Cyber Law Watch

Insight on how cyber risk is being mitigated and managed across the globe.


Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).

Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and corresponding passwords, are stolen, typically from a previous security breach. The account credential combinations are then used to try to gain access to accounts at other sites via an automated, large-scale web application that attempts multiple logins. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.


Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents

By Cameron Abbott, Rob Pulham and Rebecca Gill

It’s Privacy Awareness Week and today’s topic is “data breaches”. With data breaches and responding to cyber attacks becoming an inevitable part of doing business, it’s a timely reminder about the importance of adequately resourcing your IT security areas, and of having comprehensive and well-tested data breach response plans in place, as illustrated by the Fourth Annual Study on The Cyber Resilient Organization (Study), conducted by the Ponemon Institute on behalf of IBM Resilient.

The Study surveyed 3,655 IT and IT security practitioners in 11 countries and regions, including Australia. The results of the Study indicate that a majority of Australian businesses are vulnerable to cyber-attacks due to a lack of skilled personnel and incident response plans.


Sharing of ‘abhorrent violent material’ now an offence under new laws

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Governments around the world are imposing more responsibilities on tech providers to deal with online harms. In response to the recent attacks in Christchurch, in which a gunman livestreamed on Facebook his attack on a mosque, the Australian Government recently enacted the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 (Cth) (Act). The Act, which commenced on 6 April 2019, was pushed through swiftly and has a broad reach.

Under the Act, internet, content and hosting service providers must refer details of any ‘abhorrent violent material’ that records or streams ‘abhorrent violent conduct’ to the Australian Federal Police. Abhorrent violent material is material that is audio, visual or audio-visual, and that records or streams ‘abhorrent violent conduct’. Such conduct includes acts of terrorism, murder, attempted murder, torture, rape and kidnapping.


Consumer Data Right Draft Rules – submissions closing soon

By Cameron Abbott, Rob Pulham and Rebecca Gill

The deadline for submissions on the ACCC’s draft Competition and Consumer (Consumer Data) Rules 2019 (Draft Rules) is fast approaching. The ACCC is seeking feedback from community organisations, businesses and consumers on the approach and positions of the Draft Rules for the Consumer Data Right (CDR) regime until this Friday, 10 May 2019.

Key aspects of the Draft Rules (which are available on the ACCC’s website) include:

  • the three ways in which CDR data may be requested;
  • the requirements for consent to collect CDR data;
  • rules relating to the accreditation process; and
  • rules relating to the thirteen privacy safeguards for CDR data.

Scammers are becoming more tech-savvy according to the ACCC’s Targeting Scams report

By Cameron Abbott and Rebecca Gill

Australian businesses and consumers were duped into paying scammers nearly half a billion dollars in 2018 according to the ACCC’s Targeting Scams: Report of the ACCC on scam activity 2018 (Report). The Report also highlights the use of sophisticated technology by scammers.

According to the Report, the most financially harmful scam affecting Australian businesses was the ‘business email compromise’ (BEC) scam. This involved a scammer gaining access to a business’s entire email or IT system. The scammer would then impersonate the business and send emails to suppliers and customers of the business, advising changes to payment details.


REPORT FINDS MORE THAN HALF OF RANSOMWARE VICTIMS WOULD PAY THE RANSOM

By Cameron Abbott, Rob Pulham and Rebecca Gill

Telstra’s 2019 Security Report has found that a majority of the respondents who have been victims of ransomware attacks have paid the attackers to unlock files. Many of these respondents successfully retrieved their data after paying the ransom.

Of the 320 Australian respondents, 51 per cent said that they had paid ransomware attackers to regain access to encrypted files. Further, the Report found that 77 per cent of Australian businesses that had paid a ransom were able to retrieve their data after making the payment. Whilst this was the lowest rate of data retrieval post-payment out of the 13 countries in the survey, 79 per cent of the Australian respondents still said that they would pay the ransom again if they had no back-up files available.


PROPOSAL TO INCREASE PENALTIES FOR PRIVACY BREACHES

By Cameron Abbott and Rebecca Gill

In light of concerns over how personal data is being used by social media platforms and tech companies, the Commonwealth Government has proposed amendments to the Privacy Act in order to more harshly penalise companies for privacy breaches. The new regime, which aims to update Australia’s privacy laws in line with increased social media use, will see tougher penalties for all entities that are subject to the Privacy Act, not just the headline companies like Google and Facebook.

The Commonwealth Government proposes to increase the penalties for serious or repeated breaches by such entities from $2.1 million to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover – whichever is the greater value.


Tourists aren’t the only thing visiting London’s hotspots

By Cameron Abbott and Ella Richards

Over 100 million cyber-attacks have hit London’s top tourist attractions over the past few years, signalling that hackers are turning their attention to the treasure trove of customers’ personal data and related opportunities for ransomware attacks.

Kew Gardens experienced an incredible 86 million attacks during 2018 and has seen a 438% increase in attacks year-on-year. Personal and financial details of over 100,000 of its members and over 800 staff are highly sought after, with 82 million spyware attempts and 1.6 million information-stealing attempts last financial year alone. Although Kew Gardens have performed admirably in mitigating the attacks, a major server breach in 2017-2018 and an incident involving a compromised email address managed to slip through.

Imperial War Museum was the next highest target, with over 10 million cyber security incidents spread over three years and 8 successful ransomware attacks within that time. The Natural History Museum tallied 875,414 cyber-attacks over three years, of which 26,610 were considered ‘unmitigated’ threats.

Lastly, Tate Gallery (which oversees the Tate Modern and Tate Britain galleries) was subject to 494,709 attacks last year alone; however, only four attacks featuring malware and phishing software were successful.

These attacks demonstrate hackers’ increasing focus on personal and financial data, which tourist hotspots and museums collect in enormous volumes on a daily basis. Sheila Flavell (COO of FDM Group) points out that in the wake of these incidents, the UK needs to increase its level of cyber expertise by attracting more people into the tech industry. We agree there are not going to be many unemployed cybersecurity consultants with this sort of scale of activities!

Thailand joins the party of legislated Data Protection

By Cameron Abbott and Ella Richards

Following tireless attempts spanning over two decades, Thailand has finally approved the Thailand Personal Data Protection Act (“PDPA”), subject to royal endorsement and publication in the Government Gazette. Previously, the only right pertaining to personal privacy was located in the Thai Constitution, and while certain business sectors (such as telecommunications, healthcare and banking) had some protection, there was an absence of a singular consolidated data protection regime.

You may notice the broad similarity between the PDPA and the European Union’s GDPR; but don’t get too excited. Although various concepts have been drawn from the GDPR, the PDPA has been written with consideration of Thai perspectives, and therefore careful examination of compliance requirements of both regimes will be necessary.

Once the PDPA is published in the Government Gazette, Thailand will allow a transition period for businesses to adapt their practices (as the PDPA will apply to most entities onshore and offshore).

So, what can we do to prepare for the PDPA now?

Any company collecting data from residents of Thailand should ensure they’re in compliance before the PDPA comes into effect. Penalties for non-compliance will be severe, so an evaluation of business procedures will be necessary to determine if additional measures need to be adopted.

IoT (internet of things) legislation makes an appearance in the U.S. Senate

By Cameron Abbott and Ella Richards

For those who are not familiar with the acronym, IoT or ‘Internet of things’ refers to the interconnection of network devices and everyday objects for increased control and ease of use.

The US Government has been steadily increasing the number of IoT devices used in day-to-day business. In response to mounting concerns surrounding this, a bipartisan group in the Senate revealed a piece of legislation that will govern the use of IoT devices in the government context.

