2017 – Page 3 – Cyber Law Watch

Privacy risks in collecting donations

Aug 06 2017

By Cameron Abbott and Olivia Coburn

Charities are increasingly employing commercial approaches to funding, lobbying and fundraising to fuel their invaluable work. In doing so, charities need to be cautious of mishandling the donor’s personal information that they collect together with the donation.

Donors are frequently being asked to provide information such as home address, email address and their mobile phone number. In some instances charities will not accept money unless this personal information is also provided.

EMPLOYEES CELEBRATE CHIP PARTY: Embedding RFID Chips – would you agree to this?

Aug 04 2017

By Cameron Abbott and Olivia Coburn

On 1 August 2017, employees of a Wisconsin-based technology company enjoyed a “Chip Party” – but not the salty kind. 21 of Three Square Market’s 85 employees agreed to allow their employer to embed radio frequency identification chips in their bodies. We are familiar with the Internet of Things, is this the Internet of People?

Three Square Market (known as 32M) highlighted the convenience of microchipping their employees, reporting that they will be able to use the RFID chip to make purchases in the company break room, open doors, access copy machines and log in to their computers.

Elon Musk Acquires X.com

Jul 25 2017

By Cameron Abbott and Olivia Coburn

Elon Musk has repurchased X.com, a website he created 18 years ago in 1999, although his intentions for the purpose of the domain remain unclear.

X.com was one of the world’s first online banks, insured by FDIC and partnered with Barclays. X.com was initially intended to be full service online financial institution, but could not overcome regulatory challenges. At that time, financial regulatory systems were not equipped to deal with the products that X.com was offering, which included online savings accounts, brokerage services and insurance products.

Blockchain Successfully Used in Commercial Leasing Transaction

Jul 24 2017

By Cameron Abbott and Edwin Tan

After years of research and development, ANZ and Westpac have succeeded in utilising blockchain technology for bank guarantees in a commercial leasing transaction. The banks teamed with IBM and shopping centre operator Scentre Group to digitise the paper-based process using distributed ledger technology.

Currently, bank guarantees are usually in the form of a physical letter is that printed on bank letterhead and signed for authenticity. The tenant surrenders the guarantee to the landlord, which the landlord later uses to demand payment from the bank in the event the tenant defaults. This process brings with it several difficulties, such as the requirement to keep the physical document safe from damage and theft, and the potential for forgery.

The use of blockchain technology will allow both parties to rely on the shared ledger as a single non-disputable source as to the existence and status of a bank guarantee, saving time and costs in document management and tracking of the guarantee’s status. Encryption of all records on the ledger ensures that only the parties to the transaction can view its contents, maintaining its confidentiality. In addition, the technology gives landlords the ability to request a new guarantee on behalf of the lender – for example, where incorrect names were provided to the bank, requiring rectification – something not available in the current paper-based process.

While this transaction was intentionally limited in scope as a proof-of-concept, its success means that the solution can be transferable to a broader context, such as the ASX’s plan to replace the CHESS equities settlement system with blockchain technology.

Read the full whitepaper here.

Australia Affected By Global Ransomware Attacks

Jun 30 2017

By Cameron Abbott and Ling Zhu

Despite Australia seemingly avoiding the brunt of the attacks by the WannaCry ransomware crippling computer systems around the world last month, a few Australian organisations have not emerged unscathed.

Victoria Police has revealed 280 speed cameras around Victoria were exposed to WannaCry between June 6 and June 22. Although the cameras were not connected to the internet, the ransomware was unintentionally introduced to the system through a USB device during maintenance. The police reported that the ransomware caused the cameras to continually reboot, however it is unclear whether this resulted in inaccurate readings. Initially, only 55 speed and red-light cameras were thought to be infected, however that has since increased to 280 cameras. Subsequently, 1,673 infringement tickets will be withdrawn, with another 5,500 pending tickets to be embargoed. Now don’t get excited and start drag racing – the police intend to continue operating the cameras, with embargoed and new tickets to be issued once they confirm that cameras are taking accurate readings.

Meanwhile in Hobart, Cadbury chocolate factory has stopped production following its parent company, Mondelez International, being affected by the similar “Petya” ransomware. The US-based Mondelez International suffered a global IT outage overnight, with all network computers being infected. Australian workers were unable to begin production in the Cadbury factory on June 28, as many processes are automated and controlled by computers. It is uncertain when the global system will be restored.

Now speed cameras is one thing, but affecting chocolate production is way out of line!

A reminder that both WannaCry and Petya exploit vulnerabilities that have been patched – you just have to load those security releases. A call out to all the chocolate producers of the world – load your patches for the sake of us all!

