The data breach that affected 9.8 million Australians and resulted in the personal information of 10,000 Optus customers being exposed on the dark web in September last year will be litigated in a class action lawsuit filed last Friday (21 April) in the Federal Court of Australia.Read More
Shortly after the Government announced their ambition to make Australia a global leader in cyber security, Australia has been named the country with “the greatest progress and commitment toward creating a cyber defence environment” in MIT’s Cyber Defence Index of 2022/23.
However, the Office of the Australian Information Commissioner’s latest notifiable data breaches report paints a different picture. The Commissioner reported a 26% increase in the number of total reported data breaches and a 41% increase in the number of reported data breaches arising from malicious or criminal attacks compared with the first half of 2022. Health service providers and the finance sector were the worst hit, together representing almost a third of reported data breaches.
In releasing the report, the Commissioner once again stressed the need for organisations to collect only the minimum amount of personal information required and deleting it when it is no longer needed. In the report the Commissioner has recommended a number of steps to address the kinds of issues featured in the second half of 2022, including:Read More
Not content with merely implementing broad-scale privacy reform, the Government has announced a new position, the Coordinator for Cyber Security to be added to the Department of Home Affairs as a step towards their aim of “making Australia the most cyber secure nation by 2030“. This would seem to be a rather aspirational target!
The Coordinator will be supported by a National Office for Cyber Security, and their role will be to oversee steps to prevent future cyber security incidents and to help manage cyber incidents as they occur.Read More
Over the past two years, the Privacy Act has been the subject of long-awaited reform in Australia however, it seems the Optus data breach may have given it some much needed momentum.
The Optus attack is understood to have affected the details of 11.2m Optus customers, and of that 2.8m individuals have had their driver’s licence and/or passport numbers compromised. The hacker claims to have extracted the data from an API – software that allows two different systems to talk to each other. Therefore, if the claim is true the hacker didn’t need to provide authentication (e.g. a username and password) to retrieve the data.
In the wake of the attack, the Government has shared its plans to pursue substantial reforms that will include increased penalties under the Privacy Act (currently capped at $2.22m per offence) as well as changes to data breach notification laws to allow companies to rapidly inform financial institutions of affected individuals in an effort to minimise fraud.
The data breach also highlights the risks involved in collecting large amounts of personal information and storing this for excessive time periods. While the Privacy Act promotes the collection of a minimum amount of personal information, i.e. only that information that is necessary for a particular purpose and which the entity intends to use or disclose – individuals generally have limited control over how long their information is retained for.
During the initial stages of the Privacy Act review, the Attorney General’s Department sought submissions from entities on their views as to whether individuals should be given the right to have their personal information erased. Optus in submissions to the review argued against such a change stating that the right to erase personal data would involve significant technical hurdles and compliance costs that would outweigh the benefits. Of course this incident has happened just as stores are gearing up for Halloween – a fitting time for those public submissions to come back to haunt them.
By Cameron Abbott and Hugo Chow
A recent report by cybersecurity firm, Internet 2.0, has raised concerns about the Chinese Communist Party’s ability to access the data of millions of users around the world of social media and payment application, WeChat.
WeChat is significant as it is the application that nearly all citizens in China use on a daily basis for communication, payments for services and as a way for citizens to connect through social media. Although the majority of WeChat’s more than 1 billion users are located in China, there are approximately 600,000 users in Australia, 1.3 million users in the UK, and 1.5 million users in the United States.
One of the concerns the report outlines is that although WeChat states that its servers are kept outside mainland China, all user data that WeChat logs and posts to its logging server goes directly to Hong Kong. And the report argues that under Hong Kong’s new National Security Legislation, there is little difference between Hong Kong resident servers and servers in mainland China.
As a result, due to China’s National Intelligence Law which requires organisations and citizens to “support, assist and cooperate with the state intelligence work”, there are concerns that the WeChat logging data that goes to servers in Hong Kong may be accessed by the Chinese Government upon request. The report states that the data that goes to Hong Kong is log data, which includes the user’s mobile network, device information, GPS information, phone ID, the version of the operating system of the device, but does not include information such as content of a conversation.
Another concern the report outlines is that although there was no evidence that chats were stored outside the user’s device, the report found that WeChat had the potential to access all the data in a user’s clipboard. This means that there is the potential for WeChat to access the data that is copied and pasted by users on WeChat, which is a risk to people using password managers that rely on the clipboard feature to copy and paste their passwords.
We expect to hear more about these sorts of concerns from a range of jurisdictions.
Intelligence experts KELA recently announced that almost 500,000 customer records of different car suppliers were being offered for sale on the dark web by hacking group “KelvinSecurity Team”.
According to reports, almost 400,000 UK based BMW customers’ data is being sold on the online black market. This data includes the initials and surnames of car owners, home addresses, email addresses, the names of dealerships and car-registration information. The data of Mercedes, SEAT, Honda and Hyundai car owners also form part of the compromised customer records.Read More
We are living in an era of online shopping, where consumers are more willing to hand over personal information for goods and services, and are less suspicious of whom they are divulging their personal information to. As a result, online businesses are in possession of a vast amount of their customers’ personal information. The recent hack of Sneaker Platform Stock-X reminds us yet again of the importance of businesses maintaining comprehensive and up to date security processes, and in particular, the necessity of having an adequate data breach response plan in place.
Stock-X, a platform for the re-sale of sneakers and apparel, was recently hacked, exposing over six million users’ personal data, including their real name, username, password, shoe size and trading currency. According to a Report by TechCrunch, Stock-X’s initial response was to reset customer passwords, stating that it was due to system updates. A spokesperson for Stock-X later disclosed to TechCruch that Stock-X was alerted to “suspicious activity”. TechCrunch reports; however, an unnamed data breach seller had contacted it claiming more than 6.8 million records were stolen from Stock-X in May, and that the records had been put up for sale and sold on the dark web for $300.Read More
By Cameron Abbott and Wendy Mansell
Fifty countries including Japan, Canada and many EU nations have come together with over 150 tech companies, pledging to fight against cybercrime. United State’s tech giants such as Facebook, Google and Microsoft have also joined the party.
The United States, Russia and China however have decided not to sign on. Each has no doubt very different reasons for this – the disappointment is mostly directed to the US. However it is a shame that Russia and China did not also feel the weight of the international community pressure to accept these principles.
The effort to combat cybercrime is being led by France, with French President Emmanuel Macron claiming that it is urgent that the internet is better regulated.
The countries and companies involved are fighting against illegal online activity like censorship, cyber interference in elections, hate speech and trade secrets theft.
The pledge has been made in a document titled the “Paris call for trust and security in cyberspace”.
By Cameron Abbott and Colette Légeret
The UK’s banking watchdog, the Financial Conduct Authority (FCA), has fined Tesco Bank, the banking arm of UK supermarket chain Tesco, £16.4 million (approximately AU$29.5 million) for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack that occurred in 2016.
This cyber-attack affected thousands of account holders and netted the cyber-criminals £2.26 million (approximately AU$4.07 million) in 48 hours. It was described, at the time, as an unprecedented assault against a UK regulated bank.