5 November 2020

News round-up Nov 2020 – Privacy Act review, ICO fines British Airways £20m over data breach and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

Privacy is well and truly in the frame this month – not least because of the Government’s review of the Privacy Act. It’s a big deal and we’ll have a bit to say about it – starting with our summary below. As the number of COVID-19 cases eases, attention is now also shifting towards the privacy provisions of COVID-19 check-in services. And turning to cyber, if you felt ransomware wasn’t nasty enough, attackers have dug deep and found more evil to draw on.

Key articles:

Govt kicks off long-awaited Privacy Act review

Summary: The Federal Government has commenced a review of the Privacy Act 1988, with the release of terms of reference and an issues paper.

Key risk takeaway: The Government’s newly announced review of the Act will likely have significant implications for how privacy is managed in Australia, with the terms of reference calling on individuals and organisations to shape the way personal information is collected, stored, used and even defined over the next several years. The Privacy Act is Australia’s main piece of legislation governing digital information handling practices and intersects with freedom of information, national archives, health records, direct marketing and spam legislation and many other frameworks. Any organisation that interacts with personal information will need to pay close attention to changes that emerge from this process. Read our blog post for a more detailed analysis and to learn about our upcoming briefings and webinars on this topic. The review of the Privacy Act comes as the consultation period closes on the Government’s exposure draft of the Data Availability and Transparency Bill. elevenM joined with other industry figures and academics to provide this submission on the Bill.

Tags: #privacy

Data breach at Finnish psychotherapy centre takes a darker turn with extortion attempts

Summary: Fallout from a data breach at a Finnish psychotherapy company spread as hackers began demanding ransoms directly from patients.

Key risk takeaway: The attack on Finnish psychotherapy company Vastaamo reveals a disturbing escalation in the extortion tactics associated with ransomware. The release of patient data after the company refused to pay 450,000 euros to protect approximately 40,000 patient records may have seemed cruel enough, but the direct extortion of affected patients is a new and worrying trend. As ransomware attacks continue to increase in volume, frequency and severity – other recent attacks include those on Hackney Council in the UK and a series of US medical facilities – organisations will need to prepare themselves for this new playbook of tactics. We’re increasingly aware of organisations simulating ransomware scenarios as part of exercises in order to test their appetite for different responses. The firing of Vastaamo’s CEO after it emerged he had failed to disclose a second data breach further underscores boards’ expectations of a proactive and transparent approach to ransomware and cyber incidents more generally.

Tags: #ransomware #executiveawareness

The QR code has turned COVID-19 check-ins into a golden opportunity for marketing and data companies

Summary: Thousands of businesses that rushed to outsource COVID check-in obligations could be facing data privacy issues.

Key risk takeaway: Businesses using third-party data collection for COVID-19 tracking could face privacy repercussions after allegations that the data is being used for marketing. While check-ins were a somewhat rapid response measure to the pandemic, organisations must ensure they’re meeting data handling obligations around them exactly as they would in any other data collection situation – the COVID-19 crisis doesn’t negate privacy responsibilities (as we learned during the discussion around the CovidSafe app). To provide the check-in functionality, many businesses are reportedly using services run by companies whose business model is the monetisation of data – raising concerns the data will be used for marketing (a Tasmanian MP claimed to have received marketing material from a venue after signing in via a QR code). Consumer sensitivity to targeted data-driven advertising was also reflected last month in moves by the EU to tighten control on microtargeting and online data collection for the purposes of advertising.

Tags: #privacy #COVID-19 #advertising

British Airways fined £20m over data breach

Summary: British Airways has been fined £20m for the 2018 hack that exposed the credit card and personal information of approximately 400,000 customers.

Key risk takeaway: While the fine has been reduced, in announcing it the ICO made plain its expectation that businesses have basic security measures in place – an expectation that we increasingly now see being shared by the media, general public and investors. The Information Commissioner underscored this view by signalling that businesses should use regulations to drive investment in security and privacy capabilities, stating: “The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security”. Regrettably for BA, the ICO noted it had not met its security obligations at the time of the hack, failing to use security measures (such as multi-factor authentication) that were available through the operating system it was using.

Tags: #privacy #regulation #fine #securityhygiene

The 2020 Election was attacked, but not severely disrupted. Here’s how

Summary: American officials have cautiously noted they made it through the election cycle without major hacks, but say that it’s due to increased vigilance and resilience, not a decrease in attacks.

Key risk takeaway: This outcome is a testament to an increased understanding that high-profile events (especially elections) are at high risk of hacking and data breaches, and to the value of learning lessons from prior breaches (notably the 2016 US election). In the lead-up to the 2020 election, US cyber security and infrastructure security officials worked hard to increase resilience to attacks, apparently with considerable success. That said, a week before election day Wisconsin Republicans were hurt by mail fraud. While business email compromise may not have been the election cyber threat everyone was worried about, given the hackers made off with $2.3m, arguably it should have been more central to discussions.

Tags: #electionsecurity #BEC