Cyber Law Watch – Page 38 – Insight on how cyber risk is being mitigated and managed across the globe

UK telecoms company handed record fine for data breach

Oct 10 2016

By Cameron Abbott and Rebecca Murray

Major UK telecoms company, TalkTalk has been fined £400,000 for failing to adequately safeguard personal data when they were hacked in October 2015. The Information Commissioner’s Office’s (ICO) investigation revealed that hackers obtained the details of 156,959 customers, including names, addresses, birthdates, phone numbers and email addresses. In over 15,000 cases, hackers even gained access to bank account details and sort codes. The cyber-attack triggered the launch of a committee inquiry into protection of personal data online. You can read the inquiry report here.

After in depth investigation, the ICO found that TalkTalk’s failure to implement even the most basic cyber security measures allowed hackers to easily penetrate its systems causing substantial damage and distress to its customers. See how the investigation unfolded here and read the ICO’s penalty notice here. The ICO identified TalkTalk’s principal errors as failing to actively monitor its own activities and allowing vulnerabilities to go unnoticed, failing to update its database to protect from bugs, failing to respond to two previous attacks on the same webpages and failing to fix a bug in the software for which a fix was readily available.

It would seem regulators are losing patience with organizations that don’t take their security obligations seriously.

ABS blames IBM for Census fail in damning report

Sep 26 2016

By Cameron Abbott and Rebecca Murray

The Australian Bureau of Statistics (ABS) has blamed the 2016 Census website failure on IBM in a damning Senate inquiry submission. ABS chief statistician David Kalisch said the infrastructure offered by IBM did not adequately prepare for “not unusual” and “anticipated” denial of service attacks on Census night, which ultimately caused the site to be taken down for security reasons. You can read the submission, which was made available online by The Guardian here.

Volkswagen, Israeli experts to establish automotive cybersecurity company

Sep 16 2016

By Cameron Abbott and Rebecca Murray

The increasing connectivity of modern cars has enhanced the modern driving experience beyond what we could imagine only a few decades ago. However, with increasing connectivity comes an increasing risk. Features such as autonomous and intelligent parking and driving systems have increased the number of interfaces in vehicles and therefore the risk of malicious attack. To demonstrate how easily vehicles can be targeted, last year, two hackers developed a tool that can hijack a Jeep remotely over the internet. You can watch the remote hacking of the Jeep featured by WIRED here.

In response to this growing threat, Volkswagen along with three Israeli experts and their team are jointly establishing an automotive cyber security company. The newly founded CYMOTIVE Technologies will develop advanced cyber security for next generation connected cars. CYMOTIVE has announced that it aims to take an innovative and strategic approach to the significant technological challenges that will face the connected car and the development of the autonomous car in the future.

Have I been pwned?

Sep 13 2016

By Cameron Abbott and Rebecca Murray

Information security blog {ride the lightning} has featured Troy Hunt’s “Have I been pwned” website which identifies whether your online account has ever been compromised in a data breach when you enter your account’s login ID.

Troy Hunt describes himself on his website as a Microsoft Regional Director, a Microsoft Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight. While we don’t know much about his site, it is reported to be safe and provides a very handy tool to determine if you have been unknowingly hacked. Of course, even if the site is legitimate, who is to say it won’t be breached? It’s just that it’s so useful.

See if you have been pwned here…and yes…we both have been.

Bitcoin operators exposed to cyber threats

Sep 01 2016

By Cameron Abbott and Rebecca Murray

Reuters has reported that a third of bitcoin trading platforms have been hacked, and nearly half have closed since they entered the scene 6 years ago. This increasing risk for bitcoin holders is compounded by the fact there is no depositor’s insurance to absorb the loss. That approach heightens cybersecurity risks and also exposes the fact that bitcoin investors have little choice but to do business with under-capitalized exchanges.

This issue was evident when Bitfinex was hacked earlier this month and an estimated $70 million in bitcoin was stolen. The virtual bank’s customers were forced to share the losses resulting in a generalized loss percentage of 36.067%. Read our blog post on this hacking here.

Experts say trading venues acting like banks such as Bitfinex will remain vulnerable. These exchanges act as custodial wallets in which they control users’ digital currencies like banks control customer deposits. However, unlike their brick-and-mortar counterparts, when customers’ bitcoin accounts are hacked, there is currently no third party that can step in to deal with the theft. As a result, these underfunded exchanges require nearly perfect security.

Given this it is not surprising that certain governments around the world are exploring the possibility of central bank issued digital currencies using distributed ledger technology which could compete with the private digital currency systems such as bitcoin. Read more on this here.

