Breaches – Page 18 – Cyber Law Watch

Australian Government releases Cyber Security Strategy

Apr 29 2016

Cybersecurity appears to be a new popular expenditure, particularly in Australia, as Malcom Turnbull announces his government’s new Cyber Security Strategy initiative budgeted to cost $230 million over 4 years in addition to the $400 million allocated in the 2016 Defence White Paper over 10 years.

So what do we get for all that money? The government has announced their 5 themes of action over the next 4 years which includes:

a national cyber partnership;
strong cyber defences;
global responsibility and influence;
growth and innovation; and
a cyber smart nation.

This will include the funding to establish a Cyber Security Growth Centre through a National Innovation and Science Agenda. The Growth Centre is intended to serve as an innovation hub which will identify and prioritise cybersecurity challenges and identify opportunities for Australia to build globally competitive commercial solutions.

Cybersecurity is grabbing global attention and the Turnbull government has appointment their first Cyber Ambassador. The role of the Cyber Ambassador will be to identify opportunities for practical international cooperation and ensure Australia is situated to take advantage of new commercial opportunities.

Small businesses are often left exposed to hackers due to a lack of resources allocated to cybersecurity and, are targeted for their potential provide a back door to other companies, are often targeted. Turnbull’s no business left behind strategy sees small businesses being allocated $15 million in grants to have their systems tested and improved by The Council of Registered Ethical Security Testers (CREST).

For further information access the government’s plan here.

Privacy Commissioner releases a Guide to deal with data breaches

Apr 19 2016

By Cameron Abbott, Rob Pulham and Simon Ly

On 11 April 2016, the Privacy Commissioner released a guide to deal with issues associated with data breaches. This is aimed at entities regulated by the Privacy Act 1988 (Cth) in order to assist them with complying with the Australian Privacy Principles.

When (and it is likely to be a matter of when and not if) your entity is subject to a data breach, whether it be through your system being hacked or if devices are lost or stolen, it is important that you are equipped to deal with it. It is important to get in front of such problems and have pre-prepared action plans given that it is likely that the first 24 hours will be the most crucial in determining your level of success in dealing with a data breach. Data breaches can be expensive, both in a monetary and reputational sense.

In the guide, the Privacy Commissioner highlighted that a written data breach response plan is an important tool to help deal with such issues. Such a plan should include:

actions to be taken if a breach is suspected, discovered or reported by a staff member, including escalation measures;
the members of the data breach response team; and
the actions the team are expected to take.

Such a plan needs to be regularly reviewed and updated, with all relevant staff kept up to date so that they know what actions they are expected to take.

The Privacy Commissioner suggests the following four steps to be taken when a data breach is discovered:

contain the breach and do a preliminary assessment;
evaluate the risks associated with the breach;
develop a plan for notifying affected individuals and consider what information should be in any notification; and
determine steps to be taken to prevent future breaches.

For more information, please feel free to contact us. You can find out more information on practical steps you can take here.

Bangladesh Bank considers legal action against the NY Fed in Hollywood-esque hack

Mar 31 2016

By Cameron Abbott and Simon Ly

In a story that would make an excellent plot to a sequel to Ocean’s 13, the Federal Reserve Bank of New York has been the target of a successful major cyber hack. Part of the targeted attack was an attempt to steal nearly $1 billion from Bangladesh Bank’s account.

If anyone would be well protected it would be the NY Fed, right? Well, while they were able to block some 30 transactions, 5 were successful, resulting in $81 million being stolen from Bangladesh Bank’s account.

The NY Fed has released a statement outlining that its systems were not breached, but instead pointing to SWIFT, a member-owned cooperative relied upon by banks to authenticate international monetary transactions. In response, a SWIFT representative stated that it “reiterates that the SWIFT network itself was not breached”. For its part, the NY Fed agreed that it “viewed this as a major lapse on the part of FRB NY”.

It will be fascinating to see how this he-said she-said blame game plays out. The current state of events is that the Bangladesh Bank is engaging legal counsel to establish grounds for recompense.

