Data Breaches 2022 onward (including Optus)

Different scenarios?

  1. The first of the 200 posts in this topic (this is now no. 201) was about the loss of data through an external actor penetrating the system and resulting in large loss of data. Each example that comes to public view has its own unique story of how this occurred. Typically such breaches are discovered and hopefully those affected advised; the victims are many, and the bad actors are well removed from the enterprise affected. Untouchables! The damage is significant and risks for many long term.

  2. It’s also evident (per recent posts) there are concerns a breach can occur through a deliberate act of an insider. Someone with the appropriate authorisations (level of access) necessary to target individual records. Motivations can differ, but the methodology is the same in most instances. It’s suggested in a well controlled system it’s difficult for the person accessing a record to evade identification due to system monitoring. Although it may not be readily apparent until subsequent events give cause for concern. The impact which can be life threatening is usually limited to one or a few individuals. It’s open to suggest many of these types of breaches may not be detected, or the true extent not publicly revealed.

The same but different?

1 Like

Many of the most senior staff and finance arms in companies are often disinterested in making their systems and network secure to best practices of the time because of cost and their innate belief that ‘she’ll be right’, and often a misunderstanding (or denial) of how difficult it can be. They do little or pretend they care to window dress their IT budgets.

Without serious accountability in Australia the inevitable is happening where the standards deployed have been and in cases remain woefully behind the times and will stay there until people who understand the problem are promoted and budgeted to own fixing the problem; and most importantly, getting it done being less costly than any fines or cleanup at the cost of the affected if/when it happens.

What we have is the arch-conservative approach over decades where ‘nothing gets done until it needs to be done’, e.g. reactive government. Now that it has broadly hit the fan (evidenced by this topic), this legal office’s summary from Feb 2023 avoids technicality, but as I scan through (admittedly quickly and it is high level) perhaps there is more dancing around the hat by adding layers of text, rules, and regulations that may be complex enough for companies to meet the standards while avoiding actually addressing their security. e.g. another few hundred pages of privacy notices to accept might suffice?

Many of the words used remain undefined or undefinable and may make it to the end legislation/codes. Those responsible seem to have employed the ‘experts’ who drafted the ACL. Unless it is tightened up it might be providing work for [class action] lawyers?

1 Like

Aim too high and there’s a risk of missing the target. :wink:
One should never underestimate opportunity.

There’s some irony, considering the quality of legislation and how many politicians have legal backgrounds. If it was a chef’s mindset to turn robust stock into a flavourless watery soup, they’d have few takers.

More medical data breached, albeit that this looks like incompetence rather than malice: Patients told to contact NT Health following privacy breach of identifiable medical records - ABC News

Yawn. Another item about a minor issue from years ago. There is no actual breach of personal data. Just a potential. Big difference.

Sometimes I despair at the quality of the ABC news website. And particularly anything coming out of NT.

A few years ago, yes. Perhaps the fact that they are disclosing the data breach now is an indication of a declining public appetite for “she’ll be right” when it comes to data security. Or maybe there’s a political dimension to it too. :wink: Or just “taking out the trash”.

I don’t see why you are calling this a potential breach. Actual personal health information was sent to an external IT vendor.

(I’ve been on the other side of it. It is difficult to do good development and good testing without real data but I don’t think real, highly personal, medical data should ever be made available for that purpose if indeed that was the reason for the data breach. It could, alternatively, just have been an out and out stuff-up.)

1 Like

Just a lazy 6 years: Toyota Australia says customers' information may have been publicly accessible for six years - ABC News

1 Like

Another: Russian-linked hackers taunt HWL Ebsworth over data breach, claim to have published documents to dark web - ABC News

2 Likes

I suppose the PwC issue could be considered a ‘data breach’, in that staff were using data from inside the tax office to spruik for business outside the tax office.

Of course, it is a self-inflicted data leak - but costs associated are likely to be at the high end, both reputationally and financially.

2 Likes

To manage potential conflicts of interest large enterprises providing financial advice/services have in place corporate policies. The old school phrase “Chinese Wall” describes the principle.

One might suggest it’s a data breach. Alternately one could suggest one or more of the leadership team made a conscious decision to use information available to one team to inform the priorities of another. With government, regulators and law enforcement now aware of what has occurred

… the Tax Practitioners Board found Mr Collins shared that secret knowledge with people within PwC, which gave the firm an advantage by being able to come up with ways for companies to get around paying the new tax.

