cyber attack – Cyber Law Watch

“Grandma, I have [not] been kidnapped”: The FCC Bans AI-Generated Robocalls

Feb 12 2024

By Andrew Glass, Gregory Blase, and Joshua Durham

Effective immediately, the Federal Communications Commission (FCC) banned AI-generated phone calls with its recent Declaratory Ruling (the Ruling). Known as audio or voice “deepfakes,” AI can be trained to mimic any person’s voice, resulting in novel scams such as grandparents receiving a call from their “grandchild” and believing they have been kidnapped or need money for bail. FCC Commissioner Starks deemed such deepfakes a threat to election integrity, recalling that just recently, “potential primary voters in New Hampshire received a call, purportedly from President Biden, telling them to stay home and ‘save your vote’ by skipping the state’s primary.”

California Proposes Cybersecurity Requirements for Businesses

Oct 11 2023

By: Eric Vicente Flores, Avril Love, and Whitney McCollum

In recognition of Cybersecurity Awareness Month in the US, we will be bringing awareness to relevant 2023 cybersecurity updates each week.

On 28 August, the California Privacy Protection Agency (CPPA) published draft regulations regarding risk assessments and cybersecurity audits for consideration at the Board’s September meeting. The draft regulations precede the formal rulemaking process, but provide insight into CPPA’s current priorities.

Apr 27 2023

By Cameron Abbott, Rob Pulham, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

We saw last year how low hackers are willing to stoop to shame companies into paying ransoms, including leaking sensitive information aimed at embarrassing individuals affected by data breaches. As a result we also saw prominent calls for ransom payments to be ‘banned’, to reduce the financial incentives for hackers to target Australians’ personal information.

We are now hearing the flipside to that argument, with AGL Energy warning that a government-imposed ban on companies paying cyber ransoms to hackers could cause “catastrophic damage”.

Dec 14 2022

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

Sep 29 2022

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Over the past two years, the Privacy Act has been the subject of long-awaited reform in Australia however, it seems the Optus data breach may have given it some much needed momentum.

The Optus attack is understood to have affected the details of 11.2m Optus customers, and of that 2.8m individuals have had their driver’s licence and/or passport numbers compromised. The hacker claims to have extracted the data from an API – software that allows two different systems to talk to each other. Therefore, if the claim is true the hacker didn’t need to provide authentication (e.g. a username and password) to retrieve the data.

In the wake of the attack, the Government has shared its plans to pursue substantial reforms that will include increased penalties under the Privacy Act (currently capped at $2.22m per offence) as well as changes to data breach notification laws to allow companies to rapidly inform financial institutions of affected individuals in an effort to minimise fraud.

The data breach also highlights the risks involved in collecting large amounts of personal information and storing this for excessive time periods. While the Privacy Act promotes the collection of a minimum amount of personal information, i.e. only that information that is necessary for a particular purpose and which the entity intends to use or disclose – individuals generally have limited control over how long their information is retained for.

During the initial stages of the Privacy Act review, the Attorney General’s Department sought submissions from entities on their views as to whether individuals should be given the right to have their personal information erased. Optus in submissions to the review argued against such a change stating that the right to erase personal data would involve significant technical hurdles and compliance costs that would outweigh the benefits. Of course this incident has happened just as stores are gearing up for Halloween – a fitting time for those public submissions to come back to haunt them.

Ransomware plan of action

Oct 18 2021

By Cameron Abbott, Rob Pulham and Ella Richards

Following the 60% increase in ransomware attacks over the past year, the Department of Home Affairs has released a Ransomware Action Plan – proposing to introduce mandatory reporting requirements for companies who have been hit by a ransomware attack.

Under the proposal, companies with a turnover of $10 million or more per year will be required to inform the Australian Cyber Security Centre soon after experiencing a ransomware attack and will face civil penalties if they fail to comply. The government is also planning to introduce a standalone offence for cybercriminals who seek to target critical infrastructure as part of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

This document is part of Australia’s overarching 2020 Cyber Security Strategy, with industry and community consultation anticipated in the near future. Stand by for further developments.

Class action following ransomware attack on Colonial Pipeline

Jun 07 2021

By Cameron Abbott and Jacqueline Patishman

Last week we posted about a ransomware attack on the American Colonial Pipeline Company. This week, the Company has been hit with a class action alleging that a range of US businesses and consumers suffered loss as a result of Colonial Pipeline’s decision to cut its supply of fuel until the ransomware attack was resolved. Meanwhile, the Company is still not entirely back on track – Colonial’s main website is still offline.

Nov 02 2020

By Cameron Abbott, Keely O’Dowd and Max Evans

Back in February, we blogged about the large scale ransomware attack experienced by Toll Group.

IT News reports Toll is still “mopping up” the damage caused by these attacks. Since July, Toll has embarked on a year-long accelerated cyber resilience program incorporating teams in India and Australia which led to the appointment of former Telstra Asia Pacific CISO Berin Lautenbach as Toll’s global head of information security in August.

Sep 18 2020

By Cameron Abbott and Keely O’Dowd

News reports have surfaced that a woman in Germany has died due to a delay in receiving medical care. What is most concerning about this death is the circumstances in which the woman tragically passed away.

According to reports, the woman needed urgent medical treatment and the hospital she presented to, Duesseldorf University Hospital, was unable to admit her as it was dealing with a ransomware attack.

The hackers exploited a vulnerability in a widely used commercial add-on software. This attack caused a failure in the hospital’s IT systems resulting in it being unable to access data and diverting emergency patients elsewhere. The woman was redirected to a hospital approximately 30km away from Duesseldorf University Hospital, which led to a delay in the woman receiving treatment. Unfortunately the delay proved fatal and the women passed away before she could be treated.

By Cameron Abbott, Keely O’Dowd and Max Evans

The Office of the Australian Information Commissioner (OAIC) has released its report on notifications received under the Notifiable Data Breaches scheme for period January to June 2020.

The OAIC reported 518 breaches were notified to it in the relevant period. The OAIC noted a 3% decrease from the 532 breaches notified in the period July 2019 to December 2019. However, there was a 16% increase on the 447 notifications received during January to June 2019.

Tag:cyber attack

“Grandma, I have [not] been kidnapped”: The FCC Bans AI-Generated Robocalls

California Proposes Cybersecurity Requirements for Businesses

Proposed cyber ransom bans predicted to cause “catastrophic damage”

New Privacy Enforcement Act commences in Australia

Privacy and cybersecurity laws expected to undergo a significant overhaul in the wake of Optus data breach

Ransomware plan of action

Class action following ransomware attack on Colonial Pipeline

Continuing to take its Toll: Toll Group still feeling impacts nine months after experiencing Ransomware Attack

First reported death connected to misfired ransomware attack on German hospital

Cyber Criminals “King of the (Data Breach) Jungle”: 61% of all Data Breaches caused by Malicious or Criminal Attacks, according to OAIC Report