12 January 2021

News round-up Jan 2021 — SolarWinds hack, the need for robust external security assurance, and a community demand for privacy

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

As Understanding of Russian Hacking Grows, So Does Alarm

Summary: The Russian hacking of more than 250 US agencies and businesses that started with the compromise of software provider SolarWinds and was detected by cyber security company FireEye has left a lot of questions in its wake, and will continue to have consequences for months to come.

Key risk takeaway: In one of the most significant cyber-attacks we’ve seen in a while, the US Government, FireEye (one of the biggest cyber security firms), and Microsoft were all exposed due to vulnerabilities in their supply chain. SolarWinds, a software provider with a poor history of security, was targeted as the entry point. It appears that the hackers identified a range of vulnerabilities and potential weaknesses, including timing the attack when US Government cyber security agencies were focussed on the election. The hackers also used US servers and IP addresses, which evade the National Security Agency’s attention. The reach of the attack is a sobering lesson for organisations that the security of their data and systems is only as good as the security of its supply chain.

Govt agencies face annual cyber security audits for next five years

Summary: A parliamentary committee has called for annual cyber security reviews of Federal Government entities by the ANAO.

Key risk takeaway: This story reflects a trend of oversight bodies in both the public and private sectors seeking greater levels of evidence and assurance of robust cyber security processes within organisations. This can be seen in the foreshadowing of regular cyber security audits and mandatory compliance with the Essential Eight for Federal Government agencies, after a series of mediocre cyber resilience audit results. The committee report also criticised existing accountability mechanisms – largely based on self-assessments – as being ‘limited’. A shift away from accepting ‘best efforts’ is a familiar refrain in the private sector too: APRA is asking banks to complete an external audit of compliance with their prudential standard on cyber security, saying too many boards “fail to grasp why urgent action is required”, while the Council of Financial Regulators is insisting that banks, insurers and super funds comply with a framework for simulated cyber-attacks.

Apple Implements Privacy “Nutrition Label” for Apps

Summary: Apple is now requiring all new or updated apps to provide a ‘privacy nutrition’ label.

Key risk takeaway: This development is a reflection of the global trend of consumers expecting companies to take greater responsibility for ethical data handling. The automatically generated label may force app developers not just to be more upfront about data collection, but also to be more privacy conscious in the first place. The label is automatically generated based on a series of questions about the types of data that the app collects, how the data is used, whether it is linked to the user and whether it is used for tracking. It will be most effective if a series of ‘poor privacy nutrition’ labels cause a drop in the popularity of some common apps. Watch this space.

‘We’ve heard the feedback…’ Microsoft 365 axes per-user productivity monitoring after privacy backlash

Summary: Microsoft has wound back the functionality of Productivity Score so that it no longer provides individual user data, after outcry from privacy advocates and subscribers alike.

Key risk takeaway: New workplace technologies that help employers as they adapt to having less physical visibility of their workforce can be expected to come under the privacy microscope. Nominally designed to provide data on organisational uptake of technology solutions, Microsoft’s Productivity Score was decried as being yet another way for organisations to virtually stand over employees and judge their productivity. After attempting to defend the product, Microsoft has now wound back the functionality, so that metrics are not provided on an individual level. The ‘assurance vs privacy invasion’ issue is popping up in a range of situations, including in the recent filing of complaints against five online exam proctoring services, for being privacy intrusive in a situation where students have no capacity to refuse consent.  

Facebook dragged to court by ACCC over deceptive VPN conduct allegations

Summary: The ACCC is taking Facebook to court over “false, misleading, or deceptive conduct” when promoting the Onavo Protect VPN app.

Key risk takeaway: While this is a consumer law (rather than privacy law) case, it revolves around data handling and is another example in the growing trend of consumers expecting privacy. This is particularly noteworthy in this case, as the consumers had downloaded a VPN app and so could be assumed to want their privacy protected. With the Privacy Commissioner pushing for the introduction of a ‘fair and reasonable use’ test, this is a good reminder to companies that just because the data is there, doesn’t mean it’s acceptable to exploit it.

WhatsApp Has Shared Your Data With Facebook for Years, Actually

Summary: WhatsApp has updated its Privacy Policy, removing the option to not have your data shared with Facebook. What looked like a change in policy is reportedly a reflection of data sharing practices that have been occurring since 2016.

Key risk takeaway: Data governance heightens its importance as a discipline, as companies seek to maximise innovative use of data through greater sharing of data among its business arms. In this instance, the revelation that WhatsApp has been sharing a range of data with Facebook including device identifiers, device details (eg. IP address, operating system, browser details), payment data, cookies, and location information evidently didn’t sit well with some Whatsapp users. The revelation of this data sharing also highlights risks in the use of WhatsApp for workplace communications and the importance of reminding employees to only use authorised communications channels.