Tag: data security

1
Critical Vulnerability: Vulnerability in Widely Used Open Source Software is Discovered
2
New GDPR Guidelines on Data Transfers
3
And it’s here! China’s new privacy laws come into effect
4
Another attack on critical infrastructure – New York’s subway hacked
5
City of Oldsmar, Florida narrowly avoids ‘hot water’ in remote cyberattack on its infrastructure
6
A Home Affair: Department of Home Affairs ordered to compensate Asylum Seekers following inadvertent disclosure
7
First reported death connected to misfired ransomware attack on German hospital
8
Can It Get Any Worse? Travel Giant CWT pays $4.5 Million USD ransom to Hackers who Stole Corporate Files and Knocked 30,000 Computers Offline
9
“This is a public health app, it’s not a surveillance app”: Review finds “nothing particularly disturbing” about the Federal Government’s coronavirus tracing app
10
Zooming In: “Zoom’s” Significant Privacy and Data Security Risks brought to Light Again (and Again)

Critical Vulnerability: Vulnerability in Widely Used Open Source Software is Discovered

By Cameron Abbott, Rob Pulham, Max Evans and Ella Krygier

A critical security vulnerability has been discovered in Apache Log4j, an open-source logging library used by many popular Java applications to provide logging functionality for troubleshooting purposes, according to the Australian Cyber Security Centre (ACSC).

The software’s vulnerability, known as Log4Shell, allows for remote code execution, which, if left unfixed, could allow cybercriminals to take control of IT systems, steal personal data, passwords and files, and install backdoors for future access, simply by adding an additional line of arbitrary code. According to the ACSC, malicious cyber actors have used this vulnerability to target and compromise IT systems globally and in Australia, which led the ACSC to publish advice on mitigation and detection recommendations.

Read More

New GDPR Guidelines on Data Transfers

Claude-Étienne Armingaud, Camille Scarparo and Bastien Pujol

On 19 November 2021, the European Data Protection Board (“EDPB”) adopted new guidelines on the interplay between Article 3 GDPR (territorial scope) and Chapter V GDPR (transfer of personal data to third countries or international organization) of the General Data Protection Regulation (“GDPR”).

Those draft Guidelines aim at clarifying the mechanism of international transfers and more specifically provide a necessary assistance to controllers and processors in the European Union (“EU”) or otherwise subject to GDPR, including guidance on when a data importer would be subject to GDPR and an interpretation of the concept of international transfer.

In order to characterize a processing as a “transfer”, the EDPB relied on the three following cumulative criteria:

  1. The data exporter (a controller or processor) is subject to the GDPR for the given processing;
    • As a reminder, while GDPR generally applies to all entities processing personal data and established in the EU, it can also have an extra territorial reach for certain processing operations consisting in (i) offering products or services to individuals in the EU (e.g. ecommerce and apps) or (ii) monitoring of EU individuals’ behavior taking place in the EU (e.g. cookies and other tracking technologies).
  2. The data exporter transmits or makes available the personal data to the data importer (another controller, joint-controller or processor); and
    • In that regard, the mere remote access to the data would still qualify as a “data transfer” and it remains to be hopefully clarified in the final Guidelines whether the sharing of personal data among joint-controllers (both subject to GDPR from the inception of the processing operations) would in and of itself be considered as a data transfer.
  3. The data importer is in a third-country or is an international organization.

In addition, a processing that meets these three criteria will be considered a transfer when the importer is established in a third-country and subject to the GDPR following provisions of article 3.2 GDPR. The EDPB considered that when the controller located in a third-country is already subject to GDPR, “less protection/safeguards are needed”. Nevertheless, conflicting national laws, government access in the third-country as well as the difficulty to enforce and obtain redress against an entity outside the EU should be addressed when developing relevant transfer tools.

The EDPB specified that personal data directly collected from the data subjects, at their own initiative, should not to be considered as a transfer.

An online public consultation is opened on the matter until 31 January 2022.

And it’s here! China’s new privacy laws come into effect

By Cameron Abbott, Rob Pulham and Ella Richards

On 1 November 2021 the People’s Republic of China (PRC) effected the Personal Information Protection Law (PIPL).

The PIPL joins existing Cybersecurity Law and Data Security Law to broaden privacy obligations within the PRC. This comprehensive legislation governs the treatment of personal information within the PRC and strengthens the existing data localisation requirements.

Our colleagues have summarised the PIPL Draft Bill here and prepared advice on the collection of employee’s personal information under the PIPL here.         