It goes without saying that these mind boggling figures and the nature of the attack emphasise that no one is immune from attacks. Next time someone tells you that it can’t happen to your organisation – remember this example.

For more information, please see Bloomberg’s report here.

Nissan shakes like a LEAF and disables app after car hacking potential exposed

Mar 02 2016

By Cameron Abbott and Meg Aitken

Lock you doors…oh wait, that won’t protect you. Australian security researchers, Troy Hunt and Scott Helme have exposed a security flaw in Nissan’s Connect app which allows certain features of the manufacturer’s best-selling electric car, the ‘LEAF’, to literally be controlled by someone else on the other side of the world.

Hunt and Helme recently discovered that the app did not require any owner identification information in order to link with and control LEAF cars. All that was required was the Vehicle Identification Number (VIN), which is conveniently displayed on the chassis of the vehicle.

OK, so hackers couldn’t actually steer the car, but they could command the climate control and telematics to access driving data about trip durations, raising privacy concerns. Further, given that the LEAF is an electric powered vehicle, being able to access the climate controls could potentially allow a hacker to drain the battery and leave a driver stranded.

Car companies are racing to embrace the internet of things, and privacy and security seems to be taking a back seat. While there is no doubt that connected car technology boasts exciting functionality for drivers, it is not without road bumps, and we are once again reminded of the dangerous potential presented by interconnected devices. With a bit of luck, Nissan’s scare will see the automotive industry get in the driver’s seat towards developing a better appreciation of the risks associated with these devices and how they can be mitigated.

Nissan has now reportedly disabled the NissanConnect app and plans to release a new version once these security concerns are rectified. According to Hunt’s blog post, it took Nissan more than a month to take the app offline after he reported the security vulnerabilities.

Read Troy Hunt’s blog post on the discovery here.

It’s official and, it’s personal – Gemalto’s 2015 results reveal scary cybercrime stats

Feb 29 2016

By Cameron Abbott and Meg Aitken

Never mind your credit card details, let’s worry about cybercriminals stealing your identity.

The latest Breach Level Index released by Gemalto has revealed that identity theft was the primary target of hackers in 2015, with stolen personal information accounting for 53% of all data breaches.

It’s a worry, you see, because while your credit card has inbuilt security defences and merchant protection mechanisms, your valuable personal information is probably stored in multiple locations, across a number of interfaces, in a variety of forms, exposing it to substantial risk of theft.

Not only is the massive volume of personal information that is available to be stolen a cause for alarm, but what cybercriminals can potentially do with that information is the major concern.

So who is to blame? Well, malicious outsiders were the leading source of data breaches in 2015, accounting for 58%, accidental loss of data was next and then came malicious insiders, who accounted for 14% of all data breaches.

Clearly, companies need to recognise that today’s cyber environment demands robust security strategies that not only protect networks from external attacks and accidental data loss, but also keep an eye on insiders too.

To secure against a data breach, Gemalto recommends that organisations commit to the encryption of all sensitive information, secure storage and management of data and encryption keys, and controlled access and authentication of users.

Access the Gemalto 2015 Breach Level Index Report here.

Privacy concerns over Westfield’s ticketless parking system

Feb 05 2016

By Cameron Abbott, Meg Aitken and Shirley Chen

Westfield has sidelined the SMS feature of its ticketless parking system this week due to concerns it breached Australian privacy laws.

Westfield’s newfangled ticketless parking system attempted to make parking quicker and easier for shoppers by scanning car number plates on entry and exit of their carparks, and sending an SMS notification to registered parkers recording their entry time and an alert message when their free parking time was nearly up. To register for the service, users were merely required to provide a name, license plate number and phone number (with no verification).

Privacy experts raised the alarm that any person could register false details and track another person’s physical location via the SMS notifications. This was a particular worry for those in domestic violence situations and could also potentially enable stalking or thieves to determine when homeowners had left their houses. The feature’s Terms and Conditions failed to address any of these issues.

