Welcome to FILED Newsletter, our monthly round-up of relevant news, opinion, guidance, and other useful links in the world of data, records and information management. This month:
- What can we learn from the response to the Medibank breach?
- Google settles its location data tracking for a record-breaking amount.
- Over the first seven months of 2022, Russian hackers stole 50M passwords from 111 countries.
If you only read one thing
When it comes to data breaches, focusing on the perimeter will never be enough
We’re more than a month on from the Medibank hack, and the hacker may be the only person who has drawn a line under the issue, last week announcing “case closed”, with a final 5GB dump of data on the dark web.
Everyone else—the victims, the government, and the business, security, and compliance community—is still grappling with the fallout.
Medibank CEO David Koczkar apologized again to customers and said it wasn’t “case closed” from Medibank’s perspective, and they were doing everything they could to remain vigilant and support customers. Meanwhile:
- APRA is “intensifying” its scrutiny of Medibank, as well as broadening its investigation into financial services security in general.
- The Office of the Australian Information Commissioner is also now investigating how Medibank handled personal data.
For Australian businesses, one of the biggest impacts will be the amendments to the Privacy Act.
Updated Privacy Act – bigger fines and more focus on data retention
Under the amended Privacy Act, the maximum penalty for a serious or repeated privacy breach will increase from $2.22 million to the greater of:
- $50 million;
- Three times the value of any benefit obtained; or
- 30 percent of the company’s adjusted turnover in the relevant period.
The amendment also strengthens aspects of Australia’s privacy regime, through greater powers for the Privacy Commissioner to resolve privacy breaches, seek information about notifiable data breaches, and publish or share information about its investigations with other regulators. The Bill will become law once assented to by the Governor-General.
While these changes have been prompted by several high-profile data breaches in recent months, the penalties apply to any serious or repeated breach of privacy, not only data breaches. This means a material failure to comply with any of the Australian Privacy Principles could attract the new penalties.
The terms ‘serious’ and ‘repeated’ are not defined in the Privacy Act, and some commentators have raised concerns that it is hard to be sure whether conduct meets the standard. We expect these terms to be further defined as part of the broader reforms of the Privacy Act (anticipated in 2023).
The OAIC has also published guidance on how it interprets these terms.
This is still only part of the solution
When it comes to the Medibank breach, the focus of reporting and investigation is often still on how the attacker gained access, and how that could have been prevented. Fewer people are asking why the business had so much data, from so many customers (and former customers), and why it was so poorly managed.
Focusing on the “fence” (the security perimeter) only gets you so far; you also need to keep your valuables “tidy and in a locked safe”.
No matter how secure your perimeter is, if you don’t know where your sensitive data is, if you’re not removing what you can, or if your data access controls are poor, all it takes is one person with (often unnecessary) access clicking on the wrong link.
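The point above can be made concrete: the amount of data a single phished account can expose is set by how much you retain and how much each role can read, not by the perimeter. The script below is an added illustration written for this newsletter, not code from any of the organizations mentioned; the customer records, retention period and role scopes are constructed sample values. It runs a retention sweep over former customers, then compares the “blast radius” of one compromised account before and after the sweep and with a narrower role scope.

```python
"""Added example: data retention and access scope decide what one
compromised account can expose. All records and roles are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Attributes treated as sensitive in this illustration (assumed, not a legal list).
SENSITIVE_FIELDS = frozenset({"name", "dob", "address", "medicare_number", "claims_history"})

# What each role can read. "everything" models the unnecessary-access case.
ROLE_SCOPE = {
    "call_centre": frozenset({"name", "dob", "address"}),
    "claims_assessor": frozenset({"name", "claims_history"}),
    "everything": SENSITIVE_FIELDS,
}


@dataclass(frozen=True)
class Record:
    customer_id: int
    status: str            # "active" or "former"
    last_activity: date    # last claim, payment or policy change
    fields: frozenset      # sensitive attributes currently held for this customer


def retention_sweep(records, today, retention=timedelta(days=7 * 365)):
    """Split records into (keep, purge). A former customer whose last activity
    is older than the retention period is purged. The 7-year window is an
    assumed illustrative value, not a statement of any legal requirement."""
    keep, purge = [], []
    for r in records:
        expired = r.status == "former" and (today - r.last_activity) > retention
        (purge if expired else keep).append(r)
    return keep, purge


def blast_radius(records, readable):
    """Count (customer, attribute) pairs an account limited to `readable`
    attributes could exfiltrate from `records`."""
    return sum(len(r.fields & readable) for r in records)


def sample_records(today):
    """Constructed sample data: two active customers, three former ones."""
    d = lambda days: today - timedelta(days=days)
    return [
        Record(1, "active", d(30), SENSITIVE_FIELDS),
        Record(2, "active", d(400), SENSITIVE_FIELDS),
        Record(3, "former", d(2 * 365), SENSITIVE_FIELDS),        # within retention
        Record(4, "former", d(9 * 365), SENSITIVE_FIELDS),        # past retention
        Record(5, "former", d(12 * 365),
               frozenset({"name", "dob", "address", "medicare_number"})),  # past retention
    ]


def compare_scenarios(today):
    """Return exposure counts for a single compromised account under
    (all data, full access), (post-sweep, full access), (post-sweep, call-centre scope)."""
    records = sample_records(today)
    keep, _purge = retention_sweep(records, today)
    return {
        "before_sweep_full_access": blast_radius(records, ROLE_SCOPE["everything"]),
        "after_sweep_full_access": blast_radius(keep, ROLE_SCOPE["everything"]),
        "after_sweep_call_centre": blast_radius(keep, ROLE_SCOPE["call_centre"]),
    }


if __name__ == "__main__":
    today = date(2022, 12, 1)
    keep, purge = retention_sweep(sample_records(today), today)
    print("purge customer ids:", [r.customer_id for r in purge])
    for scenario, exposed in compare_scenarios(today).items():
        print(f"{scenario}: {exposed} sensitive attributes reachable")
```

The numbers are small, but the shape is the lesson: the sweep removes records the business no longer needs, and scoping the role removes attributes the role never needed, and each step shrinks what a “wrong click” can hand over regardless of how the attacker got in.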
🤫 Privacy and governance
During spiralling Covid-19 cases in 2020, the Victorian government sent citizens’ contact tracing data for potential use by controversial data mining firm Palantir.
Related: the United Kingdom’s National Health Service is also poised to build one of the biggest health data platforms in the world with Palantir.
Google will pay US $392 million to 40 states in the largest ever US privacy settlement, after a 2018 investigation found the tech giant tracked user location even after users had opted out. Google has since ceased these practices, and as a result of the lawsuit the company says it will be more transparent with users about what it collects.
According to estimates from researchers: three dozen groups of Russian hackers infected 890,000 user devices with malware, obtaining 50 million passwords—all within the first seven months of 2022.
Australia will establish a 100-person team to “hack the hackers”, starting with ransomware groups.
A hacker capitalized on a TikTok challenge to spread malware. The trick used the promise of naked pictures to send unwitting users to download a malware package from source code hosting platform GitHub and join a “community” on chat platform Discord. This ingenious use of legitimate services is worrying security researchers.
A former cybersecurity professional and expert social engineer reflects on what’s missing in security, drawing on what he learned penetration testing some of the world’s largest organizations. He broke into one financial institution four years in a row by simply walking through the front door and convincing staff he was an auditor.
📣 The latest from RecordPoint
As technology shifts, your on-premises legacy EDRMS is likely growing more out of date. Learn how to choose the right pathway to move beyond this outdated situation.
Are you getting value from the data your business collects, or are you just collecting more of it? Data enrichment can streamline data minimization, save costs, and make it more likely you will provide the right data when needed.
Have you met Rex? If you’re following us on social media, you may have already seen our ongoing 12 Days of Rex series; if not, follow the #12daysofrex hashtag to see all the posts and learn more about our mascot.