Tag:Cybersecurity


BANKS AND HACKERS: SECURITY AMONGST ENTITIES

By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

Presumably inspired by the recently released “Honor Among Thieves”, a film based on table-top roleplaying game Dungeons & Dragons, the Australian government invited representatives from the Reserve Bank, the AFP and regulators ASIC and APRA for a three-hour session of cybersecurity roleplay. Further exercises are expected to be conducted with major banks and financial services, and eventually with the aviation sector and other critical infrastructure areas.

Good report card but data breaches are up, with no sign of letting up

By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

[Featured image from a LinkedIn post of the Office of the Australian Information Commissioner made on 3 March 2023]

Shortly after the Government announced their ambition to make Australia a global leader in cyber security, Australia has been named the country with “the greatest progress and commitment toward creating a cyber defence environment” in MIT’s Cyber Defence Index of 2022/23.

However, the Office of the Australian Information Commissioner’s latest notifiable data breaches report paints a different picture. The Commissioner reported a 26% increase in the number of total reported data breaches and a 41% increase in the number of reported data breaches arising from malicious or criminal attacks compared with the first half of 2022. Health service providers and the finance sector were the worst hit, together representing almost a third of reported data breaches.

In releasing the report, the Commissioner once again stressed the need for organisations to collect only the minimum amount of personal information required and to delete it when it is no longer needed. In the report the Commissioner has recommended a number of steps to address the kinds of issues featured in the second half of 2022, including:

Australia to be the most cyber secure nation?

By Cameron Abbott, Rob Pulham and Dadar Ahmadi-Pirshahid

Not content with merely implementing broad-scale privacy reform, the Government has announced a new position, the Coordinator for Cyber Security, to be added to the Department of Home Affairs as a step towards their aim of “making Australia the most cyber secure nation by 2030”. This would seem to be a rather aspirational target!

The Coordinator will be supported by a National Office for Cyber Security, and their role will be to oversee steps to prevent future cyber security incidents and to help manage cyber incidents as they occur. 

The wait is over: The Privacy Act Review Report has been published!

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

The Government has today released the Report of the Attorney General’s Department’s review of the Privacy Act 1988 (Cth). The Government is seeking feedback on the 116 proposals in the Report before deciding what further steps to take. Submissions on the report are due on 31 March 2023. With this timing, it’s possible that we will see the review finalised towards the end of the first half of 2023.

The report can be accessed here.

The proposals made in the Report centre around:

New Privacy Enforcement Act commences in Australia

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

Australia passes Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Earlier this week (on 29 November), the Australian Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which was introduced to Parliament on 26 October 2022.

The Bill amends the following:

  • Privacy Act 1988 to expand the Australian Information Commissioner’s enforcement and information sharing powers and increase penalties for serious or repeated interferences with privacy;
  • Australian Communications and Media Authority Act 2005 to enable the Australian Communications and Media Authority to disclose information to a non-corporate Commonwealth entity that is responsible for enforcing one or more laws of the Commonwealth; and
  • Australian Information Commissioner Act 2010 to allow the Australian Information Commissioner to delegate certain functions or powers.

Update from the Australia/New Zealand privacy conference and the changes to Australian privacy and cybersecurity laws

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

We’ve just returned from the annual iapp Australia/New Zealand privacy conference held in Sydney this week, and it was a whirlwind. Even if you’re not one of around half of Australians affected by two of the biggest data breaches in our recent history, you’ll be aware a lot is changing – and a lot more is poised to change – in this space.

We’ll be blogging over the coming weeks about some of the key themes and changes your organisation will need to prepare for, including:

– new regulatory enforcement tools

– higher expectations of the way personal information is collected and secured, and when it needs to be destroyed

– potential removal of key exemptions such as the employee records exemption that your business may currently rely on,

– and of course the major penalty increases that seek to deter privacy breaches being viewed as ‘the cost of doing business’,

as Australia tightens the protections around the collection and use of Australians’ personal information.

Stay tuned!

Privacy and cybersecurity laws expected to undergo a significant overhaul in the wake of Optus data breach

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Over the past two years, the Privacy Act has been the subject of long-awaited reform in Australia; however, it seems the Optus data breach may have given that reform some much-needed momentum.

The Optus attack is understood to have affected the details of 11.2m Optus customers, and of those, 2.8m individuals have had their driver’s licence and/or passport numbers compromised. The hacker claims to have extracted the data from an API (software that allows two different systems to talk to each other) that did not require authentication. If the claim is true, the hacker didn’t need to provide any credentials (e.g. a username and password) to retrieve the data.

