Data security breaches

We are being pushed by governments and corporations to conduct all our affairs online but at the same time our data seems to be less and less secure. Australia has suffered six major cybersecurity breaches in five weeks. And these are just the ones we know about. Some companies might have opted to pay off the hackers.

Medibank say hackers have provided a sample of records for 100 policies including names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, details of medical services received. They claim to have taken other information, including data related to credit card security. Medibank say they started making direct contact with the affected customers. In truth, they don't know which customers have been impacted and what data has been accessed.

I would be cancelling the credit card given to any company who report a breach and be looking to them for compensation for any late payment fees, and the inconvenience of setting up all the direct debits again. I imagine there will be class actions if people have had sensitive information leaked, such as medical history.

There's no going back from the online world but what's the answer to this problem?
 
Part of the issue is the volume of information they hold. Why should Optus hold an image of a passport when they could verify the passport number directly with the Commonwealth?

Could the typical “100 point” verification be done through myGov or similar?
 
Part of the issue is the volume of information they hold. Why should Optus hold an image of a passport when they could verify the passport number directly with the Commonwealth?

Could the typical “100 point” verification be done through myGov or similar?

Delete the data after passing the 100 point test and add a note that it was provided.

Or actually encrypt it and store it somewhere not accessible to 13 year olds with scripts they downloaded off 4chan.

The penalties have been way too small. Make them enormous and companies will care. Sack CTOs with cause and no payout or even charge them so they actually earn the million dollar salaries.
 


Delete the data after passing the 100 point test and add a note that it was provided.

Or actually encrypt it and store it somewhere not accessible to 13 year olds with scripts they downloaded off 4chan.

The penalties have been way too small. Make them enormous and companies will care. Sack CTOs with cause and no payout or even charge them so they actually earn the million dollar salaries.
And stop holding the data overseas, or where that rule already exists, crack down on the workaround that some unis have applied, where the servers are in Australia but all the IT work on them is done remotely by foreign companies, making it even easier to hack in.

On SM-A125F using BigFooty.com mobile app
 
Delete the data after passing the 100 point test and add a note that it was provided.

Or actually encrypt it and store it somewhere not accessible to 13 year olds with scripts they downloaded off 4chan.

The penalties have been way too small. Make them enormous and companies will care. Sack CTOs with cause and no payout or even charge them so they actually earn the million dollar salaries.

AFSL licences require the storage of data and client files, so it can't be deleted

but save and back up on a computer not connected to the net
 
Part of the issue is the volume of information they hold. Why should Optus hold an image of a passport when they could verify the passport number directly with the Commonwealth?

Could the typical “100 point” verification be done through myGov or similar?

The Department of Veterans Affairs asked me last month to update my 20 year old account with them. They requested a pay slip (they didn't provide pay slips back then), signal of discharge (an email sent by Canberra to the base, not to me) and my certificate of enlistment.

You'd think a govt dept could simply request authorisation from me to request this from the Dept of Defence and Dept of Taxation.

Good news though, I now get a $6 a month pension! The beers are on me in a month or two!
 
The Department of Veterans Affairs asked me last month to update my 20 year old account with them. They requested a pay slip (they didn't provide pay slips back then), signal of discharge (an email sent by Canberra to the base, not to me) and my certificate of enlistment.

You'd think a govt dept could simply request authorisation from me to request this from the Dept of Defence and Dept of Taxation.

Good news though, I now get a $6 a month pension! The beers are on me in a month or two!

Don't spend it all at once!
 
And stop holding the data overseas, or where that rule already exists, crack down on the workaround that some unis have applied, where the servers are in Australia but all the IT work on them is done remotely by foreign companies, making it even easier to hack in.

On SM-A125F using BigFooty.com mobile app

I guess we need something like the GDPR laws they have in the EU, but one that relates to the whole world. I work in the tech industry and this has relevance to us; it seems like an interesting and messy area of international law.

 
Replace phrases related to car manufacturing with phrases related to IT security and you'll have the exact same scenario.

“Wherever I'm going, I'll be there to apply the formula. I'll keep the secret intact.
It's simple arithmetic.
It's a story problem.
If a new car built by my company leaves Chicago traveling west at 60 miles per hour, and the rear differential locks up, and the car crashes and burns with everyone trapped inside, does my company initiate a recall?
You take the population of vehicles in the field (A) and multiply it by the probable rate of failure (B), then multiply the result by the average cost of an out-of-court settlement (C).
A times B times C equals X. This is what it will cost if we don't initiate a recall.
If X is greater than the cost of a recall, we recall the cars and no one gets hurt.
If X is less than the cost of a recall, then we don't recall.”
 
Optus emailed me and told me my driver's licence info was part of their hack. It's an old licence as I'd moved to another state, so I didn't bother doing anything about it. So an easy fix could be getting rid of 10 year driver's licences; 3 years is enough, and it's straightforward to get it renewed. Then a few days ago AHM sent an email about their breach and said they were directly contacting those affected. Again, Medicare cards don't have to have a 10 year expiry date, and you don't even need a photo to renew it. Why does any form of ID need to have such a long period before it expires?
 
Australia has the Critical Infrastructure Act and now SLACIP (Security Legislation Amendment Critical Infrastructure Act), where the DHA can register your service/infrastructure as a SoNS (System of National Significance). In short, the Act enforces new obligations focussing on cyber security practices and controls and producing an effective risk management program. Problem is they leave it to entities to produce what they think are effective security measures; the government won't mandate standards and frameworks themselves because if an organisation is hit, it can point the finger back at DHA/Gov for responsibility.