It may be seen as other than a data leak.

2 Likes

Yeah, exactly. If PwC ever gets any more business from the government :rofl:, PwC will have to satisfy the government that they have this in place adequately. It is fairly common in financial institutions.

but

no, I wouldn’t.

A data breach happens when personal information is accessed or disclosed without authorisation or is lost.

Source: Notifiable data breaches | OAIC

It’s confidential information (or should have been LOL) but it’s not personal information.

1 Like

The OAIC has a specific mandate to do with privacy, and its definition reflects that mandate. A proper definition of a ‘data breach’ goes beyond one agency’s remit.

1 Like

I don’t see the PwC situation as a data breach at all.

It is more akin to insider trading on the share market where information not generally known is used for financial gain in trading.

Blatant ignoring of non-disclosure agreements between Gov and PwC, and blatant conflict of interest.

3 Likes

Interestingly though that just expedites the opportunities. Hypothetical:

  • PwC consults with the government helping to design changes to the tax system to reduce multinational tax avoidance
  • the government implements the changes and makes them public
  • PwC now consults with their multinational customers designing ways to defeat the government’s changes

It’s a conflict of interest and a bad look either way - however the “insider” aspect of it means that the multinational customers were able to be ahead of the game. That quite possibly cost the government tax revenue (but only in the short term).

1 Like

I’ve put this in the scams section because I have no clue where it really belongs. I received a letter yesterday, from Latitude (with which I have no relationship) warning of a security breach in which my driver’s licence number, name, address and phone number have been exposed. They say that this information may be held by them from other companies one had a relationship with, in the past, and they name these. The thing is, I have not dealt with any, for something like 20 years. Don’t they have to get rid of this kind of information at some point??

In any case, I’m wondering if anyone else had a similar warning.
I’m now off to the Latitude website regarding the matter and hope to be able to see what I need to do. They seem to be doing all that is necessary on their end and the matter has been handed to the AFP for investigation (underway).

For the curious: http://www.latitudefinancial.com.au/latitude-cyber-incident

It affected more customers than just Latitude. It included past customers of GE which could go back 20 years or more. As customer financial information needs to be retained by financial institutions for many years after accounts are closed or services ceased, GE customer records prior to 2005 could be implicated in the breach.

GE was often the business behind things like ‘pay no interest for x months’ or retailer branded credit cards.

Choice has an article about the breach and potentially affected consumers:

and discusses why they believe data retention beyond that which is legislated seems to go against the spirit of the Privacy Act.

To keep information about the Latitude breach together, your post has been moved to an existing thread which has discussed data breaches, including that of Latitude.

The thread also discusses unreasonably long data retention by some companies.

3 Likes

20 years? Try more than 100 years. It started out as AGC, which was bought by Westpac, who then sold it to GE Capital, who then sold it to an overseas consortium of capital investors who named it Latitude.
All along the way customer data for some types of business would have been retained.

2 Likes

Thanks for that I thought there was a thread but I could not find it because I was searching with wrong terms.

1 Like

So many hundreds of people have been affected. Much of my info is out of date, but address and driver licence not so much. I’ve only been here 20 years but it depends on where/when the info originated I guess. If it was older, everything is out of date except my d/l. If more recent… I haven’t been taking out loans though I did consider GE at one point when Apple was using them as a finance option. Did not go through with it, and cannot remember how much info I put into an application (if any… can’t even remember that!!)

A big one for us all was the HWL Ebsworth data hack by the ?Russian? group called BlackCat aka ALPHV. The big 4 banks and a huge amount of Government agencies/departments and a raft of others had data taken in the hack of the law firm. Around 4 terabytes of data was taken and it includes huge amounts of consumers’ data including ID, loan details and other information.

This is going to be a huge nightmare for a lot of us and for many public and private entities.

How was it stored, why was it there, and how was it accessed are some of the questions we should get answers to but are unlikely to.

The injunction of the Court ordering the hacking group to stop releasing data is sure to stop them doing so isn’t it, as they are law abiding citizens who would never dream of stealing data or of breaking any law of Australia (or anywhere else for that matter). I hope my sarcasm and cynical nature in this regard is clearly obvious.

3 Likes