It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights to come out of the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.
A new year, and a new hacking incident – this time, it was the Early Warning Network (EWN) – a text and email service used by councils around Australia to warn locals of emergency situations.
On its Facebook page, EWN stated that a hacker was able to access its system, sending out messages via text, email and landline stating that EWN had been hacked and that the receiver’s personal data was not safe. The message also included links to support email addresses and a website.
EWN said that the hack was quickly identified and systems shut down, with no-one’s personal information compromised during the attack. The attack is believed to have originated within Australia, involving compromised login details.
While EWN said that personal information was not compromised by this incident, it serves as a timely reminder for businesses to check and test their information security processes and data breach response plans – and if one isn’t in place, to implement one. The Office of the Australian Information Commissioner reported that it received 550 notifications of data breaches from the time the notifiable data breach legislation commenced on 22 February 2018 to 30 September 2018.
The Office of the Australian Information Commissioner (OAIC) has released its third quarterly report of notifiable data breaches. This is the second OAIC report to be released covering a full quarter.
The report revealed that OAIC received 245 notifications of data breaches, marginally up from 242 notifications in the second quarterly report.
Some interesting figures from the OAIC’s report are as follows:
- 18% of notifications were from health service providers; 14% were from the finance sector; 14% were from the legal, accounting and management services sector; 7% were from the private education sector; and 5% were from the personal services sector;
- 85% of data breaches involved individuals’ contact details, 45% involved financial details, 35% involved identity details, 22% involved health details, 22% involved tax file numbers, and 7% involved other types of personal information; and
- 57% of data breaches were due to malicious or criminal attack, with 37% due to human error and 6% due to system faults, with cyber incidents, namely compromised credentials or phishing, being the main cause of
Of the 245 data breaches, 58 affected only one individual – however, 7 affected more than 10,000 individuals.
These figures are a clear reminder of the need to ensure that your business is equipped to deal with data breaches. To learn more about this, take a look at this 60-second video by Cameron Abbott. With professional services ranking a solid third, we’ll take some of our own advice too!
The Office of the Australian Information Commissioner (OAIC) has released its second quarterly report of notifiable data breaches. This report is of particular significance as it, unlike the first “quarterly” report, covers a full quarter and therefore depicts a more accurate account of data breaches over a calendar quarter.
In 2017 Andie Fox, a recipient of Centrelink benefits, wrote a highly critical opinion piece on Centrelink’s debt recovery system, alleging that she was being pursued for a non-existent debt. In response Centrelink provided Ms Fox’s personal information, previous communications and claims history to a journalist who published an article claiming that Centrelink had been ‘unfairly castigated’ by Fox. The OAIC commenced an investigation into the release and has controversially confirmed Centrelink’s disclosure as permitted under the Privacy Act.
Up to 8000 clients of Family Planning New South Wales have been affected by a ransomware attack on the NGO’s website. Not the sort of records people ever want to see disclosed.
The website was hacked on ANZAC Day, with the personal information of clients who had contacted FPNSW in the past 2 and a half years compromised – including details such as names, contact details and reasons for enquiries.
It’s been just over 6 weeks since the government’s notifiable data breach scheme came into force and the Office of the Australian Information Commissioner (OAIC) has revealed it has received 63 reports of data breaches since the scheme’s start date of February 22. The figure was released as part of the OAIC’s first quarterly report on the scheme.
This is somewhat of a stark contrast to the 114 voluntary notifications for data breaches received by the OAIC in the 2016-17 financial year, before the scheme was in place.
Over the last few weeks we’ve been blogging about the data “sharing” scandal that has rocked Facebook, led to a boycott of the popular social media site, and sent CEO Mark Zuckerberg to face the music on Capitol Hill.
In case you’d missed the story (which you can read about here, here and here), Facebook estimated 87 million people globally, including 300,000 Australians, had their data shared with Cambridge Analytica, a political consultancy firm used by US President Donald Trump in his 2016 election campaign.
By Cameron Abbott and Rebecca Murray
The hugely popular Pokémon GO app is at the centre of privacy and security concerns after recent media reports noted that its installation required access to a significant amount of users’ personal information. This prompted Australian Privacy Commissioner, Timothy Pilgrim, to make enquiries with the developer of the app, Niantic Labs, to “ensure the personal information of users is being managed in accordance with the Australian Privacy Act.” Read the OAIC statement here.
Available on iOS and Android platforms, the smash-hit game uses augmented reality technology and your smart-phone GPS and camera to display fictional Pokémon which users then aim to find and capture.
Privacy concerns arose after users noted that installing the iOS version of the app required full access to users’ Google accounts. In response, Niantic Labs reported that the access was requested erroneously and that Google would reduce Pokémon GO’s permission to only the basic profile data that it needs. Niantic and Google have since corrected the permissions. Read Niantic’s statement here.
Commissioner Timothy Pilgrim warned that the security scare was a “timely reminder that people need to read the privacy policies of all smartphone apps before signing up. This way people can make an informed decision about if they want to use an app.” However, we will wager that 99% of people just click “accept”.