Privacy, Data Protection & Information Management – Page 16

Surveillance software targets WhatsApp users

May 15 2019

By Cameron Abbott, Rob Pulham and Michelle Aggromito

Unfortunately for all of us, Privacy Awareness Week doesn’t mean a chance to take a break from seemingly endless data breach notifications and social media vulnerabilities.

This week it’s WhatsApp’s turn, with reports that hackers, or as WhatsApp described as “an advanced cyber-actor”, have been able to remotely install surveillance software on phones and other devices of select targets, likely to be lawyers, journalists, activists and human rights defenders. The hackers were able to compromise the devices by using WhatsApp’s call function to ring the devices. The surveillance software was still installed even if the call was not picked up and the call reportedly would disappear from the compromised device’s call log. This means the malware could be installed without any action from the compromised user – and potentially without them even being able to determine that they had been compromised.

Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia

May 14 2019

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).

Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and corresponding passwords, are stolen, typically from a previous security breach. The account credential combinations are then used to try and gain access to accounts at other sites via an automated and large-scale web application directed to multiple logins. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.

Consumer Data Right Draft Rules – submissions closing soon

May 06 2019

By Cameron Abbott, Rob Pulham and Rebecca Gill

The deadline for submissions on the ACCC’s draft Competition and Consumer (Consumer Data) Rules 2019 (Draft Rules) is fast approaching. The ACCC is seeking feedback from community organisations, businesses and consumers on the approach and positions of the Draft Rules for the Consumer Data Right (CDR) regime until this Friday, 10 May 2019.

Key aspects of the Draft Rules (which are available on the ACCC’s website) include:

the three ways in which CDR data may be requested;
the requirements for consent to collect CDR data;
rules relating to the accreditation process; and
rules relating to the thirteen privacy safeguards for CDR data.

PROPOSAL TO INCREASE PENALTIES FOR PRIVACY BREACHES

Mar 26 2019

By Cameron Abbott and Rebecca Gill

In light of concerns over how personal data is being used by social media platforms and tech companies, the Commonwealth Government has proposed amendments to the Privacy Act in order to more harshly penalise companies for privacy breaches. The new regime, which aims to update Australia’s privacy laws in line with increased social media use, will see tougher penalties for all entities that are subject to the Privacy Act, not just the headline companies like Google and Facebook.

The Commonwealth Government proposes to increase the penalties for serious or repeated breaches by such entities from $2.1 million to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover – whichever is the greater value.

Thailand joins the party of legislated Data Protection

Mar 21 2019

By Cameron Abbott and Ella Richards

Following tireless attempts spanning over two decades, Thailand has finally approved the Thailand Personal Data Protection Act (“PDPA”), subject to royal endorsement and publication in the Government Gazette. Previously, the only right pertaining to personal privacy was located in the Thai Constitution, and while certain business sectors (such as telecommunications, healthcare and banking) had some protection, there was an absence of a singular consolidated data protection regime.

You may notice the broad similarity between the PDPA and the European Union’s GDPR; but don’t get too excited. Although various concepts have been drawn from the GDPR, the PDPA has been written with consideration of Thai perspectives, and therefor careful examination of compliance requirements of both regimes will be necessary.

Once the PDPA is published in the Government Gazette, Thailand will allow a transition period for businesses to adapt their practices (as the PDPA will apply to most entities onshore and offshore).

So, what can we do to prepare for the PDPA now?

Any company collecting data from residents of Thailand should ensure they’re in compliance before the PDPA comes into effect. Penalties for non-compliance will be severe, so an evaluation of business procedures will be necessary to determine if additional measures need to be adopted.

IoT (internet of things) legislation makes an appearance in the U.S. Senate

Mar 19 2019

By Cameron Abbott and Ella Richards

For those who are not familiar with the acronym, IoT or ‘Internet of things’ refers to the interconnection of network devices and everyday objects for increased control and ease of use.

The US Government has been steadily increasing the amount of IoT devices used in day-to-day business. In response to mounting concerns surrounding this, a bipartisan group in the Senate revealed a piece of legislation that will govern the use of IoT devices in the government context.

Ratings agency starting to factor in Cyber risk profile

Mar 08 2019

By Cameron Abbott and Wendy Mansell

A recent report released by Moody’s Investors Services has shed some light on which business sectors are most at risk for cyberattacks.

After assessing 35 broad sectors it was concluded that banks, hospitals, security firms and market infrastructure providers face the highest risk. This was based on levels of vulnerability and the potential impact an attack would have.

The key determinative factor for these sectors is that they all rely strongly on technology and the vital role of confidential information in their operations.

The financial repercussions following a cyberattack in each of these sectors is extremely significant when considering the costs of insurance, penalties, consumer impact, potential litigation costs, R&D and technological impact to name a few.

The financial market is so high risk because of the financial and commercial data it holds and ever increasing fact that its services are being offered digitally, across multiple platforms i.e banking mobile/smart watch apps.