The SMS service is currently suspended as internal investigations are conducted, though the rest of the ticketless parking system and app continue to operate.

Learn more about the ticketless parking system here.

Read the ITNews report on the issue here.

Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy

Nov 30 2015

By Cameron Abbott and Meg Aitken

While the festive season approaches and retailers prepare for their busiest time of the year, a sophisticated form of point-of-sale malware, known as ‘ModPOS’, has reared its ugly head and is targeting payment terminals in the U.S.

It is estimated that the first ModPOS data hacks occurred in 2013 and that millions of credit and debit cards used at a broad variety of U.S. retailers have since been compromised. The unique complexity of the code, which experts say has never been seen before in malware, made it tricky to decipher.

Cyber security experts have warned that ModPOS has the ability to not only “scrape” credit and debit card numbers from the memory of point-of-sale terminals, but that the multifaceted code also records keystrokes of computer operators and transmits stolen data. If that isn’t enough, the malware is particularly difficult to detect and is reportedly capable of infiltrating despite security software and data controls.

More details about ModPOS malware can be found here.

Hotel Industry Payment Systems Under Attack

Nov 26 2015

By Cameron Abbott and Meg Aitken

Stayed at one of Hilton Worldwide Holdings’ (Hilton) hotels between 18 November – 5 December 2014 or 21 April – 27 July 2015? Check your bank statement.

Within the same week, both the Hilton and Starwood Hotels & Resorts Worldwide Inc. (Starwood) have discovered the point-of-sale terminals at a number of hotels across the globe have been infected with malware.

The malicious malware has enabled hackers to pinch the credit and debit card information of Starwood and Hilton customers, however there is apparently no evidence that personal contact information provided as part of the hotels’ guest-reservation system or loyalty rewards program was stolen.

While the attack on Starwood was confined to 54 of its hotels in North America, the Hilton attack affected the chain’s hotels globally, including Australian establishments. The number of cards compromised has not been revealed by either hotel.

Starwood and Hilton hotels are not the only luxury hotel chains to be affected by data hacks in 2015. The Mandarin Oriental and Trump International have also reported data security breaches involving intrusive malware this year. In the case of Starwood the hack occurred over eight months without detection showing how sophisticated some of these attacks are.

Starwood’s media release can be found here. Hilton’s media release can be accessed here.

Ashley Madison Hackers Release User Data

Aug 29 2015

By Cameron Abbott and Melanie Long

On 19 August 2015 the group known as ‘The Impact Team’, who a month earlier hacked into online affair website Ashley Madison, made good on its threat and released a “data dump” of Ashley Madison users’ personal information. A second and larger release of stolen data occurred 2 days later and appears to have included emails sent by Noel Biderman, Ashley Madison’s founder and CEO of parent company Avid Life Media.

Following the release of the stolen data, acting Australian Information Commissioner, Timothy Pilgrim, announced the launch of an investigation into the breach which is to be conducted in liaison with the Office of the Privacy Commissioner of Canada (where Avid Life Media is based). On 28 August 2015 Noel Biderman stepped down from his role as CEO of Avid Life Media.

Read the ABC news’ article in relation to the first data release here.

ABC news’ article relating to second data release can be found here.

The Office of the Australian Information Commissioner’s press release relating to its investigation can be found here.

Ashley Madison Data Security Breach

Jul 19 2015

By Cameron Abbott and Melanie Long

On 19 July 2015 the Avid Life Media dating website Ashley Madison, which is aimed at married people who want to have an affair, was hacked by a group known as ‘The Impact Team’. The Impact Team has threatened to release users’ profiles if Ashley Madison and other Avid Life Media websites such as Established Men and Cougar life are not shut down. The Impact Team claims to have stolen the details (including names, addresses, credit card numbers and personal sexual fantasies) of over 37 million users.

The story was broken by Brian Krebs, a former cyber crime writer for the Washington Post, on his blog ‘Krebs on Security’. A link to his article, which includes a statement made by Avid Life Media following the hack, can be found here.

Catagory:Breaches