New Petya Ransomware Attacks Global Law Firm

Jun 27 2017

By Cameron Abbott and Edwin Tan

Just a month after the WannaCry ransomware infected devices around the globe, a new strain calling itself Petya has struck overnight. Petya looks and operates the same way as WannaCry, locking out users from their systems and demanding a ransom of US$300 in order to decrypt files stored on the device. To spread across devices, Petya utilises exactly the same vulnerability used in WannaCry, patched by Microsoft in March 2017.

Organisations in Europe have been the worst hit, with the ransomware slowly spreading to the United States, and to Australia this morning as organisations boot up their computers. The Prime Minister of Ukraine has called the attack on his country “unprecedented”, with the government’s computer network going down, and the state power distributor being disrupted.

A global law firm has also been hit by Petya, with its offices in the UK, Europe, the Middle East and the US all affected by the attack. This continues a worrying trend of law firms being breached as of late, potentially exposing thousands of clients to commercial and legal risk.

We cannot emphasise enough the importance of keeping all devices and systems patched and up-to-date. Unfortunately, it seems that organisations around the globe, even those professing to be experts in cybersecurity, are still unprepared to deal with cyber-attacks and mitigate their risks.

The UK National Cyber Security Center has released guidance to help both home users and organisations limit the impact of ransomware attacks. It can be read here.

Time is Running Out – Compliance with new EU Data Protection Rules (GDPR)

Jun 22 2017

By Cameron Abbott and Edwin Tan

Companies are failing to prepare adequately for the new EU General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, less than a year from today.

A partner at Crowe Horwarth was quoted in the Financial Times as saying that a recent survey found that over 60% of financial services companies were only just starting to get ready for GDPR, or were still trying to understand the gaps they needed to address. This is a particular concern as long timeframes may be needed to remedy any identified gaps, particularly where legacy IT systems are used. In addition, other companies are viewing the GDPR as a “nuisance”, treating it as a check-box ticking exercise rather than a serious compliance issue.

The GDPR will require companies to adopt much stricter procedures and processes when handling customer data. The maximum fine for non-compliance is 4 percent of the previous year’s annual global turnover, or €20 million, whichever is the greater. In addition, company executives can also face criminal penalties if deemed responsible for data breaches.

Companies must start work immediately on implementing changes required by the GDPR in order to avoid exposure to significant liability. Read more about the GDPR here.

DDoS Attacks On The Rise

Jun 20 2017

By Cameron Abbott and Edwin Tan

Distributed Denial of Service (DDoS) attacks leverage compromised devices to generate a flood of traffic, overwhelming online services and rendering them unresponsive. DDoS services are widely available on the internet, with research by Trend Micro finding that the small cost of US$150 can buy a DDoS attack for a week. (It also brings organised crime into your life – but that’s a different point!)

The latest statistics from Cisco reveal that the number of DDoS attacks grew by 172% in 2016. Combine this with an average DDoS attack size of 1.2Gbps, capable of taking most organisations offline, and there is real cause for concern among cyber security experts. It is hard to trace DDoS attacks to their proprietors, as the majority of devices used in attacks belong to innocent users.

Organisations must understand the risk and impact posed by DDoS attacks, and implement mitigation strategies that promote business continuity in the face of these attacks. Industry peers must share knowledge where appropriate, and keep government agencies adequately informed, to deter hackers from launching a DDoS attack.

Cisco expects that the number of DDoS attacks in the future will only get worse, with 3.1 million predicted attacks in 2021 globally. Read Cisco’s press release here.

Apple Distributors Arrested for Allegedly Selling Customer Personal Information

Jun 09 2017

By Cameron Abbott and Edwin Tan

On Wednesday, police in China’s Zhejiang province released a statement reporting the arrest of 22 third-party Apple distributors for allegedly selling customer data on the black market. Officials claim that the suspects searched an internal Apple database to obtain sensitive information, such as names, Apple IDs and phone numbers.

Each sale was for between 10 yuan to 180 yuan (A$1.95 to A$35.17). The entire scam was reportedly worth more than 50 million yuan (about A$9.8 million).

It is presently unclear whether there were victims outside of China, or how many people were affected by the breach.

No doubt these events will raise concerns worldwide about distributors’ access to customer data when it flows through the supply chain. Companies will need to have strong guarantees in place with their distributors, in relation to the handling and security of data, in order to reduce their risk of breaches when data leaves their control.

Users wishing to add an extra layer of security to their Apple ID can try utilising two-factor authentication, as set out by Apple here.

Together we are stronger – Australia and Singapore partner up on cybersecurity

Jun 06 2017

By Cameron Abbott and Allison Wallace

A freshly inked Memorandum of Understanding between Australia and Singapore will see the two countries strengthen their cybersecurity through a joint effort to build a secure and resilient cyber space.

The two-year partnership which was signed last week, will see Singapore’s Cyber Security Agency work with the Australian government to conduct regular information exchanges on cyber threats, share best practices to promote innovation in cyber security, and build cyber security capabilities. Read More

Archive:2017