On a similar note because medical records are primarily collected and held in electronic form hospitals are very attractive to hackers given the sensitive nature of the data.

While the industries should not be a shock to the reader, it is important for participants in those industries and for suppliers to those participants to realise the risk profile that attaches to them and have procedures in place reflective of those risk levels. How one manages these risks in now likely to have indirect cost implications when you see ratings agencies like Moody’s assessing these sorts of areas.

Cyber attacks becoming common place: Different industries, similar methods

Feb 24 2019

By Cameron Abbott and Ella Richards

Popular car manufacturer Toyota has been hit by a malicious attack rendering their employees completely unable to access their emails. It is unclear whether any customer or employee data has been accessed, and Toyota is going to extensive efforts to discover the origin of the attack.

Staff who are powering on despite their access restrictions have been told to use face-to-face, phone and text communication until the emailing system is back online. Can you imagine!

Although the central server system is inaccessible, dealerships are continuing to operate normally besides being able to provide customers with the date they’ll receive their exciting new car.

Additionally, Melbourne Heart Group was subject to a cyber attack which completely locked them out of their filing system. 15,000 files were scrambled and held for ransom after a cyber crime syndicate hacked into their server, blocked all access to files and demanded a cryptocurrency payment be made.

Melbourne Heart Group is based at Cabrini Hospital in Malvern, but the separation of their systems ensured that no Cabrini operations were affected. Even though a payment was made to decrypt their servers, information including patient details and sensitive medical records are yet to be recovered.

Payment in these situations is always troubling, dealing with faceless individuals, having to trade in cryptocurrencies in order to chart a course to the fastest resolution.

To encrypt or not encrypt? That is the question

Feb 18 2019

By Cameron Abbott and Ella Richards

In response to the new controversial anti-encryption laws, Australian tech heavyweights have banded together to kick and scream over the restrictive implications the laws are already having on their industry.

Quick history lesson; the Assistance and Access Bill permit law enforcement to demand companies running applications such as Whatsapp to allow “lawful access to information”. This can be through either decryption of encrypted technology, or providing access to communications which are not yet encrypted. These ‘backdoors’ are intended to provide the good guys with the opportunity to fight serious crime, however there’s serious fear that in reality, these doors could throw out privacy or let in unwanted guests.

While the legislation states that backdoors should only be created if it doesn’t result in any ‘systemic weakness’; this is yet to be defined in a concrete and informative way. Industry points out that once created any such measure has the potential to be exploited by others. There is no such thing as a “once” only back door.

There is little doubt that this will end up in litigation as larger industry players challenge the abstract concepts in the legislation against the reality of their technology.

StartupAUS, an industry group of tech executives, have made several recommendations to amend the legislation. Even though they’re not holding their breath for any significant changes, they’re demanding more transparency around the requirements. Their recommendations include scrapping the requirement for an employee to build capabilities to intercept communications, tightening the scope of ‘designated communication providers’, giving oversight on how companies will be targeted and increasing what constitutes a ‘serious offence’.

Australia’s legislative response to the problem faced by law enforcement is one of the most heavy handed in the democratic world, and now has the world of technology companies with their significant impact on our economy watching the latest debate on reforms with great concern.

Bypassing the Castle Walls: Tactical Exploitation of America’s Vulnerable Grid

Feb 06 2019

By Cameron Abbott, Max Evans and Wendy Mansell

A recent Wall Street Journal Report has detailed how America’s utility grid was hacked. The Department of Homeland Security has named Russia as responsible for the overwhelmingly complex and threatening campaign.

The scheme targeted energy companies affiliated with the government and was carried out in a sophisticated manner by initially focusing on small firms within the utility supply chain.

Early techniques involved planting malware on the websites of online publications likely to be read by employees of companies within the energy sector. The hackers would lace the online publications with malicious content allowing them to steal usernames, passwords and infiltrate company systems.

A number of small firms fell victim to these tactics giving the hackers broad access to company networks. Fake emails were subsequently sent out on behalf of the affected firms containing forged and malicious Dropbox links which captured usernames, passwords and other credentials. Further they used fake personas to send emails and pretended to be job seekers, by sending resumes containing tainted attachments to energy companies.

The hackers continued this technique of sending malware emails on behalf of firms until they reached the top of the supply chain. It was reported that on at least 8 occasions the hackers infiltrated companies who had access to the industrial control systems that run the grid.

An alarming aspect was the number of affected companies that remained oblivious of the penetration. The report is a useful description of the variety of methods used to tempt employees to expose their credentials. All too easy to do. These same techniques are regularly used by more pedestrian hackers. Two factor authentication and regular password resets remain measures to limit these threats but so many organisations do not use them.

We repeatedly counsel that employees are the last line of defence for your organisation. Circulating the Report may make an interesting read to remind them of the variety of ways they can be seduced to click an incorrect link.

Catagory:Privacy, Data Protection & Information Management