Data Breaches 2022 onward (including Optus)

The Gov is certainly aware of the problem of ID checking and document retention and are working on it. As has been previously posted.

However, that doesn’t address the information that organizations need to keep about customers that relate directly to their operations. And wherever there is data, it needs to be managed. And that needs administrators with privileged access. There is just no getting around that. Those administrators need to be managed, and controlled at a low management level. Not some CEO or board level.

Only if damages to those affected are imposed. Often the results of cases are fines but not damages for the victims. Often victims are left with the greater part of their costs being met out of their own pockets.

Even if damages are contemplated or given, they cover some of the burden but not the entire burden. Put in the hands of no win no pay the results for some can be pitiful, I personally know of one case where the result the victim got was 1/8 of the money cost and no payment for the on-going pain and suffering that remains as a result of the breach.

It would be more equitable if victims were properly compensated but most often they aren’t and are made victims again by the processes that are required to address the security breach they suffer.

I also didn’t say that remediation couldn’t or shouldn’t be taken into some account of the fine imposed. I just believe it should not greatly diminish the fine. I more strongly believe that CEOs, Boards, and very senior management should have greater penalties imposed for their failures to adequately protect the personal data they hold of their clients and consumers. Breaches will occur even in well protected systems, onus should be on the Board and senior management proving they used and paid for at least decent and adequate protection of those systems. If they can’t, then they must be made to pay a severe penalty.

1 Like

Agree - we need solutions that remove vulnerability within the systems. Reliable and safe/secure ID verification and limiting access by front end systems to only the information essential to daily operations.

There are various ways to express the roles of boards and executive management. Are they responsible for what happens with staff in more direct management and support roles. The “horses head” offers the following.
Australian Institute of Company Directors: ‘What Is The Relationship Between Management and the Board

The board of directors holds fiduciary duty to serve the organisation’s best interests. Core board roles include guiding strategic direction, overseeing risk management, monitoring performance and shaping ethical culture. Boards appoint the CEO, set executive limitations and evaluate leadership.

Management refers to the executive team led by the CEO. It is responsible for executing strategy and managing day-to-day operations. The CEO serves as the primary liaison between the board and management.

2 Likes

Often that is the reasoning Boards and CEOs take, in that they aren’t responsible for company failures to protect or use good governance. It is the person who put the patch cable into the port that is responsible one. It is the person who carried out the policy rather than report the problem (think about whistleblower protections and the sacking of those who complain). Responsibility unlike trickle down economics starts at the top and flows down. It isn’t the bin cleaner who has to first show responsibility, they show what they have been taught or educated about. If we continue to excuse the upper echelons no change will become apparent.

1 Like

Meanwhile: City of Moreton Bay council launches investigation as private ratepayer information leaked online - ABC News

I struggle to reconcile the choice of the word “leaked” with

Private ratepayer information has been accidentally published on Moreton Bay City Council’s website.

To me, “leaked” in this context implies intention, not accident. Of course, at this early stage of the investigation, it may be that noone really knows what actually happened.

2 Likes

We know exactly what happened. The ‘third-party provider’ done it. As usual, unnamed.

Why it happened? Someone put it onto the website. So take it off. Case closed.

Unless those cute little watchpuppies at OAIC want to do a bit of yapping and make a case of it.

The report does better, if one reads on, including:

accidentally published to the regional council’s website….

The data breach included names, residential addresses, email, phone numbers, complaints to the council and details about council investigations.

So it was a data breech and it was an accident. :thinking:
But no one is saying at this time how it happened. Any thought it was due to a hack? At this point in time the council is avoiding by saying:

“The cause is still to be determined but there is no indication that this is a cyber attack,” the spokesperson said.

1 Like

It does seem to be an increasing problem. Perhaps an obligation under the Notifiable Data Breach (NDB) Scheme should rest with the third party to “out” itself. That would avoid the legal issues with, in this case, the local council naming the third party.

The current arrangements allow, where outsourcing applies, for the two entities both to be obligated under the scheme but they can coordinate their compliance so as to avoid duplication - which recently seems to mean that

  • the third party remains anonymous,
  • the second party takes all of the flak, but
  • can subtly offload some of the opprobrium onto the unnamed third party.

Not really. The NDB Scheme imposes additional obligations that don’t go away just because you have fixed the original problem.

Regardless

in this scenario the next thing I would do is check the web server logs to see whether the information was actually accessed.

However in this case I am pretty sure that the information was accessed and therefore it is too late for “case closed”.

2 Likes

The gift that keeps on giving? What the ACMA has to say about how and why Optus was hacked.

2 Likes

Yeah. ACMA are really up to date. And there was never any ‘cyber attack’.

Also noted the author of the ABC article is located in Broome. Not a location I would associate with credible reporting on IT issues.

1 Like

Doubtless others share similar feelings on the ACMA.

As you point out the “technical” explanation of the mechanism used by the hackers was revealed by the hackers some time prior.

There are other factors - procedural/organisational that should have closed the door exploited. This is what the ACMA is emphasising in saying:

In short: The Australian Communications and Media Authority claims Optus should have known it had a flaw in its system four years before its customers’ data was stolen in 2022.

The ACMA is proceeding in a court case against Optus, as explained in the report.

The Federal Court filing detailed a number of “vulnerabilities” ACMA believed the Optus system to have.
It said two of the company’s domains had the same coding error for one of its access controls, which left it open to cyber attack.
But ACMA said at one point Optus noticed the error and fixed it — but only on one of its domains.
The other was still left vulnerable.

How the court sees it - legal actions take time (months - years) to prepare and prosecute.

2 Likes

I hadn’t been aware that geographic location aligned with particular skills, especially in an age of telecommuting and an industry such as journalism where one goes where the work is.

2 Likes

I have been to Broome. It has some resorts, a croc farm, a nice Cable beach with camel rides. Certainly the place for journalists to ply their trade in IT reporting. Not.

Where they go should be is where things actually happen. Not sit on on their Internet feeds and report on things happening a continent width away.

More on the Medibank breach.