CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.


Privacy Awareness Week (Personal Data): technology suspicion – consumer concerns surrounding voice and digital assistants
Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on
Surveillance software targets WhatsApp users
Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia
Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents
Sharing of ‘abhorrent violent material’ now an offence under new laws
Consumer Data Right Draft Rules – submissions closing soon
Scammers are becoming more tech-savvy according to the ACCC’s Targeting Scams report

Privacy Awareness Week (Personal Data): technology suspicion – consumer concerns surrounding voice and digital assistants

By Cameron Abbott, Rob Pulham, Michelle Aggromito, Max Evans and Rebecca Gill

Protecting personal data is a fundamental aspect of any privacy regime. As we become more technologically advanced, organisations are finding innovative ways to interact with consumers through more intuitive communication channels, such as voice recognition via digital assistants. But not everyone trusts such technology, as Microsoft’s April 2019 report on voice assistants and conversational artificial intelligence has found.

The report found that 41% of voice assistant users were concerned about trust, privacy and passive listening. Other interesting findings of the report include:

  • A majority of users (52%) had concerns surrounding security for personal information, and around a quarter of the users (24%) had suspicions surrounding the ways in which companies might use the information.
  • Almost half the users (41%) were concerned with their devices actively listening or recording conversations when idle.
  • Around a quarter of the users (14%) did not trust the companies behind the voice assistant, and 36% of users did not want their personal information or data being used.

According to the report, headlines surrounding topics such as misunderstood commands and unrequested purchases have greatly influenced consumer attitudes towards these forms of technology. Clearly users are struggling to reconcile the competing interests. The technology understands you better the more information it collects from you. Where will you draw the line between these interests?

Privacy Awareness Week (Health Information): Health sector and the notifiable data breach scheme – 12 months on

By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill

It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing the insights drawn from the scheme’s first 12 months of operation. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.

Here’s the health sector at a glance:

  • Of the 964 eligible data breaches notified to the OAIC from 1 April 2018 to 31 March 2019, health information breaches accounted for 249 notifications (just over a quarter of all notifications). This is consistent with international trends which often show the health sector as a leading reporter of data breaches.
  • Human error was the leading cause of data breaches in the health sector, accounting for 55% of the breaches. This is well above the average rate of human-error breaches across other industries (35%).
  • Human error in the health industry typically involved sending personal information to the wrong recipients via email and other forms of communication.

On their face, these figures seem to paint a grim picture for the health sector, which is the leading reporter of data breaches in Australia. However, there may be a silver lining for health organisations. As the Report identifies, the statistics arguably reflect the health sector’s preparedness to report data breaches. This potentially suggests a greater maturity and understanding of their obligations than other sectors that deal with less sensitive data, and could well be influenced by the more regulated nature of the sector, as well as the fact that the sector routinely deals with sensitive health information which inherently carries a higher risk of causing serious harm if misused.

For more insights into health information and the scheme, check out our blog posts “My Health Records – to opt-in, or to opt-out? That is the question” and “Mandatory data breach reporting in 60 seconds”, or feel free to contact us for any assistance or information.

Surveillance software targets WhatsApp users

By Cameron Abbott, Rob Pulham and Michelle Aggromito

Unfortunately for all of us, Privacy Awareness Week doesn’t mean a chance to take a break from seemingly endless data breach notifications and social media vulnerabilities.

This week it’s WhatsApp’s turn, with reports that hackers, or what WhatsApp described as “an advanced cyber-actor”, have been able to remotely install surveillance software on the phones and other devices of select targets, likely to be lawyers, journalists, activists and human rights defenders. The hackers were able to compromise the devices by using WhatsApp’s call function to ring them. The surveillance software was installed even if the call was not picked up, and the call reportedly would disappear from the compromised device’s call log. This means the malware could be installed without any action from the compromised user – and potentially without them even being able to determine that they had been compromised.

The surveillance software effectively rendered the app’s prized end-to-end encryption redundant as it allowed the attacker to read messages on the compromised devices.

WhatsApp released a fix last Friday and has encouraged all its users to update their apps, but some questions still remain.

In particular, while the app update fixes the issue that allowed the attack in the first place, it is not clear if the update can also remove the surveillance software embedded in already compromised devices.

WhatsApp has described the hackers as “a private company that has been known to work with governments to deliver spyware”, which news outlets have reported is Israel’s NSO Group. Regardless of the parties involved, the ability to defy WhatsApp’s encryption is a scary reminder of the potential impact of a “technical capability” that could be required under the recently enacted Australian encryption laws (except that it has not been kept secret!). If you would like to know more about the new laws, check out our recent blog posts ‘What do you need to know about the encryption killing legislation’ and ‘To encrypt or not encrypt? That is the question’, or feel free to contact us for any assistance or information.

Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).

Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and corresponding passwords, are stolen, typically from a previous security breach. The stolen credential combinations are then used to try to gain access to accounts at other sites through automated, large-scale login attempts against those sites’ web applications. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.

The key findings of the Report include:

  • the largest credential stuffing attacks of 2018 occurred in the video media sector. The market for stolen media and entertainment accounts is thriving as the accounts are sold in bulk;
  • the attacks usually occurred after reported data breaches; and
  • checker programs (or “All-in-One” applications) such as SNIPR are common. These programs allow attackers to validate stolen credentials or to generate combination lists. The credentials can then be sold, traded or harvested for various types of personal information.

Recent credential stuffing attacks demonstrate how your entire digital life can be exposed following a data breach paired with a credential stuffing attack. A successful credential stuffing attack can significantly damage a brand’s reputation and increase its operational costs – even though the attack wasn’t the brand’s fault.

Businesses should consider implementing multi-factor authentication, which can be effective in preventing credential stuffing attacks. Consumers should also be educated about phishing emails and the dangers of using the same password for all logins!
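Multi-factor authentication stops a stolen password from being enough on its own, but a business also wants to notice a credential stuffing run while it is happening. The pattern described above (one source trying many different accounts in a short burst, nearly all of them failing) is visible in ordinary login logs. The detector below is an added example written for this post; it is not code from the post, from K&L Gates or from Akamai’s Report. It assumes a simple constructed log format (`<ISO-8601 timestamp> ip=<addr> user=<name> result=<ok|fail>`), uses addresses from the RFC 5737 documentation ranges, and the thresholds (`min_attempts`, `min_distinct_users`, `min_fail_ratio`) are illustrative starting points rather than values from the Report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the original post or the Report).
# One source, 203.0.113.7, cycles through ten different accounts in 18 seconds
# and gets exactly one hit; the other two sources are ordinary users mistyping
# their own password.
SAMPLE_LOG = """\
2019-05-13T09:00:01 ip=198.51.100.4 user=alice result=fail
2019-05-13T09:00:09 ip=198.51.100.4 user=alice result=ok
2019-05-13T09:01:00 ip=203.0.113.7 user=bob result=fail
2019-05-13T09:01:02 ip=203.0.113.7 user=carol result=fail
2019-05-13T09:01:04 ip=203.0.113.7 user=dave result=fail
2019-05-13T09:01:06 ip=203.0.113.7 user=erin result=ok
2019-05-13T09:01:08 ip=203.0.113.7 user=frank result=fail
2019-05-13T09:01:10 ip=203.0.113.7 user=grace result=fail
2019-05-13T09:01:12 ip=203.0.113.7 user=heidi result=fail
2019-05-13T09:01:14 ip=203.0.113.7 user=ivan result=fail
2019-05-13T09:01:16 ip=203.0.113.7 user=judy result=fail
2019-05-13T09:01:18 ip=203.0.113.7 user=mallory result=fail
2019-05-13T09:05:00 ip=192.0.2.9 user=oscar result=fail
2019-05-13T09:05:30 ip=192.0.2.9 user=oscar result=fail
2019-05-13T09:06:00 ip=192.0.2.9 user=oscar result=fail
"""

# Assumed log format; real web servers and identity providers each have their own.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_lines(text):
    """Turn raw log text into a list of attempt records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def detect_stuffing(records, window=timedelta(minutes=5), min_attempts=8,
                    min_distinct_users=6, min_fail_ratio=0.7):
    """Flag source addresses that, within any sliding window, try many distinct
    accounts with a high failure rate. A forgotten-password user trips neither the
    distinct-user nor the attempt threshold, so only the spraying source is reported."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r["ts"])
        best = None
        for i in range(len(attempts)):
            # Extend the window forward from attempt i as far as `window` allows.
            j = i
            while j + 1 < len(attempts) and attempts[j + 1]["ts"] - attempts[i]["ts"] <= window:
                j += 1
            span = attempts[i:j + 1]
            users = {r["user"] for r in span}
            failures = sum(1 for r in span if r["result"] == "fail")
            if (len(span) >= min_attempts and len(users) >= min_distinct_users
                    and failures / len(span) >= min_fail_ratio):
                candidate = {
                    "ip": ip,
                    "first_seen": span[0]["ts"].isoformat(),
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "failures": failures,
                    # Accounts that logged in successfully during the burst are the
                    # ones whose reused password has just been validated: force a
                    # password reset and step-up (MFA) authentication on them.
                    "compromised_accounts": [r["user"] for r in span if r["result"] == "ok"],
                }
                # Keep the single widest matching window per source address.
                if best is None or candidate["attempts"] > best["attempts"]:
                    best = candidate
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_stuffing(parse_lines(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample the only finding is 203.0.113.7 (10 attempts, 10 distinct users, 9 failures) with `erin` listed as the account to reset, which is the defender’s real action item: the successful login inside a stuffing burst is the reused password the attacker now knows works. The thresholds should be tuned against a site’s own baseline, and in production the same logic would key on more than the source address, since large attacks are distributed across many proxies.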

Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents

By Cameron Abbott, Rob Pulham and Rebecca Gill

It’s Privacy Awareness Week and today’s topic is “data breaches”. With data breaches and responding to cyber attacks becoming an inevitable part of doing business, it’s a timely reminder about the importance of adequately resourcing your IT security areas, and of having comprehensive and well-tested data breach response plans in place, as illustrated by the Fourth Annual Study on The Cyber Resilient Organization (Study), conducted by the Ponemon Institute on behalf of IBM Resilient.

The Study surveyed 3,655 IT and IT security practitioners in 11 countries and regions, including Australia. The results of the Study indicate that a majority of Australian businesses are vulnerable to cyber-attacks due to a lack of skilled personnel and incident response plans.

Some interesting results of the Study were:

  • only 22% of Australian respondents agreed that they had sufficient staffing to achieve a high level of cyber resilience (globally the figure wasn’t much higher, at 30%);
  • 79% of Australian respondents did not have a cybersecurity incident response plan (CSIRP) that applied consistently across the entire enterprise;
  • more than half of the Australian respondents who had CSIRPs said they did not test them; and
  • of the 11 countries, Australia reportedly experienced the biggest increase (70%) in the volume of cybersecurity incidents in the past 12 months, compared against 61% overall.

The Study also highlights the key characteristics of “high performing” organisations that are cyber resilient, and emphasises the need to have skilled IT personnel and consistent enterprise-wide CSIRPs.

We all see the regular occurrence of breach events – it is not like we are not well warned. With mandatory reporting the consequences are far more public and painful, but obviously not painful enough for Australian companies to truly tackle the problem head on.

Sharing of ‘abhorrent violent material’ now an offence under new laws

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Governments around the world are imposing more responsibilities on tech providers to deal with online harms. In response to the recent attacks in Christchurch, in which a gunman livestreamed on Facebook his attack on a mosque, the Australian Government recently enacted the Criminal Code Amendment (Sharing of Abhorrent Violent Material) Act 2019 (Cth) (Act). The Act, which commenced on 6 April 2019, was pushed through swiftly and has a broad reach.

Under the Act, internet, content and hosting service providers must refer details of any ‘abhorrent violent material’ that records or streams ‘abhorrent violent conduct’ to the Australian Federal Police. Abhorrent violent material is material that is audio, visual or audio-visual, and that records or streams ‘abhorrent violent conduct’. Such conduct includes acts of terrorism, murder, attempted murder, torture, rape and kidnapping.

Content and hosting service providers must also remove or cease to host abhorrent violent material ‘expeditiously’, which is left undefined in the Act. It is also immaterial whether the content or hosting service is provided within or outside Australia.

The Act also imposes significant criminal penalties on individuals and companies for failing to meet their obligations. For instance, the penalty for a company for failing to delete such violent material is either a fine of up to $10.5 million, or a fine of up to 10 per cent of the company’s annual turnover, whichever is the greater.

The Act will have wide ramifications for tech service providers and any such organisations that may fall under the Act’s scope should implement and check their reporting and screening processes in order to avoid committing an offence under these new laws. As it stands, many such providers are not in any position to comply with these laws.

Consumer Data Right Draft Rules – submissions closing soon

By Cameron Abbott, Rob Pulham and Rebecca Gill

The deadline for submissions on the ACCC’s draft Competition and Consumer (Consumer Data) Rules 2019 (Draft Rules) is fast approaching. The ACCC is seeking feedback from community organisations, businesses and consumers on the approach and positions of the Draft Rules for the Consumer Data Right (CDR) regime until this Friday, 10 May 2019.

Key aspects of the Draft Rules (which are available on the ACCC’s website) include:

  • the three ways in which CDR data may be requested;
  • the requirements for consent to collect CDR data;
  • rules relating to the accreditation process; and
  • rules relating to the thirteen privacy safeguards for CDR data.

K&L Gates has previously blogged on the CDR in relation to the Australian Open Banking regime.

A quick recap: In May 2018, the Commonwealth Government committed to implement the CDR in line with the recommendations of the Review into Open Banking in Australia. The CDR is a competition and consumer reform which aims to give Australian consumers greater control over their data. It will allow a consumer to require a company, such as their bank, to share their data with another accredited service provider, such as another bank or a comparison site, for the purposes the consumer has authorised. The expectation is that this will create more choice for consumers and facilitate competition amongst providers.

The Draft Rules would be made under the proposed Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth), which provides the framework for the CDR.

Although the CDR will initially apply to the banking sector followed by energy and telecommunications, the intention is that it will be rolled out economy-wide on a sector-by-sector basis, so now is a good time to become familiar with the proposed framework and to start planning for its potential effect on your organisation’s processes.

Scammers are becoming more tech-savvy according to the ACCC’s Targeting Scams report

By Cameron Abbott and Rebecca Gill

Australian businesses and consumers were duped into paying scammers with nearly half a billion dollars in 2018 according to the ACCC’s Targeting Scams: Report of the ACCC on scam activity 2018 (Report). The Report also highlights the use of sophisticated technology by scammers.

According to the Report, the most financially harmful scam affecting Australian businesses was the ‘business email compromise’ (BEC) scam. This involved a scammer gaining access to a business’s entire email or IT system. The scammer would then impersonate the business and send emails to suppliers and customers of the business, advising changes to payment details.

The losses from BEC scams exceeded $60 million in 2018, which is a 170 per cent increase from 2017. The global loss from BEC scams between 2013 and 2018 is estimated at US$12.5 billion. Other scams affecting businesses included investment scams and phishing.

A key, and worrying, trend identified in the Report was the increasing use of sophisticated technology by scammers. For instance, victims were tricked into investing in various cryptocurrencies through scammers’ fraudulent software platforms. The reported losses from cryptocurrency investments totalled $6.1 million in 2018, which is a 190 per cent increase from 2017.

Scammers also demanded payments from victims through unusual methods to avoid detection by money laundering systems. Such methods included payments in cryptocurrencies, Google Play cards and iTunes cards. The gift card numbers were then sold on the black market and turned into money.

This provides yet another reminder that your employees are your first line of defence to cyber-attacks and education and consistent reinforcing of warnings is now a critical part of any cyber security plan. Many of our clients are also adopting far tighter verification procedures before implementing any change to vendor payments details.


By Cameron Abbott, Rob Pulham and Rebecca Gill

Telstra’s 2019 Security Report has found that the majority of respondents who have been victims of ransomware attacks have paid the attackers to unlock their files. Many of these respondents successfully retrieved their data after paying the ransom.

Of the 320 Australian respondents, 51 per cent said that they had paid ransomware attackers to regain access to encrypted files. Further, the Report found that 77 per cent of Australian businesses that had paid a ransom were able to retrieve their data after making the payment. Whilst this was the lowest rate of data retrieval post-payment out of the 13 countries in the survey, 79 per cent of the Australian respondents still said that they would pay the ransom again if they had no back-up files available.

The Report also found that the number of ransomware attacks on Australian businesses was higher than in other developed countries such as the United Kingdom, Germany and France. Thirty-two per cent of the Australian respondents indicated that their business had been interrupted ‘on a weekly or monthly basis’ by ransomware attacks.

This explains why ransomware is such a lucrative business for hackers, though we’d recommend having clear and tested backup and recovery processes, and strong cybersecurity measures, as your best fall-back in the event of a ransomware attack – and to save your cryptocurrency for the next market rise!

A copy of the full Report can be accessed here.


By Cameron Abbott and Rebecca Gill

In light of concerns over how personal data is being used by social media platforms and tech companies, the Commonwealth Government has proposed amendments to the Privacy Act in order to more harshly penalise companies for privacy breaches. The new regime, which aims to update Australia’s privacy laws in line with increased social media use, will see tougher penalties for all entities that are subject to the Privacy Act, not just the headline companies like Google and Facebook.

The Commonwealth Government proposes to increase the penalties for serious or repeated breaches by such entities from $2.1 million to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of a company’s annual domestic turnover – whichever is the greater value.

Further, the Office of the Australian Information Commissioner (OAIC) will be given greater powers to pursue and impose penalties on such entities under these reforms. These include the power to issue infringement notices with penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches.

The OAIC will also employ other methods to address breaches effectively, such as third-party reviews and published notices advising of specific breaches. The OAIC could also direct social media and online platforms to stop using or disclosing an individual’s personal information upon request.

The OAIC has welcomed the proposed changes with open arms. The Commonwealth Government and the OAIC hope that these reforms will result in greater accountability and transparency from social media and online platforms without hindering innovation in the online world.

The Attorney-General, Mr Christian Porter, and the Minister for Communications and the Arts, Mr Mitch Fifield, will draft legislation for consultation in the second half of 2019. These reforms will have a wide impact and organisations should consider making submissions during the consultation period given the harsh penalties that can apply. The flood of privacy breaches makes these reforms a significant risk to all corporates.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.