Another attack on critical infrastructure – New York’s subway hacked

By Cameron AbbottRob Pulham and Jacqueline Patishman

In April, New York’s subway authority was hacked by a group of cybercriminals with suspected Chinese government connections. The authority is responsible for operating all of New York’s train and bus systems and the attack exposed vulnerabilities in the services used by millions every day.

Read More

City of Oldsmar, Florida narrowly avoids ‘hot water’ in remote cyberattack on its infrastructure

By Cameron AbbottRob Pulham and Jacqueline Patishman

News reports have surfaced reporting that a hacker in the US gained access to the Oldsmar’s water treatment plant system in an attempt to release a corrosive chemical into the Oldsmar’s water supply.

Read More

A Home Affair: Department of Home Affairs ordered to compensate Asylum Seekers following inadvertent disclosure

By Cameron Abbott, Warwick Andersen, Michelle Aggromito and Max Evans

As a result of a recent class action, the Department of Home Affairs has been ordered by the Australian Information Commissioner, Angelene Falk, to pay compensation to asylum seekers after the Department was found to have interfered with the privacy of 9,251 detainees.

According to a media release from the Office of the Australian Information Commissioner (OAIC) , the relevant breach stemmed from February 2014, where the Department published on its website a “Detention Report”, which had embedded within it a Microsoft Excel spreadsheet containing the personal information (including full names, date of birth and period of immigration detention) of 9,258 individuals who were in immigration detention at that time.

Read More

First reported death connected to misfired ransomware attack on German hospital

By Cameron Abbott and Keely O’Dowd

News reports have surfaced that a woman in Germany has died due to a delay in receiving medical care. What is most concerning about this death is the circumstances in which the woman tragically passed away.

According to reports, the woman needed urgent medical treatment and the hospital she presented to, Duesseldorf University Hospital, was unable to admit her as it was dealing with a ransomware attack.

The hackers exploited a vulnerability in a widely used commercial add-on software. This attack caused a failure in the hospital’s IT systems resulting in it being unable to access data and diverting emergency patients elsewhere. The woman was redirected to a hospital approximately 30km away from Duesseldorf University Hospital, which led to a delay in the woman receiving treatment. Unfortunately the delay proved fatal and the women passed away before she could be treated.

Read More

Can It Get Any Worse? Travel Giant CWT pays $4.5 Million USD ransom to Hackers who Stole Corporate Files and Knocked 30,000 Computers Offline

By Cameron Abbott and Max Evans

In these unprecedented times, where travel around the globe is primarily halted as nations get to grips with controlling the outbreak of COVID-19, many would think it couldn’t get any worse for travel companies. However, they would be wrong, as according to an article from ITNews, American travel management giant CWT has reportedly paid a whopping 414 bitcoin, equivalent to a value of 4.5 Million USD (approximately 6.3 Million AUD), to hackers who successfully exfiltrated over 2 terabytes of sensitive corporate files.

According to the Article, the successful hackers used a strain of ransomware referred to as “Ragnar Locker” which places computer files into a virtual prison through encryption and renders them unusable until the victim pays for the keys. Then in CWT had to negotiate in a public chat forum to pay for the release.  It gives us a rare insight into the dialogue that followed. CWT negotiated the hackers down from their initial demand of 10 Million USD. According to the Report, whilst the hackers claimed to have stolen over 2 terabytes of files including financial reports, security documents and employees’ personal data, it was not clear whether any customer data was compromised.

Read More

“This is a public health app, it’s not a surveillance app”: Review finds “nothing particularly disturbing” about the Federal Government’s coronavirus tracing app

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

The Federal Government’s coronavirus tracing app has raised some privacy concerns amongst the Australian public. Even some of our government Ministers have ruled out downloading the app due to such concerns! However, the independent cyber security body tasked with reviewing the app has said that it has found no major concerns with it.

Read More

Zooming In: “Zoom’s” Significant Privacy and Data Security Risks brought to Light Again (and Again)

By Cameron Abbott, Warwick Andersen, Rob Pulham, Allison Wallace and Max Evans

It hasn’t even been 10 days since our previous Blog on Zoom, which highlighted a number of privacy and data security issues prevalent in the use of the popular telecommunications software, and already further privacy issues have been alleged. Let’s put these allegations under the magnifying glass:

Disclosure to Facebook: Even If You don’t have an Account

Firstly, Vice reports that the iOS version of the Zoom app transfers analytics data to Facebook, even if Zoom users don’t have a Facebook account, without disclosing as such in its Privacy Policy.

Read More

Copyright © 2022, K&L Gates LLP. All Rights Reserved.