customer data – Page 4 – Cyber Law Watch

Update everything: Discovery of Wi-Fi flaw in connected devices

Oct 19 2017

By Cameron Abbott, Rob Pulham and Olivia Coburn

A Belgian researcher has discovered a weakness in WPA-2, the security protocol used in the majority of routers and devices including computers, mobile phones and connected household appliances, to secure internet and wireless network connections.

The researcher, Mathy Vanhoef, has named the flaw KRACK, for Key Reinstallation Attack.

Any device that supports Wi-Fi is likely to be affected by KRACK, albeit devices will have different levels of vulnerability depending on their operating systems. Linux and Android are believed to be more susceptible than Windows and iOS, and devices running Android 6.0 are reportedly particularly vulnerable.

SEC wants to collect more information – but can they protect it?

Oct 02 2017

By Cameron Abbott and Olivia Coburn

The United States Securities and Exchange Commission (SEC) is facing scrutiny on its handling of a data breach that occurred in 2016 – but was only publicly disclosed on 20 September 2017.

Hackers accessed information on corporate filings intended for investors, which would be used for insider trading.

Deloitte hack: Big four cyber-security advisor takes a hit

Sep 28 2017

By Cameron Abbott and Olivia Coburn

“Big four” accounting and consulting firm Deloitte revealed on Monday that it was targeted by a hack that exposed its email system and client records.

Although Deloitte has not yet provided details on the full extent of the breach, it confirmed that the information accessed includes confidential emails and plans of some of its blue-chip clients. It also said that “very few” clients were affected.

Equifax data breach: 143 million records exposed but senior executives not told immediately?

Sep 12 2017

By Cameron Abbott and Olivia Coburn

Equifax has joined Yahoo on the podium for the award no one wants: suffering one of the largest data breaches in history.

Equifax, one of the three largest US credit reporting agencies, announced last week that it suffered a cybersecurity incident potentially impacting 143 million US consumers – a figure comprising of roughly 55 per cent of Americans aged 18 years or older. Some UK and Canadian residents are also affected.

Security incidents high, confidence to manage them low. Really? We did see this coming – why aren’t we better prepared?

Aug 31 2017

By Cameron Abbott and Olivia Coburn

RiskIQ, a US-based cyber security company, has reported that 40% of businesses surveyed in the US and the UK have experienced 5 or more significant security incidents in the past 12 months. Significant incidents include malware, targeted attacks, mobile exposures, rogue mobile apps, website or brand abuse, phishing and social impersonation.

RiskIQ, through IDG Connect, also surveyed the confidence of corporate decision-makers in their ability to handle and mitigate cyber threats. Their report, 2017 State of Enterprise Digital Defense Report, reveals that nearly two-thirds of respondents had no to modest confidence in their ability to manage digital threats.

Gartner: Worldwide spending on information security to reach $93 billion in 2018

Aug 24 2017

By Cameron Abbott and Olivia Coburn

Global spending on information security products and services will reach $86.4 billion this year, according to US-based technology research and advisory firm Gartner, Inc.

This figure is an increase of 7 per cent over 2016, and is expected to grow to $93 billion in 2018.

Privacy Commissioner investigates alleged sale of telco customer information

Nov 21 2016

By Cameron Abbott and Allison Wallace

Australia’s Information and Privacy Commissioner Timothy Pilgrim is making enquiries into allegations that the personal information of customers of three Australian telcos is being sold online.

Fairfax uncovered an alleged rort involving ‘corrupt insiders’ at the offshore call centres of Telstra, Optus and Vodafone, which has allegedly seen details including customers’ addresses, dates of birth and billing statements leaked to at least one private company in India, which is then allegedly selling the information for up to $1000.

Commissioner Pilgrim has said in a statement that he is working to determine what further action may need to be taken.

All three telcos have also released statements, reiterating that they take the privacy of their customers seriously. Vodafone and Optus have met with the AFP, which has now passed the matter on to Indian authorities.

Apple sends passionate message to customers following court order to hack iPhone

Feb 18 2016

By Cameron Abbott and Meg Aitken

A US District Court has ordered Apple to assist US law enforcement agents to bypass the security features, disable the auto-erase function and ultimately access the data contained within an iPhone 5C that was used by one of the San Bernardino shooters, Syed Rizwan Farook.

Apple’s CEO Tim Cook responded to the order with an open letter to customers discussing the privacy and security implications of the order and calling for public discussion on the issue.

Read Apple’s Customer Letter here.

Access the Court Order here.

Hold the phone…is “metadata” personal information? Who knows?

Feb 12 2016

By Cameron Abbott, Simon McDonald and Meg Aitken

The ongoing debate surrounding what “metadata” actually is, and how it should be characterised under privacy laws has once again resurfaced. This time, the Federal Court will have a chance to decide on the issue, following a decision by the Privacy Commissioner to appeal a finding that denied a journalist access to metadata on the basis that it was not personal information.

Way back in 2013, a then technology journalist for Fairfax, Ben Grubb, asked Telstra to provide him with metadata and other information held by it in relation to his mobile phone on the basis that it constituted ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act) and he was therefore entitled to it.

Telstra did provide some information to Mr Grubb (including his outgoing call records, bills and the customer details they had stored for him), however it submitted that the “metadata” produced from his mobile phone use on Telstra’s network was not personal information, as it was not linked to him in a way that made his identity apparent or reasonably ascertainable.

Unsatisfied with this answer, Mr Grubb lodged a complaint with the Privacy Commissioner. In May 2015, the Commissioner held that Telstra ‘cross-matched’ data across its mobile network in such a way that it was possible to determine a customer’s identity and that Telstra was therefore in breach on NPP 6.1 (as it then was) by refusing to provide Mr Grubb with access to his personal information.

Telstra appealed to the Administrative Appeals Tribunal of Australia (AATA). Taking a strangely narrow approach to the issue, Deputy President Forgie ruled that the mobile network data was not personal information for the purpose of the Privacy Act. Instead, she said that the metadata was actually information about the service provided by Telstra and the delivery of that service, rather than about Mr Grubb and his mobile phone use. On that basis, Telstra was not obliged to provide Mr Grubb with access to the information, despite it being generated directly from his use of Telstra’s services.

Seem contrary to the deliberately broad concept of personal information that is designed to protect individuals? We agree, and so does the Privacy Commissioner. ‘Stay on the line’ to see how the Federal Court approaches the issue.

Access the determination and reasons for determination of Privacy Commissioner Timothy Pilgrim in Ben Grubb and Telstra Corporation Limited [2015] AICmr 35 (1 May 2015) here.

Access the AATA decision of Deputy President S A Forgie in Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991 (18 December 2015) here.

Access the Office of the Australian Information Commissioner’s Press Release here.

Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy

Nov 30 2015

By Cameron Abbott and Meg Aitken

While the festive season approaches and retailers prepare for their busiest time of the year, a sophisticated form of point-of-sale malware, known as ‘ModPOS’, has reared its ugly head and is targeting payment terminals in the U.S.

It is estimated that the first ModPOS data hacks occurred in 2013 and that millions of credit and debit cards used at a broad variety of U.S. retailers have since been compromised. The unique complexity of the code, which experts say has never been seen before in malware, made it tricky to decipher.

Cyber security experts have warned that ModPOS has the ability to not only “scrape” credit and debit card numbers from the memory of point-of-sale terminals, but that the multifaceted code also records keystrokes of computer operators and transmits stolen data. If that isn’t enough, the malware is particularly difficult to detect and is reportedly capable of infiltrating despite security software and data controls.

More details about ModPOS malware can be found here.

Tag:customer data