Information Security Law This Month - July 2012
In the news this month:
- Medvet in breach of data security principle according to Privacy Commissioner
- New discussion paper issued on communications surveillance and regulation in Aus including new data retention obligations is met by resistance from Greens and GetUp – to name a few …
- And Anonymous Hackers hit the AAPT Server and government websites in protest over the proposals
- Privacy Commissioner questions proposed Privacy Act Amendments
- Billabong and Yahoo among biggest hacks for the month
- Global Payments breach costs company $84.4m so far
- EU and U.S. FFIEC issue Cloud Computing Guidance
- Some advice on how to deal with Hacktivism
CASES AND LEGISLATION
Privacy Commissioner finds Medvet Breached Privacy Act
After an investigation, the Australian Privacy Commissioner has found that Medvet Laboratories breached the Privacy Act by failing to protect its customers' personal information, ZDNet reports. Billing and shipping details were exposed because of multiple security flaws in the software used for its online store, the Commissioner found. However, the Commissioner said the company's actions following the breach were positive steps: it has improved its security systems, advertised the breach in newspapers and placed notices on its website. Story here.
Patco ACH Fraud Case Reversed on Appeal
A U.S. Federal Court of Appeals decision may make it easier for small business owners victimised by cyberheists to recover stolen funds by suing their bank, at least in the U.S. The appeals court sent specific aspects of the earlier decision back to the lower court for review, but encouraged both parties to settle the matter out of court. Story here.
Countrywide Data Breach Case Dismissed
Another U.S. decision dismissing a claim for amounts incurred in anticipation of future losses (e.g. credit monitoring costs) on the basis of there being no recoverable injury. Story here.
Discussion paper on Telecommunications Interception, Data Retention and Increased Regulation of Telcos released
In July 2012, the Commonwealth Attorney-General's Department issued a discussion paper to accompany consideration by the Parliamentary Joint Committee on Intelligence and Security of a package of national security ideas comprising proposals for telecommunications interception reform, telecommunications sector security reform and Australian intelligence community legislation reform. The paper, entitled Equipping Australia against Emerging and Evolving Threats, addresses the challenges to national security which are raised by developments in telecommunications technology whilst acknowledging the need to implement appropriate safeguards for the protection of individual privacy.
View the discussion paper.
Among the proposals raised in the discussion paper is the controversial new requirement that data be retained for up to two years and agencies given increased access to social media sites such as Facebook and Twitter. As well, Australians would be forced to hand over their computer passwords.
Assistant Treasurer David Bradbury said it was important for the nation's intelligence agencies to have access to information they needed to protect the nation. Story here.
As did the Australian Federal Police (AFP) assistant commissioner who said that law enforcement agencies in Australia will continue to be stymied in their efforts to combat cyber crime unless measures such as proposed two year online data retention laws are passed. Story here.
However, there is resistance. Here and here. From the Centre for Independent Studies: here.
Getup has put together an “informative video” on the proposal – available here.
And the Australian intelligence watchdog, Inspector-General of Intelligence and Security Vivienne Thom, has announced that she will examine whether the proposals would lead to an imbalance between state power and private rights. Dr Thom said she would be providing a submission to the committee focusing on whether the proposals contained oversight mechanisms, on risks to legality and propriety, and on whether they protected human rights. Story here.
Meanwhile Anonymous Hackers hit the AAPT Server in response to Proposed Data Retention Legislation
Members of Anonymous temporarily interrupted services from 10 government websites and stole customer data from Australian ISP AAPT to protest against, and demonstrate the dangers of, the proposed Australian data retention law. AAPT's David Yuile said Melbourne IT, which hosted the compromised servers, alerted his company to the security incident: "AAPT immediately instructed Melbourne IT to shut down the servers when we were notified of the incident." He said preliminary findings suggested that two files were compromised and that the data was "historic, with limited personal customer information". Further, he said the servers on which the files were stored had not been used by or connected to AAPT for at least 12 months. "We are undertaking a thorough investigation into the incident with Melbourne IT and the relevant authorities to establish exactly the type and extent of data that has been compromised, how the security incident happened and what further measures are required to prevent any future incidents."
In a statement, Attorney-General Nicola Roxon urged interested parties to avoid "hysteria" and contribute to the Parliamentary Joint Committee on Intelligence and Security inquiry instead.
The hackers involved in the attacks told SC Magazine they broke into the dedicated server through an unpatched Adobe ColdFusion vulnerability. Melbourne IT confirmed that it is investigating the data breach, and AAPT subsequently confirmed that the server had been breached.
Story here, here, here and here.
Confirmation of breach – here and here.
U.S Cybersecurity Bill Still Being Discussed: Showdown Arrives in Senate
Legislation in the U.S. which is intended to introduce similar changes to the type of communications that can be intercepted and the extended retention requirements to assist access by law enforcement and other government agencies is still being discussed in the U.S. Story here.
DATA BREACHES
Billabong Suffers Data Breach
Hackers have stolen and published 21,485 clear text passwords from a Billabong customer database in what the Aussie surfwear icon has described as an "extremely serious matter".
The clear-text passwords were uploaded to a codepaste site for #WikiBoatWednesday, an event popular in hacktivist Twitter circles, for which groups publish stolen data caches online. The hackers also released administrator database tables and other information, including hashed passwords.
Billabong was unaware of the breach until notified by iTnews' sister publication SC Magazine last week. A spokesperson noted that the breached customer database contained "personal information of certain customers of the website, but no financial data.” Story here and here.
Yahoo Data Breach Compromises Login Credentials of 450,000 Users
Yahoo confirmed on Thursday that hackers broke into the company's network and stole the login information of about 450,000 individuals who use Yahoo and other popular Internet email services, including Google Inc.'s Gmail, AOL, Verizon.net and MSN.
The hacker group, which calls itself D33D, obtained a list of the email addresses and passwords of people signed up for the Yahoo Contributor Network, a place for budding writers, photographers and videographers to publish their work on the Internet. Because users can opt to use an outside email address to join the network, the stolen information included user names and passwords for accounts on a number of email services.
Reports indicate that the compromise involved a basic SQL injection attack against an exposed Yahoo server (dbb1.ac.bf1.yahoo.com), where the account data was reportedly stored unencrypted. LinkedIn and eHarmony were recently in the news with similar issues. More information here.
7 lessons learned from Yahoo's password breach. Start with how stored passwords are protected: the article says "encrypting", but the control that actually limits the damage of a table dump is a per-user salt plus a deliberately slow one-way hash, since reversibly encrypted passwords simply move the problem to wherever the key is kept. Here.
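The two failures described above (a query built from attacker-controlled input, and credentials stored in a form that is immediately usable once dumped) are easy to show side by side. The following is an added example written for this newsletter, not code from Yahoo, Billabong or any of the linked articles; the table layout, the user records and the injection payload are all constructed here for illustration, and the in-memory SQLite database stands in for whatever backend was actually involved.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample records for the example only (not from any real breach).
USERS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "hunter2"),
]

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    A random per-user salt defeats precomputed tables, and the iteration
    count makes each guess expensive, so a dumped table still forces the
    attacker into a per-password search instead of handing over credentials.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_db():
    """In-memory table shaped like a contributor login table, storing hashes rather than clear text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(email, hash_password(pw)) for email, pw in USERS],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Query assembled by string concatenation: the caller's input becomes SQL."""
    sql = "SELECT email, password_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Same query with a bound parameter: the input is only ever treated as data."""
    return conn.execute(
        "SELECT email, password_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


def demo():
    """Run the injection against both lookups and verify one real login."""
    conn = build_db()
    payload = "' OR '1'='1"  # tautology payload: turns the WHERE clause into 'always true'
    dumped = lookup_vulnerable(conn, payload)  # every row comes back
    blocked = lookup_safe(conn, payload)       # no row has that literal email
    alice_row = lookup_safe(conn, "alice@example.com")[0]
    alice_ok = verify_password("correct horse battery staple", alice_row[1])
    return len(dumped), len(blocked), alice_ok


if __name__ == "__main__":
    print(demo())
```

Even when the vulnerable lookup hands the attacker the whole table, what they get is salted PBKDF2 output, not passwords they can replay against Gmail or AOL accounts; fixing the query and fixing the storage are independent controls and both were missing in the cases above.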
Global Payments Says Breach Cost $84.4m
The transaction processor reported taking an $84.4 million dollar pre-tax charge as a result of the massive data breach that came to light in late March. Story here.
But some question whether sufficient information about the breach has been revealed. Story here.
Months-long hacking spree exposes 8.7 million Koreans
South Korea's second-largest wireless service provider KT Corp apologised on Sunday after the personal data of millions of mobile phone subscribers was hacked. It is the latest in a string of large-scale personal information hacking cases in one of the world's most wired countries.
Police said two computer programmers had been arrested for hacking personal data of about 8.7 million KT subscribers. KT claims a mobile service subscription membership of 16 million. Police also arrested, but did not detain, seven others suspected of having purchased and used the hacked KT data, which included names, resident registration numbers and phone numbers. Story here.
Dropbox: Password Breach Led to Spam (Author: Brian Krebs)
PRIVACY
New Aus Privacy laws 'place digital economy in jeopardy'
Internet giants Facebook, Google and Yahoo!7 fear proposed laws aimed at bringing privacy into the online age will stymie local participation in the "global digital economy". Their concern seems to focus on the new rules for credit information and the cross-border transfer of data. Story here.
And weaken consumer rights
The Australian Privacy Foundation, with some support from the Australian Privacy Commissioner, raises issues with the Privacy Act amendments, including the new data transfer provisions and the exception where organisations "reasonably believe" there are equivalent protections in the transferee jurisdiction. The Senate hearings into the proposed amendments are scheduled for August 10 and 13. Story here, and the Commissioner's submission here.
Meanwhile, press coverage of Molly Lord's death makes the case for a statutory right of action for breach of privacy: her parents are currently left with little legal recourse following the intrusive reporting of their family tragedy, as covered in a recent blog post. Story here.
U.S. Joins APEC Cross Border Privacy Rules
Acting U.S. Commerce Secretary Rebecca Blank has announced the United States’ participation in the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules. The rules aim to provide a framework to facilitate cross-border data flows by allowing for interoperability through various jurisdictions’ privacy regimes. Blank said U.S. participation “is a significant milestone in international data protection and is an important step in the implementation of the global privacy strategy outlined in the Obama administration’s February 2012 Data Privacy Blueprint,” adding, “We are committed to working with our trading partners in APEC to help maximize its implementation throughout the region.” APEC plans to launch the system within six months. Story here.
Irish Data Protection Commissioner to Conduct Second Facebook Audit
The Irish Data Protection Commissioner (DPC) has said he will determine by early October whether to take legal action against Facebook, RTE News reports. The DPC will soon conduct a second audit to ensure Facebook is complying with EU laws. Amid reports it had cut ties with Europe v. Facebook, the Austrian group that has been working with the DPC and which succeeded in convincing Facebook to release information about the data it collects from users, the office said in a statement this week that "Europe v. Facebook performed a useful public service in highlighting the specific issues raised in its complaints." Story here.
Utah Gov. Fires Tech Director, Hires Ombudsman
Following a data breach affecting 780,000 individuals, Utah Gov. Gary Herbert has fired the director of the Department of Technology Services and has created a new "health data security ombudsman" to facilitate redress for victims, The Salt Lake Tribune reports. Herbert said, "The people of Utah rightly believe that the government will protect them, their families and their personal data...As a state government we have failed to honor that commitment." The new ombudsman said she will act as a "portal for victims." Story here.
Company Defends Wi-Fi Collection Practices
Speaking at a privacy conference, Euclid Elements Co-Founder Will Smith said the company's new product that tracks retail shoppers via their smartphone MAC addresses should not raise privacy concerns, CNET News reports. The company offers retailers a sensor that "passively detects smartphones that come near the store," Smith said. The company currently employs an opt-out model; MAC addresses are stored for 18 months and only aggregate information is available to retailers, the report states. Story here.
Google Fails to Delete all Streetview Data in UK
Google disclosed in an email to the U.K. Information Commissioner's Office that it had not yet deleted all user data collected by its Street View vehicles, as it had agreed to more than 18 months ago. Story here.
FTC Recognised as Main Privacy Enforcer in the U.S.
The Obama administration is pushing Congress to enact federal privacy legislation, but in the meantime, the Federal Trade Commission (FTC) has stepped into the role of the "main government agency focused on online privacy protection," reports The Hill. FTC Chairman Jon Leibowitz has referred to the agency as the "nation's privacy protection agency," and in the last year, the agency settled charges with Google, Facebook and Myspace under its jurisdiction over "unfair or deceptive" trade practices, citing privacy agreement violations. In March, the FTC released its online privacy report. Story here.
SURVEYS
Businesses risk privacy in dumping documents
Thousands of Australian businesses are dumping personal documents into commercial rubbish bins that can be easily accessed by the public and identity thieves. A survey commissioned by the National Association for Information Destruction showed three in 10 organisations were unaware of their obligations when it came to destroying personal information - notwithstanding that just over half of them had formal destruction and security policies.
Acting Victorian Privacy Commissioner Anthony Bendall said that the recent focus on online data security meant some organisations had become complacent about paper records. Story here.
Index of Cybersecurity Rises
It's been just over a year since Dan Geer and Mukul Pareek teamed up to create the Index of Cybersecurity, which measures IT security and information risk practitioners' perception of cybersecurity risk (see New Index Measures Cyberspace Safety). Since its debut, the index has risen by nearly 30 percent, from a base value of 1,000 in March 2011 to 1,292 in April 2012, averaging about 2 percent a month. Last month, the index grew by 2.2 percent. The clear takeaway of 13 months of surveys is that those in the trenches of IT security - chief information security officers, chief risk officers, academicians engaged in field work and chief scientists at security product vendors - are getting more apprehensive about safeguarding IT. Story here.
CISOs Becoming Influencers Rather than Responders: new study by IBM
Finding a strategic voice, a study by IBM’s Center for Applied Insights identifies three ‘types’ of CISO: influencers, protectors and responders. The report finds that evolution towards the ‘influencer’ role is necessary, and happening. Security is now seen as a vital aspect of business, and the role and influence of the chief information security officer is correspondingly rising. The primary driver, suggests IBM, is that security is now recognised as a business rather than just a technology imperative. Story here.
CLOUD COMPUTING
Warning about Dangerous Assumptions re U.S. Patriot Act and U.S. CSPs
A recent article points out that European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to Cloud data. In fact, France's anti-terrorism law has been said to make the Patriot Act look "namby-pamby" by comparison. Story here.
International DPA Working Group Publishes Working Paper on Privacy Issues in Cloud Computing
The International Working Group on Data Protection in Telecommunications (the “Working Group”), led by the Berlin Commissioner for Data Protection and Freedom of Information, issued a Working Paper that focuses on privacy and data protection issues related to the use of cloud computing in the international context. The Working Paper aims to reduce uncertainty regarding the definition of cloud computing and how the technology intersects with privacy, data protection and other legal issues. Story here.
Victorian Privacy Commissioner: Cloud Providers Should Adopt Privacy By Design
Speaking to the Local Government Forum in Melbourne in April, acting Victorian Privacy Commissioner Anthony Bendall said cloud providers should use Privacy by Design when creating services for government use, iTNews reports. Bendall added, "If private organisations want to come to the cloud computing party and provide services to government, they should ensure they are compliant with privacy laws, because ultimately, if something happens, it is the government organisation or council's data (and reputation) that is at stake." Story here.
FFIEC Releases Statement on Outsourced Cloud Computing Activities
On July 10, 2012, the Federal Financial Institutions Examination Council released a statement on outsourced cloud computing activities, discussing key risk considerations associated with using third-party vendors to implement cloud computing solutions and identifying applicable risk mitigation considerations contained in the FFIEC IT Examination Handbook. Story here.
OTHER NEWS
EU to Banks: Assume All PCs Are Infected
Don’t use MS Windows for Banking – from Brian Krebs
Black Hat 2012: There’s not enough smart people in information security, says DHS
Don't believe the Skype: it may not be as private as you might think