In the wake of the attack, the Government has shared its plans to pursue substantial reforms that will include increased penalties under the Privacy Act (currently capped at $2.22m per offence) as well as changes to data breach notification laws to allow companies to rapidly inform financial institutions of affected individuals in an effort to minimise fraud.

The data breach also highlights the risks involved in collecting large amounts of personal information and storing it for excessive periods of time. While the Privacy Act promotes the collection of a minimum amount of personal information, i.e. only that information which is necessary for a particular purpose and which the entity intends to use or disclose, individuals generally have limited control over how long their information is retained.

During the initial stages of the Privacy Act review, the Attorney General’s Department sought submissions from entities on their views as to whether individuals should be given the right to have their personal information erased. Optus, in its submissions to the review, argued against such a change, stating that the right to erase personal data would involve significant technical hurdles and compliance costs that would outweigh the benefits. Of course, this incident has happened just as stores are gearing up for Halloween, a fitting time for those public submissions to come back to haunt them.

New World tech fall victim to Old World tricks

By Cameron Abbott, Rob Pulham and Dadar Ahmadi-Pirshahid

OpenSea have reported a breach whereby email addresses registered with the site have been shared with an unauthorised third party.

For landlubbers, OpenSea is the world’s largest marketplace for non-fungible tokens (NFTs).

The Head of Security at OpenSea identified an employee of OpenSea’s third party email delivery vendor as the source of the breach. The employee reportedly misused their access privileges to download and share the list of the site’s registered email addresses with an external party.

People who have shared an email address with OpenSea, such as subscribers to the site’s newsletter, are warned to remain vigilant about attempts by malicious parties to impersonate communications from OpenSea.

OpenSea has dealt with several security incidents this year. Only a month ago, a former OpenSea product manager was arrested and is reportedly the first person to have been charged in connection with a digital asset insider trading scheme. The product manager’s responsibilities included deciding which NFTs would be featured on the site’s homepage, which he allegedly used for his own financial gain. When OpenSea discovered his conduct in September 2021, it requested and accepted the product manager’s resignation. Immediately afterwards, OpenSea commissioned a third party review of the incident and implemented the review’s recommendations to strengthen its existing policies.

In May this year, OpenSea’s Discord server was hacked. Just a few months earlier, 254 NFTs valued at around US$1.7 million were stolen through what appear to have been phishing attacks. OpenSea has reportedly reimbursed the victims.

These incidents highlight the status of NFT marketplaces as high-value targets for malicious actors and reveal that many of the security vulnerabilities faced in the ‘old’ world of cyber technology remain a threat in the new world of blockchain and NFTs.

Once again, these incidents serve as a reminder for organisations to develop effective cyber security risk management, which requires an approach that encompasses all security vulnerabilities and that includes mechanisms governing employee access and use of sensitive information.

New concerns over China’s ability to access user data on WeChat

By Cameron Abbott and Hugo Chow

A recent report by cybersecurity firm Internet 2.0 has raised concerns about the Chinese Communist Party’s ability to access the data of millions of users around the world of the social media and payment application WeChat.

WeChat is significant as it is the application that nearly all citizens in China use on a daily basis for communication, payments for services and as a way for citizens to connect through social media. Although the majority of WeChat’s more than 1 billion users are located in China, there are approximately 600,000 users in Australia, 1.3 million users in the UK, and 1.5 million users in the United States.

One of the concerns the report outlines is that although WeChat states that its servers are kept outside mainland China, all user data that WeChat logs and posts to its logging server goes directly to Hong Kong. The report also argues that under Hong Kong’s new National Security Legislation, there is little difference between servers resident in Hong Kong and servers in mainland China.

As a result, because China’s National Intelligence Law requires organisations and citizens to “support, assist and cooperate with the state intelligence work”, there are concerns that the WeChat logging data sent to servers in Hong Kong may be accessed by the Chinese Government upon request. The report states that the data that goes to Hong Kong is log data, which includes the user’s mobile network, device information, GPS information, phone ID and the version of the device’s operating system, but does not include information such as the content of a conversation.

Another concern the report outlines is that although there was no evidence that chats were stored outside the user’s device, the report found that WeChat had the potential to access all the data in a user’s clipboard. This means there is the potential for WeChat to access any data that users copy and paste while using WeChat, which is a risk for people using password managers that rely on the clipboard to copy and paste their passwords.

We expect to hear more about these sorts of concerns from a range of jurisdictions.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.