Category: Privacy, Data Protection & Information Management


Blockchain Successfully Used in Commercial Leasing Transaction

By Cameron Abbott and Edwin Tan

After years of research and development, ANZ and Westpac have succeeded in utilising blockchain technology for bank guarantees in a commercial leasing transaction. The banks teamed with IBM and shopping centre operator Scentre Group to digitise the paper-based process using distributed ledger technology.

Currently, bank guarantees are usually in the form of a physical letter that is printed on bank letterhead and signed for authenticity. The tenant surrenders the guarantee to the landlord, which the landlord later uses to demand payment from the bank in the event the tenant defaults. This process brings with it several difficulties, such as the requirement to keep the physical document safe from damage and theft, and the potential for forgery.

The use of blockchain technology will allow both parties to rely on the shared ledger as a single non-disputable source as to the existence and status of a bank guarantee, saving time and costs in document management and tracking of the guarantee’s status. Encryption of all records on the ledger ensures that only the parties to the transaction can view its contents, maintaining its confidentiality. In addition, the technology gives landlords the ability to request a new guarantee on behalf of the lender – for example, where incorrect names were provided to the bank, requiring rectification – something not available in the current paper-based process.

While this transaction was intentionally limited in scope as a proof-of-concept, its success means that the solution can be transferable to a broader context, such as the ASX’s plan to replace the CHESS equities settlement system with blockchain technology.

Read the full whitepaper here.

Australia Affected By Global Ransomware Attacks

By Cameron Abbott and Ling Zhu

Despite Australia seemingly avoiding the brunt of the attacks by the WannaCry ransomware crippling computer systems around the world last month, a few Australian organisations have not emerged unscathed.

Victoria Police has revealed 280 speed cameras around Victoria were exposed to WannaCry between June 6 and June 22. Although the cameras were not connected to the internet, the ransomware was unintentionally introduced to the system through a USB device during maintenance. The police reported that the ransomware caused the cameras to continually reboot, however it is unclear whether this resulted in inaccurate readings. Initially, only 55 speed and red-light cameras were thought to be infected, however that has since increased to 280 cameras. Subsequently, 1,673 infringement tickets will be withdrawn, with another 5,500 pending tickets to be embargoed. Now don’t get excited and start drag racing – the police intend to continue operating the cameras, with embargoed and new tickets to be issued once they confirm that cameras are taking accurate readings.

Meanwhile in Hobart, Cadbury chocolate factory has stopped production following its parent company, Mondelez International, being affected by the similar “Petya” ransomware. The US-based Mondelez International suffered a global IT outage overnight, with all network computers being infected. Australian workers were unable to begin production in the Cadbury factory on June 28, as many processes are automated and controlled by computers. It is uncertain when the global system will be restored.

Now speed cameras is one thing, but affecting chocolate production is way out of line!

A reminder that both WannaCry and Petya exploit vulnerabilities that have been patched – you just have to load those security releases. A call out to all the chocolate producers of the world – load your patches for the sake of us all!

Law Firms Must Step Up Security or Risk Exposure: $8,895,560 Fine for Law Firm Hackers

By Cameron Abbott and Edwin Tan

On 5 May 2017, a federal district court in New York ordered four people involved in breaching the networks of two law firms and stealing confidential information to pay approximately $8.9 million in fines.

According to the Securities and Exchange Commission, the hackers installed malware on the law firms’ networks, enabling them to view and copy data held by the law firms. The stolen data included emails revealing the details of clients considering mergers or acquisitions. Armed with this information, the hackers purchased shares in those companies ahead of public announcements, quickly amassing profits of almost $3 million.

There are concerns that hackers consider law firms as “low risk, high reward” targets, as a successful breach can reveal sensitive information about a multitude of clients such as trade secrets and financial data. These breaches can result in firm clients being exposed to massive commercial and legal risk.

One can be cynical at expenditure on security, let’s face it, it means less money in partners’ pockets – but cases like this are a salient warning of the hidden costs of getting security wrong!

The police are reading … a lot … more than half a million times last year

By Cameron Abbott and Edwin Tan

News Corp reported today that law enforcement agencies accessed the private data of Australian individuals about 541,300 times during the past 12 months. This is an estimated increase of about 60 percent compared to the previous year.

This is in addition to the Australian Federal Police (AFP) confirming on Friday that an officer had accessed phone records without a warrant earlier in the year. No action was taken against the officer.

The 2015 amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) made it mandatory for telecommunications companies and internet service providers to retain metadata. This metadata can be accessed without a warrant by 21 government agencies, including the AFP.

However, journalists’ telecommunications data cannot be accessed by agencies without first obtaining a “Journalist Information Warrant”. An agency must apply to a Federal Court judge or a nominated Administrative Appeals Tribunal member to be granted the warrant.

The breach has sparked calls for an independent and public inquiry into the AFP, with Senator Nick Xenophon calling the incident “a complete failure with no real explanation”. Not the last we will hear about this issue we think. Read more about this here.

Abbott Labs makes a costly mistake as FDA targets cybersecurity deficiencies

By Cameron Abbott and Giles Whittaker

The Food and Drug Administration (FDA), after a previous warning in 2014, threatens legal action against Abbott Labs if the company fails to address safety and security issues in implanted cardiac devices sold by St Jude Medical – a recent subsidiary acquired by Abbott Labs. The internet of things takes a much more serious tenor when it’s a medical device compared to your fridge!

