Category: Privacy, Data Protection & Information Management

1
Scary statistics reveal 39,000 reported cybercrime incidents in 2015
2
Malware attacks a Melbourne hospital’s outdated IT system
3
Microsoft cuts support for Internet Explorer 8, 9 and 10
4
Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy
5
Hotel Industry Payment Systems Under Attack
6
Victorian Racing Integrity Commissioner Seeks Access to Metadata
7
European Court of Justice Declares EU/US Safe Harbour Decision Invalid

Scary statistics reveal 39,000 reported cybercrime incidents in 2015

By Cameron Abbott and Meg Aitken

Following its launch in November 2014, the Australian Cyber Online Reporting Network (ACORN) has revealed it fielded 39,000 reports of cybercrime from individuals and organisations in 2015. Fraud was the most commonly reported cybercrime, with 19,232 reports being made to ACORN last year.

Prominent data analytics group and credit bureau, Veda revealed similarly worrying statistics in the Veda 2015 Cybercrime and Fraud Report, noting that in 2015, 1 in 4 Australians reported being a victim of identity theft at some stage, up 7% from 2014. The report also suggests that Australians are becoming increasingly concerned about the risk of cybercrime and identity theft.

Veda has projected that 2016 will see even greater numbers of cybercrime attacks on individuals, firms and government agencies as the ‘Internet of Things’ further develops, reliance on social media grows and a profound amount of personal information and data continues to be collected.

Read the ACORN quarterly statistics reports here.

Malware attacks a Melbourne hospital’s outdated IT system

By Cameron Abbott and Meg Aitken

Don’t say we (and Microsoft) didn’t warn you, a prominent Melbourne hospital’s IT system that runs on an outdated and unsupported Windows operating system, Microsoft XP, was hacked last week.

Microsoft recently activated the end-of-life phase for Windows 8, 9 and 10 and encouraged users to transition to the company’s supported operating systems in order to prevent security incidents. The same process was undertaken for Microsoft XP in 2014; however the hospital continued to use the platform in some departments.

The pathology department was the primary victim of the attack and staff were reportedly forced to manually process blood tissue and urine samples while the electronic system was compromised. Fortunately, highly sensitive patient information is not believed to have been accessed by the hackers.

It has been reported that the hospital is now expediting plans to upgrade its IT systems.

Access the media release here.

Microsoft cuts support for Internet Explorer 8, 9 and 10

By Cameron Abbott and Meg Aitken

Today, Microsoft will initiate the ‘end-of-life’ phase for the company’s older Web browsers, Internet Explorer 8, 9, and 10. Customers using the outdated browsers will be sent an ‘end-of-life upgrade notification’ as technical support and security updates have now ceased.

Microsoft has encouraged the several hundred million users who currently operate the outdated browsers to upgrade to Internet Explorer 11 or Microsoft Edge, which they suggest offers better-quality security and improved performance.

While users currently running Internet Explorer 8, 9 and 10 will still be able to use their browsers, Microsoft has warned there is a significant security risk of continuing to run the outdated versions. Without the periodic security updates and routine technical support, the outdated browsers will be vulnerable to cyber-attacks, malware and other security threats.

Australian Corporations have an obligation to keep materials secure under the Privacy Act 1988 (Cth) and should therefore consider the risk that using the unsupported browsers may not be sufficient to meet this requirement.

Access the Microsoft release here.

Complex ModPOS Malware Infects Point-of-Sale Terminals in Lead up to Christmas Spend Frenzy

By Cameron Abbott and Meg Aitken

While the festive season approaches and retailers prepare for their busiest time of the year, a sophisticated form of point-of-sale malware, known as ‘ModPOS’, has reared its ugly head and is targeting payment terminals in the U.S.

It is estimated that the first ModPOS data hacks occurred in 2013 and that millions of credit and debit cards used at a broad variety of U.S. retailers have since been compromised. The unique complexity of the code, which experts say has never been seen before in malware, made it tricky to decipher.

Cyber security experts have warned that ModPOS has the ability to not only “scrape” credit and debit card numbers from the memory of point-of-sale terminals, but that the multifaceted code also records keystrokes of computer operators and transmits stolen data. If that isn’t enough, the malware is particularly difficult to detect and is reportedly capable of infiltrating despite security software and data controls.

More details about ModPOS malware can be found here.

Hotel Industry Payment Systems Under Attack

By Cameron Abbott and Meg Aitken

Stayed at one of Hilton Worldwide Holdings’ (Hilton) hotels between 18 November – 5 December 2014 or 21 April – 27 July 2015? Check your bank statement.

Within the same week, both the Hilton and Starwood Hotels & Resorts Worldwide Inc. (Starwood) have discovered the point-of-sale terminals at a number of hotels across the globe have been infected with malware.

The malicious malware has enabled hackers to pinch the credit and debit card information of Starwood and Hilton customers, however there is apparently no evidence that personal contact information provided as part of the hotels’ guest-reservation system or loyalty rewards program was stolen.

While the attack on Starwood was confined to 54 of its hotels in North America, the Hilton attack affected the chain’s hotels globally, including Australian establishments. The number of cards compromised has not been revealed by either hotel.

Starwood and Hilton hotels are not the only luxury hotel chains to be affected by data hacks in 2015. The Mandarin Oriental and Trump International have also reported data security breaches involving intrusive malware this year. In the case of Starwood the hack occurred over eight months without detection showing how sophisticated some of these attacks are.

Starwood’s media release can be found here. Hilton’s media release can be accessed here.

European Court of Justice Declares EU/US Safe Harbour Decision Invalid

By Cameron Abbott and Melanie Long

The European Court of Justice has declared a decision by the European Commission on the legitimacy of the EU/US safe harbour scheme (safe harbour decision), invalid. In the wake of the Snowden scandal, Austrian citizen, Maximilian Schrems, lodged a complaint against Facebook with the Data Protection Commissioner in Ireland (the location of Facebook’s European headquarters). The Irish supervisory authority rejected Mr Schrems’ complaint on the basis of the safe harbour decision. In invalidating the safe harbour decision, the European Court of Justice declared that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” Further, that the safe harbour scheme, by not providing for an individual to pursue legal remedies in order to have access to personal data relating to them, or to obtain the rectification or erasure of such data, compromised, “the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.”

The consequence of this decision is that the EU/US safe harbour scheme is contrary to the Data Protection Directive, which provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

The European Court of Justice’s press release can be found here.

To read the full judgment of the European Court of Justice click here.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.