The Gov is certainly aware of the problem of ID checking and document retention and is working on it, as has been previously posted.
However, that doesn’t address the information that organizations need to keep about customers that relates directly to their operations. And wherever there is data, it needs to be managed, and that needs administrators with privileged access. There is just no getting around that. Those administrators need to be managed and controlled at a low management level, not at some CEO or board level.
Only if damages to those affected are imposed. Often the results of cases are fines but not damages for the victims. Often victims are left with the greater part of their costs being met out of their own pockets.
Even if damages are contemplated or given, they cover some of the burden but not the entire burden. Put in the hands of no win, no pay, the results for some can be pitiful. I personally know of one case where the result the victim got was 1/8 of the money cost and no payment for the ongoing pain and suffering that remains as a result of the breach.
It would be more equitable if victims were properly compensated but most often they aren’t and are made victims again by the processes that are required to address the security breach they suffer.
I also didn’t say that remediation couldn’t or shouldn’t be taken into some account in the fine imposed. I just believe it should not greatly diminish the fine. I more strongly believe that CEOs, Boards, and very senior management should have greater penalties imposed for their failures to adequately protect the personal data they hold of their clients and consumers. Breaches will occur even in well-protected systems; the onus should be on the Board and senior management to prove they used and paid for at least decent and adequate protection of those systems. If they can’t, then they must be made to pay a severe penalty.
Agree - we need solutions that remove vulnerability within the systems. Reliable and safe/secure ID verification and limiting access by front end systems to only the information essential to daily operations.
There are various ways to express the roles of boards and executive management. Are they responsible for what happens with staff in more direct management and support roles? The “horse’s head” offers the following.
Australian Institute of Company Directors: ‘What Is The Relationship Between Management and the Board’
The board of directors holds fiduciary duty to serve the organisation’s best interests. Core board roles include guiding strategic direction, overseeing risk management, monitoring performance and shaping ethical culture. Boards appoint the CEO, set executive limitations and evaluate leadership.
Management refers to the executive team led by the CEO. It is responsible for executing strategy and managing day-to-day operations. The CEO serves as the primary liaison between the board and management.
Often that is the reasoning Boards and CEOs take, in that they aren’t responsible for company failures to protect or use good governance. It is the person who put the patch cable into the port who is the responsible one. It is the person who carried out the policy rather than report the problem (think about whistleblower protections and the sacking of those who complain). Responsibility, unlike trickle-down economics, starts at the top and flows down. It isn’t the bin cleaner who has to first show responsibility; they show what they have been taught or educated about. If we continue to excuse the upper echelons, no change will become apparent.
I struggle to reconcile the choice of the word “leaked” with
Private ratepayer information has been accidentally published on Moreton Bay City Council’s website.
To me, “leaked” in this context implies intention, not accident. Of course, at this early stage of the investigation, it may be that no one really knows what actually happened.
The report does better, if one reads on, including:
accidentally published to the regional council’s website….
…
The data breach included names, residential addresses, email, phone numbers, complaints to the council and details about council investigations.
So it was a data breach and it was an accident.
But no one is saying at this time how it happened. Any thought that it was due to a hack? At this point in time the council is avoiding the question by saying:
“The cause is still to be determined but there is no indication that this is a cyber attack,” the spokesperson said.
It does seem to be an increasing problem. Perhaps an obligation under the Notifiable Data Breach (NDB) Scheme should rest with the third party to “out” itself. That would avoid the legal issues with, in this case, the local council naming the third party.
The current arrangements allow, where outsourcing applies, for the two entities both to be obligated under the scheme but they can coordinate their compliance so as to avoid duplication - which recently seems to mean that
the third party remains anonymous,
the second party takes all of the flak, but
can subtly offload some of the opprobrium onto the unnamed third party.
Not really. The NDB Scheme imposes additional obligations that don’t go away just because you have fixed the original problem.
Regardless, in this scenario the next thing I would do is check the web server logs to see whether the information was actually accessed.
However in this case I am pretty sure that the information was accessed and therefore it is too late for “case closed”.
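The log check described in this post, as an added example that is not from any poster here: it filters combined-format web server access logs for successful fetches of the accidentally published path during the exposure window and separates search-engine crawlers from other clients. The path, window, addresses and log lines are constructed sample values.

```python
import re
from datetime import datetime

# Apache/nginx "combined" log format, e.g.
# 203.0.113.5 - - [14/May/2024:09:12:01 +1000] "GET /x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandex", "duckduckbot", "baiduspider")

def ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined format
    rec = m.groupdict()
    rec["ts"] = ts(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec

def exposure_report(lines, exposed_prefix, start, end):
    """Summarise who successfully fetched anything under exposed_prefix in [start, end]."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(exposed_prefix):
            continue
        if not (start <= rec["ts"] <= end) or rec["status"] not in (200, 206):
            continue  # outside the exposure window, or not a real download (304/403/404)
        rec["crawler"] = any(k in rec["ua"].lower() for k in CRAWLER_MARKERS)
        hits.append(rec)
    humans = [h for h in hits if not h["crawler"]]
    return {
        "successful_downloads": len(hits),
        "distinct_ips": len({h["ip"] for h in hits}),
        "crawler_downloads": len(hits) - len(humans),
        "non_crawler_ips": sorted({h["ip"] for h in humans}),
        "first_access": min((h["ts"] for h in hits), default=None),
    }

# Constructed sample log: one browser download, one crawler fetch, one cached (304)
# revalidation, an unrelated page, and a 404 after the file was taken down.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/May/2024:09:12:01 +1000] "GET /ratepayers/register.xlsx HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/May/2024:09:40:13 +1000] "GET /ratepayers/register.xlsx HTTP/1.1" 200 51234 "-" "Googlebot/2.1"',
    '203.0.113.5 - - [14/May/2024:10:02:44 +1000] "GET /ratepayers/register.xlsx HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/May/2024:11:15:09 +1000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [15/May/2024:08:00:00 +1000] "GET /ratepayers/register.xlsx HTTP/1.1" 404 0 "-" "curl/8.0"',
]

def demo_report():
    # Assumed exposure window: the file was live on 14 May 2024 (local time) only.
    return exposure_report(SAMPLE_LOG, "/ratepayers/",
                           ts("14/May/2024:00:00:00 +1000"), ts("14/May/2024:23:59:59 +1000"))
```

The non-crawler address list is what an investigator would take forward; the crawler hits tell you whether the file may also have been indexed and cached elsewhere.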
Doubtless others share similar feelings on the ACMA.
As you point out the “technical” explanation of the mechanism used by the hackers was revealed by the hackers some time prior.
There are other factors - procedural/organisational - that should have closed the door that was exploited. This is what the ACMA is emphasising in saying:
In short: The Australian Communications and Media Authority claims Optus should have known it had a flaw in its system four years before its customers’ data was stolen in 2022.
The ACMA is proceeding in a court case against Optus, as explained in the report.
The Federal Court filing detailed a number of “vulnerabilities” ACMA believed the Optus system to have.
It said two of the company’s domains had the same coding error for one of its access controls, which left it open to cyber attack.
But ACMA said at one point Optus noticed the error and fixed it — but only on one of its domains.
The other was still left vulnerable.
How the court sees it - legal actions take time (months - years) to prepare and prosecute.
I hadn’t been aware that geographic location aligned with particular skills, especially in an age of telecommuting and an industry such as journalism where one goes where the work is.
I have been to Broome. It has some resorts, a croc farm, a nice Cable Beach with camel rides. Certainly the place for journalists to ply their trade in IT reporting. Not.
Where they should go is where things actually happen, not sit on their Internet feeds and report on things happening a continent’s width away.
Yes. The language in the relevant legislation is inherently vague - such that, just because Optus stuffed up (proven), we should not assume that their actions meet the requirements of that part of the legislation and/or the intention of that part of the legislation. And, gee, even if Optus loses, they can always appeal …
Even so … surely this can be settled out of court with some sort of agreed fine, rather than tying up court hours stretching on for years, making only the lawyers wealthy.
MediSecure gave details about the kinds of data stolen, including full names, phone numbers, dates of birth, home addresses, Medicare numbers, and Medicare card expiry dates.
The government needs to lift its game with the Medicare card at next renewal.
The 6.5 terabytes of data also included some sensitive health information, such as which medications people were prescribed, the name of the drug, dosage, the reason for their prescription, and instructions for taking the medication.
Don’t these people have any kind of exfiltration detection? My internet would be flat stick for a “decade” to exfiltrate that much data.
I think you have to legitimately ask why this information was even accessible online for a company that was not apparently doing anything. However, that exact timing is not known to me, i.e. when they lost the government contract.
Credit card details were not exposed in the breach.
authorities now believe most Australians have been exposed in some way, and some several times over.
And that is dangerous because with driver’s licence and Medicare card details, it becomes possible to defeat even solid online validation, i.e. to usurp someone’s identity with an online entity.