Data Breaches 2016 to 2021

Perhaps marketing and finance take priority?

1 Like

Or teaching, since they are educational institutions.

1 Like

Not really applicable in this case. The pwnage was of a third party product. The universities, and hence their students, are victims because they are customers (users) of this product.

Ultimately the attractiveness of third party products comes down to cost. Do you develop it in-house or do you buy a product or service COTS (commercial off the shelf)?

In this particular case, as the article says, COVID was also a factor i.e. a rush to adopt online exam tools because doing exams in person may become unviable for the foreseeable future. That probably meant, in this case, that developing in-house was not an option in the time available.

Most disturbing in that article was:

unencrypted passwords

So, the year is 2020, and computer applications are still storing passwords in plaintext (rather than salted and hashed)?

Curiously, it also says:

“We understand the data relates to people who were registered as users of ProctorU’s services on or before 2014," the spokesperson said.

So someone hacked this data 6 years ago and sat on it for 6 years??

2 Likes

More likely someone has been using it for the last six years but it has finally come to the universities’ attention.

2 Likes

… and best case scenario … the third party product was storing passwords in plaintext back in 2014 but in the ensuing 6 years has now fixed that?

1 Like

Here is a real doozy.

3 Likes

From the article:

The Transport for NSW spokeswoman said some drivers request a new licence in a case when they believe they’ve been impacted by identity fraud.

So you get a new driver’s licence number. You don’t get a new name, date of birth, address or face.

This sounds like yet another failure of outsourcing and privatisation, and another area in which Australian law is lagging behind the need for privacy.

4 Likes

I have not had membership in the IEEE for over a decade nor have I been a donor, yet today I received a notice that my details were included in a hacking breach at their fundraiser. The opening paragraph…

IEEE and the IEEE Foundation take the privacy of our members and donors seriously. The company that provides our fundraising and donor engagement systems, Blackbaud, notified us of a data security incident that occurred between February and May 2020. Blackbaud reported the ransomware attack affected hundreds of their educational-institution and non-profit clients worldwide, including IEEE… Based on the information provided by Blackbaud, IEEE and the IEEE Foundation have reason to believe that your data may have been included in Blackbaud’s data incident. The data that was accessed may include …remain vigilant and promptly report any suspicious activity to the proper authorities and financial institutions …

The message also says Blackbaud has reported that the cybercriminals destroyed the stolen data; they know this how? Very reassuring. Right it is.

This reinforces that information on the internet can have a half-life, not an expiration date.

4 Likes

They paid the criminals to delete rather than publish, and rely upon the honesty of criminals who want to blackmail others in the same manner - in other words, a pinky promise.

3 Likes

Moving completely into the realm of speculation … a site with very good security but (by definition) not good enough security may be able to see exactly what functions were executed by the hackers.

For example, a site with very good network controls may have successfully blocked exfiltration but the hackers had enough access to delete or alter data (e.g. SQL injection attack) - and the (off-host, append-only) SQL logs show that the hackers did that.

On the other hand, the large time range for the hack and the fact that it is some months in the past

a data security incident that occurred between February and May 2020

is not reassuring that this would have been the case! :frowning:

Yep. Once information is collected, it can live forever, with copies being held by various criminal organisations, including governments, activists, organised crime, casual hackers, …

2 Likes

It’s a shocker - when you think how many different places will accept a driver’s licence for identification purposes.

Doesn’t the ABC use the exact same screenshot every time? It seems that all hackers use Ubuntu. :slight_smile:

Three of those are possible. :wink:

It may be too early to say that. Even if true, it is not as if government departments have never in the past “mistakenly left exposed” information that has been collected by government.

The form that is shown in the article can be found here: https://www.rms.nsw.gov.au/documents/about/forms/45071726-tolling-notice-statutory-declaration-companies.pdf

Let’s wait for the full facts before letting RMS itself off the hook.

2 Likes

There is no such thing as ‘good enough’ security - you can only ever claim that there are no known vulnerabilities. IT security is always going to involve fixing things after the door has been kicked down.

Once the hacker has exfiltrated your data, you actually need to rely upon more than their promise not to release it. Generally hackers now work in groups for these larger ransomware attacks, so you need to trust each member of the group not to release the data (for example, selling it on the side). You also need to trust that the data has in fact been deleted properly, and no traces are left anywhere. Finally, you have to trust that the hacker has properly secured the data it exfiltrated.

Point taken, but my suspicion would be that the data is held by a company that operates a toll road based upon the number of records accessed and the data that was stored.

The Commonwealth is definitely on the hook, for not having adequate data security and breach notification laws.

4 Likes

I don’t think it will be too long before it appears for sale if it hasn’t already. I haven’t gone looking yet, and I probably won’t bother for a while until curiosity gets the better of me, but this data normally appears within hours; they may have held off until the ransom was paid. Reddit and pastebins etc. are the usual method, but with photos included it may get better money on the dark web.

If the Govt thinks they have control of this one they are deluded.

3 Likes

So is the following the same data breach or a different data breach? I think a different one. If you live in NSW then that’s two bites at the cherry …

There’s our “Ubuntu hacker” again …

3 Likes

This is so relevant here and under tenancy blacklists I am cross posting it. This appears to be a farcical and cynical finger at ‘us’.

1 Like

It would appear to highlight a gap in Australia’s Notifiable Data Breaches (NDB) scheme. If a company is able to deny that a breach occurred when in fact a breach did occur and resist the investigation by the OAIC then the company may get away with it.

I am not clear whether the company in this case is arguing that it is not covered by the NDB scheme at all.

Normally, denying that a breach occurred is impossible because someone leaked or hacked, and the data comes into the public sphere such that it is persuasive that a breach has occurred and such that denials that a breach occurred are not credible.

In other words, what is anyone’s basis for believing that a data breach occurred? Presumably the OAIC must have a prima facie case.

A tiny “breach” in the overall scheme of things but: https://www.abc.net.au/news/2020-10-01/dfat-email-fail-addresses-australians-overseas-coronavirus/12719804

That’s gonna be a looong email if someone forwards it!

1 Like

Not to mention the ReplyAll storms that it could create. Rolls eyes.

1 Like

Major US Government agencies discover they have been hacked.

3 Likes