The week in security: Privacy Act changes kick in as Telstra, Immigration busted

New requirements around the handling of personally identifiable information came into effect after months of preparation, although many companies were still trying to figure out the implications of the Privacy Act 1988 changes.

Experts warned that healthcare and point-of-sale vulnerabilities would be tested under the new laws, which came into effect even as European politicians approved a new data-protection law – although critics were quick to point out that the law falls short of making large companies report breaches.

Every public and private-sector organisation needs to consider the ICT security controls required to ensure compliance with the new regulations, with one high-profile chief privacy officer warning that it must be a multi-disciplinary effort across IT, engineering, legal and business organisations. And, for its part, Australian firm Ground Labs launched Data Recon, a tool for finding personally identifiable information hidden in corporate networks.

The potential consequences of a breach became painfully clear after dozens of asylum seekers announced they would sue Australia's Department of Immigration and Citizenship after it leaked their personal details online. A UK citizen-action group was up in arms after a healthcare provider uploaded sensitive healthcare data to a Google cloud service for analysis. And, a Symantec security expert revealed, criminals are still trying to trick Web users into loading malware using digital certificates stolen from now-defunct certificate authority DigiNotar in 2011.

Telstra released its first transparency report and revealed it had received around 40,000 requests for customers' personal information in 2013. Yet it was Telstra's own significant breach of personal data, feted by the Office of the Australian Information Commissioner (OAIC) on the eve of the new privacy laws, that got the carrier even more attention.

A report from FireEye – which announced a $US460 million ($A510 million) secondary offering to fund expansion – found that email attacks have given way to Web malware, which is now favoured 5 to 1 by cybercriminals. Figures from Twitter confirmed the trend as email-borne attacks dropped from 110 million per day to a few thousand. Many of the growing number of Web attacks are in the form of malware-bearing Web ads, which outpaced pornography for the first time to become this year's biggest threat to mobile users.

Little wonder, with malicious advertising offering a broad reach and quick rewards for malware authors. Yet malware is only one part of the online criminal profile, with the 'dark web' rising in profile and seediness.

Compromised Bitcoin exchange Mt Gox filed for bankruptcy in the US even as revelations suggested it had stayed open despite knowledge of large-scale theft from its Bitcoin reserves. The incident has many people wondering whether digital currencies can ever be secure.

Meanwhile, compromised ex-NSA employee Edward Snowden called on attendees at SXSW to do whatever they can to make the NSA's job a bit harder. The security staff at US retailer Target might have done more of the same, with McAfee suggesting the hackers had detailed knowledge about its network. Target also revealed, tellingly, that it had detected but dismissed early signs of the breach.

A California court ordered that phone records collected by the government not be destroyed until further notice, contradicting the recent order of that country's secret Federal Intelligence Surveillance Court. Ironically, big data is still a new frontier for most public-sector authorities, experts note.

Malware, however, is apparently not, as the NSA faced accusations it was planning to intentionally infect millions of computers with surveillance software, although US lawmakers declined to quiz the new head of the NSA about the allegations.

Even where lawmakers were clamping down on alleged computer fraud, the allegations were shaky, one legal expert warned.

Meanwhile, the world watched as Malaysia Airlines flight MH370 seemingly disappeared into thin air with numerous tech executives aboard, as some experts warned that the episode showed technology is the weakest link in air transport.

Closer to home, a large DDoS attack capitalised on WordPress's pingback feature even as experts warned that DDoS attacks are still a significant threat and likely to grow further as hackers plan massive NTP amplification attacks.

Also in security, researchers said they had figured out how to bypass secured Internet connections to access personal information. Others figured out how to bypass a security protection in Apple's iOS 7. Such breaches are likely to become even more common for organisations that decide to stick with Windows XP – which was revealed to be even more vulnerable in the latest Patch Tuesday update – after Microsoft withdraws support for the operating system next month. Yet hackers are already doing pretty well with current software, pocketing over $US400,000 ($A443,000) on the first day of the Pwn2Own hacking contest and managing to compromise all major browsers.

Stories by David Braue