It’s been a little over a year since the notifiable data breach scheme was introduced in Australia. The Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report on 13 May 2019, detailing its insights to come out of the scheme’s operation over the past 12 months. As regular readers would no doubt be aware, the health sector was one of the top industry sectors to report breaches in the first 12 months of the scheme’s operation.Read More
Unfortunately for all of us, Privacy Awareness Week doesn’t mean a chance to take a break from seemingly endless data breach notifications and social media vulnerabilities.
This week it’s WhatsApp’s turn, with reports that hackers, or as WhatsApp described as “an advanced cyber-actor”, have been able to remotely install surveillance software on phones and other devices of select targets, likely to be lawyers, journalists, activists and human rights defenders. The hackers were able to compromise the devices by using WhatsApp’s call function to ring the devices. The surveillance software was still installed even if the call was not picked up and the call reportedly would disappear from the compromised device’s call log. This means the malware could be installed without any action from the compromised user – and potentially without them even being able to determine that they had been compromised.Read More
Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).
Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and corresponding passwords, are stolen, typically from a previous security breach. The account credential combinations are then used to try and gain access to accounts at other sites via an automated and large-scale web application directed to multiple logins. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.Read More