that proposition.  It is a weak and unimpressive Read the rest of this entry »

Ben Stokes privacy action results in apology by the UK Sun and an apology

August 30, 2021

On 17 September 2019 the Sun published a story about the murder suicide of Ben Stokes mother’s ex husband 31 years previously in New Zealand.  The story is no longer available on line.  The murder was of his mother’s two children. This tragic event occurred before Ben Stokes, a prominent English cricketer, was born.  At the time Ben Stokes reacted furiously to the story describing it as disgusting and immoral.  The Guardian ran a detailed piece with Ben Stokes attacks ‘despicable’ Sun story about family tragedy.  The next month Ben Stokes and his mother, Deborah, issued proceeding in the UK Court of Chancery.  The Particulars of Claim was served on 22 January 2020 with the Defence filed on 16 April 2020. 

The nub of the defence was that, first, the story about the murders were covered by the New Zealand media and, secondly, the Sun obtained an on the record interview with the family and had approached Ben Stokes for comment.

At the time, and subsequently, there was a lively debate about whether the report was one of free expression and/or a legitimate story to report versus privacy.  On 18 September 2019 the independent came out in support of the Sun.  At the time the Conversation in Ben Stokes v The Sun: gross intrusion or simple reportage? How media privacy law works highlighted some of the issues, such whether a privacy claim can be brought when the information is in the public domain, and whether a claim can be made by a person when it relates to inter related parties. 

There was no trial on the merits.  The Sun and Stokes settled on favourable terms to Stokes. The Stokes’ solicitors released a statement confirming Read the rest of this entry »