The DHA can declare an organisation a SoNS on a whim, and if you are breached or even fail an audit they send in a spook requiring all access to your systems/networks/applications/infrastructure... scary stuff if I'm a CEO/CIO. Back to it, building effective security controls, playbooks, patterns and response plans is hard; ploughing through industry best practice such as NIST, MITRE etc is a time and resource consuming process, though worth it compared to the fallout Optus and Medibank will cop. Worse still, there are always people smarter than your staff doing all and sundry to get your critical data.

 


Oh dear!

The Australian Institute of Company Directors (AICD) had some solid names lending support to the launch of the institute’s new set of “cybersecurity governance principles” – a very hot topic in the wake of the Optus and Medibank Private hacks – including the federal minister in charge Clare O’Neil and Cyber Security Cooperative Research Centre CEO Rachael Falk.
Thousands of would-be participants began to get antsy when they tried to log on for a 1pm start and the conference didn’t go live on schedule.
As the comments from the waiting participants began to mount, a fake Eventbrite link – which many unsuspecting users clicked upon – was posted in the LinkedIn chat function asking for credit card details, leading the institute to plead with participants not to try to use any links posted in the chat.
When an official-looking AICD link to the event appeared, some users who hadn’t learned their lesson the first time round tried to follow it, only to complain that it didn’t work, and eventually, about 30 minutes into the debacle, the institute bowed to the inevitable and cancelled the event.

 
I guess we need something like the GDPR laws they have in the EU, but one that relates to the whole world. I work in the tech industry and this has relevance to us; it seems like an interesting and messy area of international law.

The NPPs aren't dissimilar (Privacy Act) - we also have a host of other data security legislation (e.g. Critical Infrastructure Act).
Interestingly the US doesn't have an equivalent national legislative regime (most companies there just use California's privacy legal framework).

In reality, we have so much data storage that crosses international boundaries that it seems impossible to silo ourselves off from the rest of the world, even using sovereign cloud systems and all manner of security protocols.

I'd assume you deal with the CIC a bit? Do you find they add much value? In my (admittedly few) dealings with them, I remain unconvinced.
 
The Department of Veterans Affairs asked me last month to update my 20 year old account with them. They requested a pay slip (they didn't provide pay slips back then), signal of discharge (an email sent by Canberra to the base, not to me) and my certificate of enlistment.

You'd think a govt dept could simply request authorisation from me to request this from the Dept of Defence and Dept of Taxation.

Good news though, I now get a $6 a month pension! The beers are on me in a month or two!
What's the pension? I was told I'm eligible for about $6 a fortnight but the last person I spoke to at DVA wasn't sure
 
The NPPs aren't dissimilar (Privacy Act) - we also have a host of other data security legislation (e.g. Critical Infrastructure Act).
Interestingly the US doesn't have an equivalent national legislative regime (most companies there just use California's privacy legal framework).

In reality, we have so much data storage that crosses international boundaries that it seems impossible to silo ourselves off from the rest of the world, even using sovereign cloud systems and all manner of security protocols.

I'd assume you deal with the CIC a bit? Do you find they add much value? In my (admittedly few) dealings with them, I remain unconvinced.

I actually haven't dealt with the CIC. I used to work for a global mob, so GDPR was certainly a topic of conversation amongst everyone. But yes, like you say, with the cloud you don't really know where the data would be, so this is basically an international standard.

For us (we're a data center integrator) we advise at a high level about the issues around data and where it's stored and encourage them to seek advice from an expert.

This below issue has been an ongoing discussion point in the DC industry for some time, think the move still hasn't been complete yet. I do have more info if you're interested (via PM of course)

 
What's the pension? I was told I'm eligible for about $6 a fortnight but the last person I spoke to at DVA wasn't sure

They just sent me a letter yesterday explaining they have been paying me $6 "in the case" I need medicine.
 
What's the pension? I was told I'm eligible for about $6 a fortnight but the last person I spoke to at DVA wasn't sure

FYI - I have no medical needs relating to defence, 7 years full time and 5 years part time

Probably worth getting enrolled, not for now but for actual retirement
 
As I thought, Medibank don't know what data was accessed, but it appears the hackers got to all their customers' data. They claim that there is no evidence that credit card data has been removed. The truth is that they don't know. Anyone with Medibank should be cancelling their cards.

 
Medibank have publicly stated that they won't be paying the hackers.

Perhaps it should be made illegal to pay a ransom for a data breach? It would encourage companies to make sure their systems are secure, in the knowledge that they can't buy their way out of it after the event. Anyhow, there's no guarantee that paying up will ensure the data will not be released or passed on to other criminals. And it might deter the hackers, knowing they are not going to get a big pay day.

The Medibank hackers, or whoever they sold the data to, are now targeting individual customers by calling them with knowledge of their medical claims, and saying they have unpaid bills. They will catch a few people out but it's not something a company should consider paying a ransom for.

Ransomware is a different category of scam. A business not having access to its systems or data can shut it down, possibly permanently. There's a cost benefit analysis involved. And there's a greater probability that once the ransom has been paid and the hack removed that the threat will be over. Apparently 43% of Australian companies paid ransoms after ransomware attacks.
 