March 26, 2019
Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.
In this week’s roundup, we hear about sweeping changes to Australia’s Privacy Act including the hefty increase in funding for the Australian Information Commissioner. We see how property valuation firm LandMark White is faring in its efforts to rebuild trust after a recent data breach. Some might argue the trust ship has already sailed for Facebook – if so, this week’s news of another glaring security bungle at the social network only sees that ship even further out from shore.
Summary: The Attorney-General has announced that sweeping changes are proposed to Australia’s Privacy Act, including hefty increases to penalties, empowerment for individuals, and bolstered powers and funding for the Australian Information Commissioner.
Key risk takeaway: If your company trades in personal information without respecting the rights of individuals, your days are likely to be numbered. Under the proposed changes to the Privacy Act, you could be fined up to three times the value of any benefit obtained by misusing information, or 10 per cent of annual domestic turnover, whichever figure is greater. The Australian Information Commissioner’s powers may also extend to issuing infringement notices to those who fail to cooperate in resolving minor data breaches. The government also wants to give the commissioner more options to ensure breaches are addressed, including through reviews and publishing public statements about specific breaches. Legislation to make the changes will be drafted ahead of community consultation in the second half of the year.
Tags: #privacy #trust
Summary: The social network confirmed it kept hundreds of millions of user passwords in a format readable by engineers and other employees, but said no passwords were exposed outside Facebook.
Key risk takeaway: This story, like the all-too-common revelations of data breaches in which account credentials are leaked, is a prompt for added vigilance around password security. Facebook users are advised to reset their passwords, turn on multi-factor authentication and enable alerts for any unrecognised logins. Given the prevalence of password reuse, it’s possible some Facebook users re-use their social networking password for work accounts. Businesses might consider reminding staff about the dangers of this practice and issuing guidance on how to create a secure password.
Tags: #securityawareness #passwords
Summary: Security teams at last year’s Commonwealth Games blocked 40,000 command-and-control connection attempts and identified 39,000 distinct pieces of malware.
Key risk takeaway: Nestled in this (seemingly vendor-driven) case study is a tale about the potential risks posed by unmanaged devices to an enterprise network. Bring-Your-Own-Device, or BYOD, has gained favour as a workplace trend in recent years, given the convenience and flexibility it provides employees who want to use a phone or laptop of their choice. However, these “unmanaged” devices – devices not under the control and visibility of IT/security teams – can be a source of cyber threats, including malware. Companies should consider their tolerance for risk in relation to the use of mobile devices by staff, and reflect this in their policies.
Tags: #cyberrisk #layereddefence #mobilesecurity
Summary: LandMark White anticipates lenders will start using its services again this week after news of a breach in January, although it estimates it could take several weeks for revenues to return to “pre-incident levels”.
Key risk takeaway: Trends including the fragility of trust and a move to more active supplier governance are evident in this post-mortem of the LandMark White breach. In order to rebuild confidence and resume commercial arrangements, the land valuer appears to have invested considerably in security so as to “meet or exceed” the expectations of key clients. This isn’t unusual – we observe many companies now facing exhaustive privacy and security assurance checks by clients, both routinely and when applying for new business. A proactive approach by suppliers to demonstrating their security posture can project confidence and reduce the overhead and duplication of reactively managing these requests.
Tags: #trust #securityassurance #suppliergovernance
Summary: Cybercriminals defrauded two defense contractors and a university out of more than US$150,000 through email scams last year.
Key risk takeaway: Any business today can expect to be targeted by email-based fraud scams. Authorities have repeatedly observed that Business Email Compromise (BEC) – a particular form of this scam – has been highly lucrative for attackers in recent years. BEC scam emails are convincingly crafted payment requests – they typically contain no malicious links or attachments and so are often not blocked by mail gateways. Educating staff – particularly those in finance and procurement roles – to recognise these emails is critical.
Summary: In separate incidents, an education and science publisher and a health tech company were found to have left sensitive data unsecured.
Key risk takeaway: Businesses that adopt cloud-based services must be aware of what data will be stored in the cloud, and enforce configuration settings to protect that data appropriately. Regrettably, in the past two years researchers have repeatedly discovered organisations’ sensitive data in cloud storage volumes (particularly poorly configured “S3 buckets” in Amazon Web Services).
Tags: #cloudsecurity #dataprotection