The company recently purchased St. Jude Medical, which makes implanted cardiac devices that have been the subject of cybersecurity concerns. A warning letter issued by the FDA gives Abbott Labs 15 days to submit a plan to address errors in the products’ design that could allow hackers to tamper with the settings and drain the batteries of the devices. Many of the cybersecurity concerns first came to light after medical device security research firm MedSec submitted a report outlining a variety of alleged security flaws in St. Jude products to investment firm Muddy Waters Research (MWR). MWR subsequently publicly announced the product design failures while short-selling St. Jude Medical’s stock in order to capitalise on the expected market response.

As the public increases its awareness of cybersecurity issues it becomes apparent that a failure to adequately consider these issues – as a day to day function of operating a business or prior to the acquisition of a new business – can result in significant damage to a company’s bottom line. The recent short-selling by MWR indicates the necessity for cybersecurity considerations to be central to a company’s business model; otherwise the company risks having its inadequacies called out in a public forum. And we are not even thinking about what litigation liability risk these sorts of issues might raise.

Draft law proposes security assessment of data exported out of China

By Cameron Abbott and Allison Wallace

The Cyberspace Administration of China has released a draft law that would impose an annual security assessment on firms exporting data out of China.

The proposed legislation would apply to any business which transfers more than 1000 gigabytes of data, or which affects more than 500,000 users, and is the latest of several safeguards announced in recent times against threats such as hacking and terrorism.

Under the draft law, economic, technological or scientific data whose transfer would pose a threat to public or security interests would be banned, and there would be extra scrutiny of sensitive geographic data.

Businesses would also have to obtain the consent of users before transmitting their data overseas.

The draft law follows another passed in November 2016 which formalised a range of controls over firms that handle data in industries the Chinese government labels critical to national interests.

McDonald’s India (inadvertently) delivering more than just burgers in India

By Cameron Abbott and Allison Wallace

McDonald’s has fallen foul of customer expectations after its McDelivery app leaked the personal information of about 2.2 million users.

Access to the names, emails, home addresses and phone numbers of users was made readily available due to a poorly configured server, according to security firm Fallible.

The fast food giant told the Times of India that the app is safe to use – but Fallible tested the app again after McDonald’s said it had updated it to fix the issue, and found that it was still leaking data.

Old-school data breach sees hospital investigated

By Cameron Abbott and Allison Wallace

While health institutions around the world work to secure patients’ personal information and prevent the hacking or leaking of data from their systems, one Melbourne hospital is being investigated after medical records were found lying in a gutter in a nearby street.

Fairfax Media reports Australia’s Privacy Commissioner Timothy Pilgrim is investigating how the paper records of 31 patients of the John Fawkner Private Hospital were removed from the premises last month.

The documents, which were found by a local resident, were sent to both the Privacy Commissioner, and Victoria’s Health Complaints Commissioner.

Under current legislation, there is no obligation for the hospital to notify the affected patients that their privacy has been breached. All this will change under the new data breach notification laws, which were passed by the Australian government last month, and are expected to come into force within the next 12 months.

This breach is a timely reminder for all businesses, government agencies and other organisations covered by Australia’s privacy laws to take stock of how they store personal information – whether it be in a filing cabinet, on a hard-drive, or in a cloud – and ensure it is secure.

Is your IoT device putting you at risk?

By Cameron Abbott and Giles Whittaker

As the uptake of IoT (Internet of Things) devices increases, industry experts question whether adequate cybersecurity measures are in place. While we are not surprised with the results of a recent survey, it has been confirmed that IoT devices represent the next big cybersecurity threat.

A Tripwire study found 96% of surveyed IT pros expect to see an increase in security attacks on IoT. The study acknowledges the promise of these devices in facilitating tasks and bringing convenience, but also notes the risk they pose as they’re not always built with security in mind. The study found the industries facing the biggest threat include energy, utilities, government, healthcare and finance, with devices connecting the Industrial Internet of Things viewed as susceptible to serious consequences. David Meltzer, COO at Tripwire, says there must be a change in the level of preparation for such attacks or these risks will be realised.

You are not alone! Ransomware attacks increase

By Cameron Abbott and Giles Whittaker

While no one likes to admit that they have been caught out or victimised by cyber-attacks such as ransomware, what appears to be true is that a lot of organisations are. The lesson is that it is quite likely to happen, so design your IT systems to give you a recovery option. No good having your backup encrypted as well!

A survey (reg. req.) of IT security decision makers by CyberEdge found that a whopping 61% of respondents’ organizations were victimized by ransomware in 2016. Among those hit by ransomware, 33% paid the ransom to recover their data, 54% refused to pay but recovered their data anyway, and 13% refused to pay and lost their data. In general, the report found the percentage of organizations being hit by successful cyber-attacks continues to rise, from 62% in 2014 to 70% in 2015, 76% in 2016, and 79% in 2017. Three in five respondents believe a successful cyber-attack is likely in the coming year.


Copyright © 2024, K&L Gates LLP. All Rights Reserved.