Privacy, Data Protection & Information Management – Page 9

Leaky Port: City of Port Phillip Inadvertently Discloses Personal Information on Federal Government Website

Nov 11 2020

By Cameron Abbott, Warwick Andersen and Max Evans

The City of Port Phillip Council has accidentally published to data.gov.au personal information of an unknown number of residents who had reported graffiti, according to an article from ITNews supported by a statement released by the council.

According to the statement, during work to automate the generation of a graffiti dataset, an incorrect version was selected which led to the unapproved publication of personal information such as names, phone numbers and/or email addresses of the persons who reported graffiti to the council. As the article notes, of the approximately 764 email addresses and 859 phone numbers that were published, 53% of the email addresses belonged to businesses and 28% of the phone numbers were for landlines and 1300 numbers.

Nov 06 2020

By Cameron Abbott, Rob Pulham and Keely O’Dowd

In December 2019, the Australian Government announced it would conduct a review of the Privacy Act 1988 (Cth).

A year has almost passed and finally the Australian Government has publicly released details about the review. On 30 October 2020, the Australian Government released the Terms of Reference of the review. In particular, the review will cover:

The scope and application of the Privacy Act
Whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
Whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
Whether a statutory tort for serious invasions of privacy should be introduced into Australian law
The impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
The effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
The desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.

Nov 02 2020

By Cameron Abbott, Keely O’Dowd and Max Evans

Back in February, we blogged about the large scale ransomware attack experienced by Toll Group.

IT News reports Toll is still “mopping up” the damage caused by these attacks. Since July, Toll has embarked on a year-long accelerated cyber resilience program incorporating teams in India and Australia which led to the appointment of former Telstra Asia Pacific CISO Berin Lautenbach as Toll’s global head of information security in August.

Oct 27 2020

By Cameron Abbott and Keely O’Dowd

Patients of a Finnish psychotherapy centre have become the victims of a blackmail campaign after the centre suffered a data breach. It is reported, the centre’s data was stolen during two attacks, one occurring in November 2018 and the other between the end of November 2018 and March 2019.

A cyber criminal (or criminals) has used the stolen data to contact patients demanding the payment of 200 euros in bitcoin, with this amount increasing to 500 euros if the patient refused to pay within 24 hours. If a patient refused to pay the ransom, the cyber criminal threatened to publish their personal information, including notes from therapy sessions. Around 300 records have been published on the dark web, which suggests patients are refusing to pay the ransom. The centre also received a ransom demand of 500,000 euros for the return of their data, which it has refused to pay.

Oct 19 2020

By Cameron Abbott and Rebecca Gill

The UK Information Commissioner’s Office (ICO) has fined British Airways £20 million, the ICO’s largest fine to date, for failing to protect the personal and financial details of more than 400,000 of its customers.

In a statement published online on 16 October 2020, the ICO stated that its investigation had found that British Airways was “processing a significant amount of personal data without adequate security measures in place”. This failure is said to have breached data protection laws and, subsequently, the airline was the subject of a cyberattack in 2018, which was not detected for more than two months.

Sep 18 2020

By Cameron Abbott and Keely O’Dowd

News reports have surfaced that a woman in Germany has died due to a delay in receiving medical care. What is most concerning about this death is the circumstances in which the woman tragically passed away.

According to reports, the woman needed urgent medical treatment and the hospital she presented to, Duesseldorf University Hospital, was unable to admit her as it was dealing with a ransomware attack.

The hackers exploited a vulnerability in a widely used commercial add-on software. This attack caused a failure in the hospital’s IT systems resulting in it being unable to access data and diverting emergency patients elsewhere. The woman was redirected to a hospital approximately 30km away from Duesseldorf University Hospital, which led to a delay in the woman receiving treatment. Unfortunately the delay proved fatal and the women passed away before she could be treated.

Sep 16 2020

By Cameron Abbott and Keely O’Dowd

The adoption of cloud based solutions offer many advantages to businesses, such as cost savings, efficiencies and flexibility. Cloud based solutions can also improve data security as cloud providers will be tasked with monitoring the security of their solutions, updating software and improving security features as required.

However, adopting a cloud based solution will not automatically reduce an organisation’s exposure to cyber risks. Care must be taken before procuring a cloud based solution and any solution must be properly assessed from a security perspective.

By Cameron Abbott, Keely O’Dowd and Max Evans

The Office of the Australian Information Commissioner (OAIC) has released its report on notifications received under the Notifiable Data Breaches scheme for period January to June 2020.

The OAIC reported 518 breaches were notified to it in the relevant period. The OAIC noted a 3% decrease from the 532 breaches notified in the period July 2019 to December 2019. However, there was a 16% increase on the 447 notifications received during January to June 2019.

Aug 04 2020

By Cameron Abbott and Max Evans

In these unprecedented times, where travel around the globe is primarily halted as nations get to grips with controlling the outbreak of COVID-19, many would think it couldn’t get any worse for travel companies. However, they would be wrong, as according to an article from ITNews, American travel management giant CWT has reportedly paid a whopping 414 bitcoin, equivalent to a value of 4.5 Million USD (approximately 6.3 Million AUD), to hackers who successfully exfiltrated over 2 terabytes of sensitive corporate files.

According to the Article, the successful hackers used a strain of ransomware referred to as “Ragnar Locker” which places computer files into a virtual prison through encryption and renders them unusable until the victim pays for the keys. Then in CWT had to negotiate in a public chat forum to pay for the release. It gives us a rare insight into the dialogue that followed. CWT negotiated the hackers down from their initial demand of 10 Million USD. According to the Report, whilst the hackers claimed to have stolen over 2 terabytes of files including financial reports, security documents and employees’ personal data, it was not clear whether any customer data was compromised.

Jul 28 2020

By Cameron Abbott and Rebecca Gill

The ability of a government to force a technology provider to create a “back door” into their technology to allow security agencies to “listen in” to communications is a very controversial step, but it has not been the subject of much discussion as any recipient of such intervention is gagged.

It was interesting to see that the Independent National Security Legislation Monitor has released a report on its review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLA Act). The review considered, and provided recommendations on, the operation, effectiveness and implications of the TOLA Act and whether it is necessary, is proportionate to the threats it seeks to meet and treats human rights properly.

Catagory:Privacy, Data Protection & Information Management

Leaky Port: City of Port Phillip Inadvertently Discloses Personal Information on Federal Government Website

Continuing to take its Toll: Toll Group still feeling impacts nine months after experiencing Ransomware Attack

Therapy clients become targets of blackmail campaign

First reported death connected to misfired ransomware attack on German hospital

Cyber Criminals “King of the (Data Breach) Jungle”: 61% of all Data Breaches caused by Malicious or Criminal Attacks, according to OAIC Report

Can It Get Any Worse? Travel Giant CWT pays $4.5 Million USD ransom to Hackers who Stole Corporate Files and Knocked 30,000 Computers Offline

Trust but verify: Independent report on Australia’s “anti-encryption” legislation released