This is so relevant here and under tenancy blacklists I am cross-posting it. This appears to be a farcical and cynical finger at ‘us’.
It would appear to highlight a gap in Australia’s Notifiable Data Breaches (NDB) scheme. If a company is able to deny that a breach occurred when in fact a breach did occur and resist the investigation by the OAIC then the company may get away with it.
I am not clear whether the company in this case is arguing that it is not covered by the NDB scheme at all.
Normally, denying that a breach occurred is impossible because someone leaked or hacked, and the data comes into the public sphere such that it is persuasive that a breach has occurred and such that denials that a breach occurred are not credible.
In other words, what is anyone’s basis for believing that a data breach occurred? Presumably the OAIC must have a prima facie case.
A tiny “breach” in the overall scheme of things but: https://www.abc.net.au/news/2020-10-01/dfat-email-fail-addresses-australians-overseas-coronavirus/12719804
That’s gonna be a looong email if someone forwards it!
Not to mention the ReplyAll storms that it could create. Rolls eyes.
Major US Government agencies discover they have been hacked.
It gets worse.
In January 2021, Oxfam Australia was the victim of a data breach which exposed 1.8M unique email addresses of supporters of the charity. The data was put up for sale on a popular hacking forum and also included names, phone numbers, addresses, genders and dates of birth. A small number of people also had partial credit card data exposed (the first 6 and last 3 digits of the card, plus card type and expiry) and in some cases the bank name, account number and BSB were also exposed. The data was subsequently made freely available on the hacking forum later the following month.
Data lost/hacked was:
Bank account numbers, Dates of birth, Email addresses, Genders, Names, Partial credit card data, Payment histories, Phone numbers, Physical addresses
Number of lost client records:
1,834,006 (1 in about every 14 Australians it would seem to equate to)
Information courtesy of http://haveibeenpwned.com/
Oxfam in their press release declined to state how many clients had been affected…I think the excuse is weak but here is what they said and judge for yourself how advising how many had been affected would allow what Oxfam suggests could be the fallout:
“In the interests of ensuring the ongoing security of our database and our supporters’ privacy and protection and to reduce the risk of attempts by scammers to target Oxfam supporters, we are not releasing details of the number of people who may have been impacted”
Yeah right!! More likely they don’t want their supporters to know how many of them are affected…bum covering is my opinion. Adding the words “ongoing security” in the light of loss of the security seems a weird choice…perhaps they should have used “future security” because it hasn’t been ongoing due to the loss of control.
I signed up for Firefox Monitor a while back. It emails whenever my email shows up on a hacker site. I received one about the Oxfam breach this morning.
It is a good service, no cost.
It uses haveIbeenpwned for the breach info, which is also a free service. Troy Hunt still is the one behind the pwned service.
From Firefox Monitor FAQs
“How does Firefox Monitor know I was involved in these breaches?
Firefox Monitor gets its data breach information from a publicly searchable source, Have I Been Pwned. If you don’t want your email address to show up in this database, visit the opt-out page.”
It seemingly does not make sense.
Possibly something has been lost in translation i.e. someone, somewhere deep in the bowels of cybersecurity made a recommendation and that text is what it has become.
Does mandatory disclosure need to cover this? i.e. take away the choice from the victim organisation to reveal the scale of the breach. (This breach is pretty small in the overall scheme of things.)
One thing that bugged me:
purchased through our former shops
So let me get this straight … the shops don’t exist any more but they were keeping the transaction info “just in case” … and hackers copied that info.
This is a fundamental problem with Big Data, and government is part of the problem, not part of the solution.
PS The link that you included at the top of your post was its own mini data breach. I hate those opaque links. Here’s a clean link: Oxfam Australia was the victim of a data breach
Fixed it, was a simple copy and paste of Troy’s info in the first place so not sure how the data was added. Noting that the post to the Firefox Monitor FAQ didn’t include the garbage.
A link from @Fred123’s article in Secrecy, privacy, security, intrusion about the hack of the Airlines Frequent Flyer data
A data breach of a slightly different kind: https://www.abc.net.au/news/science/2021-03-11/verkada-hackers-gained-access-to-australian-surveillance-cameras/13237820
Just a lazy 150,000 surveillance cameras worldwide.
I tear my hair out with the idiocy of the concept of a camera company having remote access to the camera after the camera is sold …
The hackers claim to have peered inside women’s health clinics, psychiatric hospitals, prisons, police stations and gyms in the US.
Great. No security fail there.
No system should ever be considered unhackable. If you considered your database as a hackable target, there is no way you’d ever design that level of access behind a single door. Terrible security decision. Even if you require post-sale access to the cameras, surely they should be accessed through separate servers.
Once upon a time Computer Science 101 taught systems programmers that the number 1 job of any operating system was to protect itself from users and their applications. It took lots of compute power, and some OSes were more successful than others. Consequently, Applications Programming 101 taught that the application had to protect itself from the user. Back then it was noticed that few applications tested the inputs for the unexpected, relying on every user to be using the application for its intended purpose.
There was networking and remote access, mostly proprietary, and then ‘the internet’ happened.
Unfortunately in the name of function and the processors available in the times, those ‘101’ lessons got lost, and by the time anyone remembered they might have been necessary foundations it was too late. It evolved into ‘look what we can do now’ rather than ‘we can do this securely and safely’.
Or require some action on the part of the customer to enable remote access on a temporary basis.
Or anything else that you can think of.
But open slather by default (or even mandatorily)? There should be a law against it …
Hence one of the easiest ways for malicious actors to get where they are not supposed to be - via such fun tricks as buffer overflows and command line injections.
Thanks once again to XKCD for an easy explanation.
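The ‘Applications Programming 101’ lesson from the posts above, and the buffer overflow and injection consequences of forgetting it, in code. This is an added illustration written for this thread, not code from any poster, XKCD or a breached organisation; the field size, function names and sample inputs are all constructed for the example. The unchecked copy is the kind of code the lesson warns against; the checked copy and the allow-list validator are the application protecting itself from the user.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Fixed-size field, as an application of the era might have declared it (constructed size). */
#define NAME_MAX 16

/* The "before": trusts that the caller's input fits the buffer. Anything longer
 * than NAME_MAX-1 characters overruns 'dst' (a buffer overflow). Shown for
 * contrast only; it is never called with untrusted input below. */
void copy_name_unchecked(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);
}

/* The hardened form: refuse anything that does not fit instead of assuming it
 * will. Looks for the terminator only inside the NAME_MAX window, so it never
 * walks past an unterminated input either. Returns false and leaves 'dst'
 * empty on rejection. */
bool copy_name_checked(char dst[NAME_MAX], const char *src) {
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL) {              /* no terminator within NAME_MAX bytes: too long */
        dst[0] = '\0';
        return false;
    }
    size_t n = (size_t)(end - src); /* n <= NAME_MAX-1, so n+1 bytes fit */
    memcpy(dst, src, n + 1);
    return true;
}

/* Allow-list check for a value that will later reach a shell, SQL or another
 * interpreter: only letters, digits and underscore pass, so metacharacters such
 * as ';', '|', '$', quotes and whitespace can never be smuggled through. */
bool is_safe_token(const char *s) {
    if (s == NULL || *s == '\0') return false;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '_')) return false;
    }
    return true;
}

/* Hypothetical request handler combining both checks. Returns 0 on success,
 * 1 if the name is too long, 2 if it is empty or contains disallowed characters. */
int handle_request(const char *raw_name, char name_out[NAME_MAX]) {
    if (!copy_name_checked(name_out, raw_name)) return 1;
    if (!is_safe_token(name_out)) {
        name_out[0] = '\0';
        return 2;
    }
    return 0;
}

int main(void) {
    /* Constructed sample inputs: the kind a user, a typo or a fuzzer might send. */
    const char *samples[] = {
        "alice_01",                         /* accepted */
        "this_name_is_far_too_long_to_fit", /* rejected: too long */
        "bob;id",                           /* rejected: shell metacharacter */
        "",                                 /* rejected: empty */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char name[NAME_MAX];
        int rc = handle_request(samples[i], name);
        printf("%-34s -> rc=%d name=\"%s\"\n", samples[i], rc, name);
    }
    return 0;
}
```

The point of the bounded copy is that the length check happens before any byte is written, and the point of the allow-list is that it decides what is permitted rather than trying to enumerate what is dangerous; a block-list of known-bad characters is exactly the ‘relying on the user to behave’ assumption the post describes.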