As the previous topic on data breaches was becoming extended, this is the new season of breaches.
2016 to 2021
2022 to 2023 (includes initial release of Optus breach)
I recently received an email from a former employer advising that they had experienced a cyber security event and my details could have been exposed. I stopped working for this company approximately 12 years ago. Should they have deleted ex employees data after 7 years? They did provide 2 years access to a credit reporting agency at their cost. I was also caught up in the Optus data leak. They did not offer this.
Advice on keeping records includes obligations to retain specified records for 7 years, and some for 5 years. There is also a general recommendation to retain other records, time periods not specified.
Employee records | business.gov.au
It's a challenging question, given ex employees may make claims long after leaving for occupational related illness, or other. There is no mention in the reference to destroy or delete records after any time.
My gut answer: yes
Another answer: It's not "all or none". They can retain very basic information such as your name and when you started and when you left and perhaps your role history - while still deleting information that is more useful for cybercriminals such as address, phone, identifying document numbers, tax and financial information, ...
Other answer: Archive after 7 years so that older records are only available in encrypted offline storage.
You can lock your credit record - and that is free. (I was caught up in the Optus breach and I locked my credit record. However this is a two-edged sword, so consider carefully.)
Indeed that is a possibility. One, likely controversial, answer for that is that the government should legislate hard time limits on when claims can be made. So, after 7 years, records by law must be deleted but as a complementary measure no claims can be made after 7 years. This should not be wildly controversial because after 7 years you may have greater difficulty proving that it was that specific employer "what dun it" - rather than a previous employer, a later employer, or anything that is unrelated to employment.
However we digress from the topic of data breaches.
And today the courts in Victoria: Cyber attack on Victoria's court system may have exposed recordings of sensitive cases - ABC News
hackers accessed an area of the court system's audio-visual archive. That would mean recordings of hearings including witness testimony from highly sensitive cases may have been accessed or stolen.
(thereby potentially exposing the identity of some witnesses in "highly sensitive cases")
(add to that the whole Victorian justice system Lawyer X debacle ...)
It always disturbs me greatly that anyone anywhere thinks it's a good idea to have such records accessible to the internet. Airgap, people!!
I also initially thought that, but there are many records, especially in the HR and safety area, which need to be kept almost indefinitely (at least for the lifespan of employees).
Many matters relating to employment don't have statute of limitations, and as reported from time to time in the media, there can be allegations raised many decades after employment ceases. As employers become party to any litigation (if the subject of the allegation occurred in the workplace), records need to be kept in order to respond to any allegations.
Maybe your other answer might be a prudent measure.
Which is a fair reason to keep archives. There would be nothing wrong with records of past employees being archived offline however so that their data is not accessible without physical access to the premises. You would not have to access that archive very often.
IMHO, it should be mandatory for every entity that collects personal information to remove such data from all online systems once it's no longer active. If there is any good reason to retain it for some length of time, that must be in offline archives.
It would be most unusual that such historical data must be accessed often enough to justify keeping any of it online.
As I wrote: the government should legislate hard time limits on when claims can be made.
Unless the archive is stored offsite, hence why I wrote: encrypted offline storage
That way neither a rogue employee of the third-party data storage company nor someone who breaks into their premises can access any useful information.
If archived content is stored onsite then same deal. It should be encrypted.
A fair point and a good first step. However once information gets archived, there is a risk that it is kept "forever" i.e. it becomes less likely that the intent of the current privacy law will be achieved.
When the Data Retention period finally, really, actually expires ... which company is going to bother to bring archived material onsite / online in order to remove expired material?
One approach is to ensure that the offline archived material is encrypted. Then when the material is old enough for "expiry", you just delete the encryption key (assuming that the encryption key is rolled over according to a predictable and known schedule and assuming that the keys themselves are correctly managed).
There are sufficient examples of legally recognised claims being made many years after someone leaves an employer. The legal system has accepted long time retrospective workplace occurring claims of employee/s against another employee of the business. Occupational claims can relate to events or exposures decades prior. Asbestos and coal dust are just two that might stand out to the community.
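The key-deletion approach in the post above, as an added example that is not from the thread: each archive period gets its own independent key, and "expiry" destroys that period's key instead of retrieving the archive to delete records. The cipher construction, the in-memory key store and the record contents are my own constructed stand-ins.

```python
# Added example (not from the thread): crypto-shredding of an offline archive.
# Records are encrypted under an independent random key per retention period
# (here one key per calendar year of archiving). Expiring a period deletes that
# year's key; the ciphertext can stay in the archive but is no longer recoverable.
# The cipher is a constructed HMAC-SHA256 counter-mode keystream with an
# encrypt-then-MAC tag, used only so this runs on the standard library; a real
# archive would use an AEAD such as AES-GCM and a managed key store (HSM/KMS).
import hmac, hashlib, os, struct

_KEYS = {}   # period label -> (enc_key, mac_key); constructed in-memory key store

def key_for_period(period):
    """Return (and lazily create) the independent random keys for a period."""
    if period not in _KEYS:
        _KEYS[period] = (os.urandom(32), os.urandom(32))
    return _KEYS[period]

def _keystream(key, nonce, n):
    """PRF keystream: HMAC(key, nonce || counter) blocks, truncated to n bytes."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return out[:n]

def archive_record(period, plaintext):
    """Encrypt one record under its period's key. Returns nonce || ct || tag."""
    enc_key, mac_key = key_for_period(period)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def restore_record(period, blob):
    """Decrypt a record; None if the period's key is gone or the tag fails."""
    if period not in _KEYS:
        return None          # key destroyed: record is unrecoverable by design
    enc_key, mac_key = _KEYS[period]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None          # tampered or corrupted archive entry
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def expire_periods(cutoff_period):
    """Destroy keys for every period <= cutoff; returns the periods shredded."""
    gone = [p for p in _KEYS if p <= cutoff_period]
    for p in gone:
        del _KEYS[p]
    return gone
```

Whether the schedule is by calendar year or by employee departure date, the property that matters is that each period's key is independent, so deleting one never weakens the others.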
The potential calls on employee and related business records suggest secure retention should be a high priority. Whether for personal or financial remedy.
In 2002 I needed a statement from a NSW and a Qld government agency regarding my employment status 30 years earlier. NSW was unable to provide it but Qld was.
I suspect Qld still had and has warehouses full of old paper records, all neatly indexed and filed.
A similar document was needed from a US government agency. The original was retrieved 15 years after the fact from a warehouse.
It is not just the internet and electronic media that may have infinite lives - or at least until the paper crumbles.
This won't be supported for safety or some HR matters. Take exposure to a hazardous material, where the exposure takes many decades (50, 60 or even 70 years) to show an impact. Under current legislation, as the exposure occurred in the workplace, the employer takes on the responsibility for the impact. Supplementary information about the exposure also needs to be kept, such as whether the hazardous material was present at the workplace, controls in place to manage the hazardous materials, employee training undertaken/records, whether a particular employee had potential to be subject of exposure and the list goes on.
Some matters such as allegations about misconduct (such as bullying, sexual harassment, discrimination) could have statute of limitations, but if they are brought into workplaces, possibly these would also need to be adopted for civil cases as well (for consistency).
I believe that the simple solution is what you have outlined above. There should be a limitation to the timeframes information is readily available. After this timeframe, any records which need to be kept should have restricted access and not accessible to anyone except those in the business/organisation with necessary delegations/authorisations. This could include archiving, encrypting and storing somewhere where there isn't ready access.
Mate, I know it won't be supported (by whom?). I said at the outset: "likely controversial".
At the end of the day, whether there is a limitation and, if so, what number of years it is ... is wildly inconsistent between civil and criminal and between different occurrences (within one jurisdiction, never mind about between different jurisdictions), and
there is nothing sacred about any such limitation period value. It is always 100% at the discretion of the parliament to legislate what the period is.
True enough but as I noted, in that case if you launch a civil case 70 years after your employment commenced and has long since ended, how do you prove that it was that particular employer who should be paying up? (since you may have had a long working life, working with similar hazardous material for a number of employers - as well as undertaken activities in your life unrelated to employment)
The trend in recent times has been towards longer limitation periods.
(We even have the bizarre and erratic situation in New York state, and some other states in the US, where the statute of limitations has been temporarily suspended. The threat of such legislative behaviour effectively means that records can never be deleted even if the limitation period has been reached. Of course this measure in the relevant US states has resulted in literally thousands of claims coming out of the woodwork i.e. "woodworkers".)
Anyway ... the key point is that the lack of a reasonable limitation period
There are other options.
While not applicable to the specific scenario being discussed here ("woodworkers"), other organisations have chosen de-identification as a strategy for "old data". So you do keep the data forever but it becomes separated from PII, in some way or other, after X years. (De-identification is not regarded as perfect but from the point of view of the cybercriminal, it is likely to make the data much less attractive.)
So deletion, airgap, offline, offsite, de-identification ... could all be part of the solution. However for that to happen the holders of data will have to come to the realisation that there is a problem.
Low cost, high reward: The hackers holding Australia to ransom
According to the Australian Signals Directorate, more than 127,000 hacks against Australian servers were recorded between the 2022 and 2023 financial years - an increase of more than 300 per cent over the prior year - and O'Reilly says that matches what he's seeing on the ground.
The federal government's "six shield" strategy includes $291 million in support for small and medium-sized businesses, including the creation of a cyber health-check program offering free and tailored cybersecurity assessments to business owners. It has a stated goal of making Australia the world's safest cyber nation by 2030.
We can but hope...
Hope is great but security comes from the expenditure of effort. That means that security has to figure somewhere in a business's priorities.
"safest nation" is probably optimistic anyway but
I have no problem with the government doing unsolicited external white hat probing of businesses (regardless of the size of the business). If the government isn't doing it then you can be sure that criminals are doing it anyway.
I suspect that North Korea probably qualifies as the "safest nation" in cyber-security terms, with Cuba possibly also in the running. I probably should not omit Gaza, the West Bank and Lebanon. Ukraine will have leapt up the rankings in the last couple of years.
In other words, if you really want the best cyber-security then either don't be online or be the ongoing target of another nation state. And in the latter case, Russians are still causing enormous disruption. (I suppose a top quality "red team" could be the equivalent to a nation state, but the cost would be prohibitive.)
Fair enough that that's another approach on it. But let's say we mean: safest while still allowing unrestricted access by the customer to the internet. So the meaning is that the lack of a computer or the lack of internet access is not "safety".
Also, I don't know how safe North Korea would really be. Sure, you are "safe" from outside influences but are you safe from your own government if you live inside a great firewall?
MOAB (Mother Of All Breaches) has been found on the internet. It contains at least 26 Billion records. Most of the detail has already been part of past releases, this one has indexed and made searchable the whole 26 Billion. Link is below, it will take you to the article. All up, the MOAB is 12 Terabytes of data, that's a huge amount of data.
https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/
I think you mean Lot's oldest son and founder of the kingdom peopled by the Moabites. Not to be confused with the Jeroboamites (who I think had something to do with the walls of Jericho?).
In other interesting/concerning/puzzling security news, a bit of self-reporting by Ars Technica:
Fortunately the attack only worked on systems that had already been infiltrated, but this is another example of why you cannot trust third parties such as advertisers.
No, nothing about biblical Moab or Moabites in the article
Obviously
that MOAB acronym has been used at least by the US Military to describe their most powerful non-nuclear bomb. In this case I think the name used for that giant bomb of data was an allusion to that military item.
I have the opinion the Ars Technica issue more a virus/hack/malware issue than a data breach. From the information explained in the article, the malware was then sometimes used to install a Crypto-mining hack of the infected machines.