Ashley Madison data breach joint findings released

Sep 01 2016

By Cameron Abbott and Rebecca Murray

The Australian Privacy Commissioner, Timothy Pilgrim and The Privacy Commissioner of Canada, Daniel Therrien have released a joint report on the data breach of cheating website Ashley Madison which affected approximately 36 million Ashley Madison user accounts last year. Read our post on the breach here.

Controversially, despite the company not having a physical presence in Australia, the Commissioners found that Ashley Madison’s parent company Avid Life Media (ALM) was regulated as an “APP entity” due to the fact that it carried on business and collected personal information in Australia. This finding was based on the fact that ALM conducted marketing in Australia, targeted Australian residents for its services and collected the personal information of Australians.

ALM agreed to a number of enforceable undertakings to the Commissioner. Amongst other things, ALM has undertaken to augment its security framework, provide extensive security training for staff and cease its practice of retaining the information of users with deleted, deactivated or inactive accounts. Consistent with the trend in undertakings it requires independent verification of certain compliance steps. Find the undertakings here.

It also seeks to address the accuracy of the records, which is a challenge for a cheating website. Letting someone sign up using for example Tony Blair’s email address captured the attention of the regulators. They focused on the interests under Privacy laws of those whose email addresses were falsely added to the sign up. A confirming email with an option to opt out was not considered an adequate measure.

Lawyers potential rich targets for hackers

Aug 30 2016

By Cameron Abbott and Rebecca Murray

As the threat of cybercrime and cyber espionage continues to grow globally, the Law Council of Australia has announced that it will launch a national cyber security information campaign for the legal profession this year. Read the Law Council’s media release here.

The Law Council has been working in partnership with the legal profession, cyber security experts, and government to formulate the information initiative since it nominated cyber security as a key priority at the beginning of the year. Launch of the campaign is expected by the end of 2016.

The president of the Law Council, Stuart Clark, says cyber security is a ‘major problem’ for law firms and the government has an important role to play in raising awareness and providing information about the technology involved. We say, we like teasing large global companies about their security failings … as long as it’s not ours!!

Government committed to introducing Mandatory Data Breach Notification laws

Aug 22 2016

By Cameron Abbott and Rebecca Murray

After much delay, a spokesperson for Attorney-General, George Brandis has said the government is committed to introducing the Mandatory Data Breach Notification laws this year. We will be sure to look out for it during the next term of Parliament. You can find more information on the proposed scheme and its regulatory impact on the Attorney General’s Department consultation for Serious Data Breach Notification webpage.

Oracle’s Point-of-Sale division targeted by professional hackers

Aug 17 2016

By Cameron Abbott and Rebecca Murray

Oracle confirmed last week that its security was breached by a Russian organized cybercrime group infamous for hacking retailers and banks. Alarmingly, Oracle’s MICROS point-of-sale credit card payment system was one of the systems targeted in the attack. While the impact of the breach is still being investigated, the attack could have had wide impact. MICROS is one of the top three point-of-sale vendors worldwide and sells point-of-sale systems used at more than 330,000 cash registers globally.

It has been reported that Oracle became aware of the breach after its staff discovered malicious code on the MICROS customer support portal and systems. It is thought that the hackers installed malware on the troubleshooting portal in order to capture customers’ credentials as they logged in. Usernames and passwords could then be used to access customer accounts and remotely control MICROS point-of-sales terminals.

The attack has been linked to crime gang, Carbanak Gang, which has been accused of stealing more than $1 Billion from banks and retailers in the past. These guys clearly know what they are doing.

Sour Apple blasts the Banks for application to ACCC

Aug 10 2016

By Cameron Abbott and Rebecca Murray

Last month we reported that three of Australia’s largest banks had collectively launched an application to the ACCC seeking permission to negotiate with Apple Inc. to install their own electronic payment applications on iPhones.

Apple has submitted a scathing response to the ACCC, warning that allowing the banks to negotiate will compromise the iPhone handset’s security, reduce innovation and blunt Apple’s entry into the payments market in Australia. Read Apple’s submission to the ACCC here.

Apple expressed particular concern about security risks, claiming that providing simple access to NFC antenna by banking applications would fundamentally diminish the high level of security of Apple devices. This concern is not unwarranted as it was recently revealed that hackers have found ways to intercept contactless mobile payments in Samsung’s latest Galaxy smartphones. While Samsung refuted this in a recent blog post, an attached Samsung FAQ revealed that it is possible for an attacker to skim a smartphone’s payment token and make fraudulent purchases.