Posts by liu

Government’s dumb data disasters demonstrate decaying diligence

The Australian government’s habit of losing filing cabinets full of confidential documents is merely a symptom of much deeper problems, in both policy development and implementation.

As Oscar Wilde might have put it: “To lose one filing cabinet full of government documents may be regarded as a misfortune; to lose two looks like carelessness.”

Carelessness is something the Australian government seems to be quite good at these days.

News broke on Sunday that in 2013, confidential personnel files from the then Department of Families, Housing, Community Services and Indigenous Affairs (FaHCSIA), now part of the Department of Social Services, had gone walkies for several days.

Just like the secret cabinet files incident reported in January, these documents were discovered in a locked filing cabinet bought from a second-hand furniture store.

“The documents were personnel files which had all the personal details [of employees] like home addresses and phone numbers, as well as previous positions held, CVs, and security clearances,” the buyer told The Sunday Canberra Times.

“It was a two-drawer filing cabinet, and the bottom drawer was completely full,” he said.

The two incidents aren’t quite the same. Personnel files don’t have to be handled under the same security protocols as cabinet documents. But there’s more than enough information in them to make identity theft or spearphishing trivial.

Yes, this is carelessness.

Then there was the incident where a “classified notebook belonging to a top Defence official” was discovered, along with his ID … guess where?

“Initial inquiries indicate the items were inadvertently left in a piece of personal furniture recently disposed of by the Defence official,” The Canberra Times reported.

Three incidents involving lost documents in second-hand furniture don’t constitute a wave of incompetence, of course, any more than two or three robberies randomly clustered together constitute a crime wave. But these physical data leaks are being unearthed at a time when confidence in the government’s ability to manage data needs to be questioned, and questioned hard.

Do we need to repeat the now-familiar litany? The government’s recklessness with medical data. The omnishambles of the 2016 Census. The collapse of the Australian Taxation Office (ATO) storage system. The unthinking viciousness of Centrelink’s robodebt debacle.

Things are no better at the state level — the corruption of Victoria’s Ultranet project and NSW agencies struggling with the security basics, to name but two examples.

Do you detect a pattern? I do. So do former senior public servants, but in another way.

Last month, The Mandarin, a news site that covers leadership in the public sector, concluded that there’s an urgent need to recover the capacity for deep policy analysis in the Australian Public Service (APS).

Terry Moran, a former secretary of the Department of the Prime Minister and Cabinet (PM&C), was scathing.

“The APS is failing in areas of social policy because it has been stripped of specialist capability and service delivery experience. If it were a patient it would be in palliative care,” Moran said.

“Successive governments haven’t nurtured the APS: they’ve gutted it.”

David Borthwick, former secretary of the Department of Environment, Water, Heritage and the Arts, was concerned that a lack of resources meant that departments were flat out delivering their programs, with little time for anything else.

“The quality of the Australian Public Service is the foundation of good government. It must have the capacity — the skilled workforce and the resources — to undertake the strategic thinking which underpins longer-term reforms,” Borthwick said.

Highly-respected journalist Laura Tingle reported similar concerns in her Quarterly Essay from 2015, Political Amnesia: how we forgot how to govern.

“The blurring of boundaries between the public servant and the political adviser, and the relentless focus on message over substance, results in a diminution of the ‘space’ in which the independent adviser can operate,” Martin Parkinson, currently secretary of the Department of Prime Minister and Cabinet, said at the time.

“Today, in some institutions, smart people look around at their colleagues and find there is no one to talk to, to learn from, who has experience in delivering real reform.”

Ken Henry, a former secretary of the Commonwealth Treasury, said much the same thing in Tingle’s essay.

“I think many departments have lost the capacity to develop policy; but not just that, they have lost their memory. I seriously doubt there is any serious policy development going on in most government departments,” Henry said.

All this is about developing policy rather than implementing programs, of course. But aren’t they the exact two things that the government is actually for?

If Australia were struggling to do either one of them, then we’d be deep in the brown stuff. But we’re struggling with both.

The most worrying comment for me came from Peter Varghese, a former secretary of the Department of Foreign Affairs and Trade (DFAT).

“Deep policy thinking is an area where our system, at both the political and the public service levels, has struggled over the last decade,” The Mandarin quoted Varghese as saying.

“Recovering the capacity for deep policy analysis is urgent because we are at an inflection point in our history. It is not dissimilar to the period after the second world war when the nation had to set out in a new direction and when the political and public service leaderships worked so well together to chart that direction. Or the period from the early eighties when we set out to internationalise the Australian economy; or the nineties when tax and industrial relations policies had to be redefined.”

Yes, the Australian government is struggling, both with policy development and with the implementation of data-enabled programs, at the exact moment in history when such things are needed.

The government is even having to hire consultants to teach it how to do basic government stuff like organisational development.

Parliament is currently running an inquiry into how the government uses contractors, with wide-ranging terms of reference. Stay tuned, but remember that this inquiry will only scratch the surface.


Pennsylvania attorney general sues Uber over delayed data breach notification

The state could seek as much as $13.5 million in penalties from the ride-hailing firm for its response to the 2016 breach.

Pennsylvania Attorney General Josh Shapiro is suing Uber for taking more than a year to notify thousands of drivers in the Keystone State that their information was stolen in 2016.

In December, it came to light that hackers in 2016 stole data pertaining to 57 million Uber riders worldwide, as well as data on more than 7 million drivers. Uber concealed the breach for more than a year.

That data breach impacted at least 13,500 Pennsylvania Uber drivers, according to Shapiro’s office. Under the Pennsylvania Breach
of Personal Information Notification Act, Uber should have notified those drivers of the breach within a “reasonable” time frame.

“Uber violated Pennsylvania law by failing to put our residents on timely notice of this massive data breach,” Shapiro said in a
statement. He noted that instead of notifying impacted riders and drivers of the incident, Uber reportedly paid a hacker to keep
it under wraps.

Shapiro called this “outrageous corporate misconduct.”

Under Pennsylvania’s data breach law, the attorney general can sue Uber for up to $1,000 for each violation. With at least 13,500 Pennsylvanians impacted, it could seek up to $13.5 million from the ride-hailing firm.

Shapiro is one of 43 state attorneys general investigating the data breach, his office said.

The data breach came to light just a few months after Dara Khosrowshahi stepped up as the new CEO of the embattled business. In a
statement to CNET, an Uber spokesperson said the company’s new leadership “has taken a series of steps to be accountable and
respond responsibly” to the breach. “While we dispute the accuracy of some of the characterizations in the Pennsylvania Attorney
General’s lawsuit, we will continue to cooperate with them and ask only that we be treated fairly.”


Overcoming the challenges: Back-up and storage for banks

Now is a good time for banks to audit their back-up and storage to achieve both cost savings and regulatory compliance.

A gambling and gaming company has achieved cost savings of 75% with Amazon Web Services (AWS). The return on investment (ROI) it has achieved is considerable and, more importantly, it can be replicated by banks and other financial services organisations at a time when the European Union’s General Data Protection Regulation (GDPR) is just around the corner – coming into force on May

So, now is a good time for banks to audit their back-up and storage to achieve both cost savings and regulatory compliance.

The other key challenges include:

data locality;
the bandwidth available versus the rate at which data changes and has to be replicated to the remote site hosting the cloud;

The gambling and gaming company keeps some of its data on-site while the rest resides in the cloud. To speed up back-up and restore, the firm has used data acceleration to cut the time it takes to move backup data over the link. The less time a backup takes, the more the firm saves, despite growing data volumes; the larger the volume, the harder companies, including banks, find it to move data to and from the cloud.

David Trossell, CEO and CTO of data acceleration company Bridgeworks, explains: “The rush to put everything in the cloud and run the organisation from there has had an impact on internal service-level agreements (SLAs). An example is the gaming company. After migrating everything to the cloud, the response for the HQ staff accessing the database in the cloud became unacceptable: this is purely down to the time it takes to get from the HQ to the cloud, a factor of the speed of light.

“This has been the experience of many cloud-only strategies where databases have been involved. This forced the pendulum back to what is now a more acceptable model of a hybrid cloud strategy where the critical data still sits on-premise, but the non-critical data along with Backup-as-a-Service (BaaS) and Disaster-Recovery-as-a-Service (DRaaS) resides in the cloud.”

So, unlike WAN optimisation, which relies on compression and deduplication and therefore gains little on encrypted data, WAN and data acceleration work on the velocity of the data transfer itself. Data acceleration also mitigates the impact of network latency, which can otherwise undermine DRaaS: a replica is only useful if it can be kept current and restored across the same long link within the agreed recovery objectives. Beyond data acceleration, the trouble is that there is no efficient traditional way of moving large data volumes around, and the options are often limited for customers.
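The latency point above can be put in numbers. The following is an added worked example, not from the article or from Bridgeworks: it models why one TCP stream across a long link cannot fill it (a connection sends at most one receive window per round trip), how many parallel streams it takes to saturate the link (one of the basic data-acceleration techniques), and what that does to a backup window and to daily replication. The link rate, round-trip time, 64 KiB window, backup size and daily change volume are all assumed figures chosen for the illustration, not the gaming company’s.

```python
"""Bandwidth-delay arithmetic for cloud backup and replication.

Constructed example: the figures under __main__ are assumptions for illustration,
not measurements from the company discussed in the article."""
import math


def bandwidth_delay_product_bytes(link_bps: float, rtt_ms: float) -> float:
    """Bytes that must be in flight to keep the link busy for one round trip."""
    return link_bps / 8 * rtt_ms / 1000


def single_stream_bps(window_bytes: int, rtt_ms: float) -> float:
    """One TCP connection can deliver at most one receive window per round trip,
    however fast the link is: latency, not bandwidth, sets this ceiling."""
    return window_bytes * 8 * 1000 / rtt_ms


def streams_to_fill_link(link_bps: float, window_bytes: int, rtt_ms: float) -> int:
    """Parallel streams needed so their combined rate reaches the link rate.
    Running many streams side by side is a basic data-acceleration technique."""
    per_stream = min(link_bps, single_stream_bps(window_bytes, rtt_ms))
    return math.ceil(link_bps / per_stream)


def transfer_seconds(size_bytes: float, effective_bps: float) -> float:
    """Wall-clock time to move size_bytes at the achieved rate."""
    return size_bytes * 8 / effective_bps


def replication_keeps_up(daily_change_bytes: float, effective_bps: float) -> bool:
    """Replication only stays current if a day's changes cross the link in under a day."""
    return transfer_seconds(daily_change_bytes, effective_bps) <= 86400


if __name__ == "__main__":
    LINK = 1e9            # 1 Gbit/s WAN to the cloud region (assumption)
    RTT = 80              # ms round trip from HQ to a distant region (assumption)
    WINDOW = 64 * 1024    # untuned 64 KiB TCP receive window (assumption)
    BACKUP = 1e12         # 1 TB full backup (assumption)
    CHANGE = 200e9        # 200 GB of changed data per day to replicate (assumption)

    one = single_stream_bps(WINDOW, RTT)
    print(f"in-flight data needed to fill link: "
          f"{bandwidth_delay_product_bytes(LINK, RTT) / 1e6:.1f} MB")
    print(f"single stream: {one / 1e6:.1f} Mbit/s of {LINK / 1e6:.0f} Mbit/s available")
    print(f"parallel streams to fill link: {streams_to_fill_link(LINK, WINDOW, RTT)}")
    print(f"1 TB backup: {transfer_seconds(BACKUP, one) / 86400:.1f} days single-stream, "
          f"{transfer_seconds(BACKUP, LINK) / 3600:.1f} h at line rate")
    print(f"daily replication keeps up on one stream: {replication_keeps_up(CHANGE, one)}")
```

With these assumptions a single untuned stream gets about 6.5 Mbit/s out of a 1 Gbit/s link, a 1 TB backup takes two weeks instead of just over two hours, and a day’s changes take almost three days to replicate; widening the window or running many streams in parallel is what closes that gap, and neither depends on the payload being unencrypted.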


Lack of funding exposes US federal agencies to high data breach risks

Budget cuts and other restraints are hampering the government from effectively protecting itself against cyberattacks.

US federal agencies suffer the highest volume of data breaches out of government agencies worldwide and budgets are part of the
problem, new research suggests.

On Thursday, cybersecurity firm Thales, in conjunction with analyst firm 451 Research, revealed the results of a new study into
the security practices and effectiveness of government entities.

The 2018 Thales Data Threat Report, Federal Edition, suggests that US federal agencies are not only experiencing more data breaches than in past years but are also reporting higher rates than their non-US government counterparts.

According to the survey, based on the responses of IT professionals working in the federal sector, 57 percent of federal agencies
experienced a data breach in the past year, in comparison to only 26 percent of non-US government agencies worldwide.

This is a vast jump from an estimated 34 percent in 2016 – 2017, and 18 percent in 2015 – 2016.

In addition, 68 percent of respondents say their agencies are “very” or “extremely” vulnerable to the cybersecurity challenges of
today, while only 48 percent of global counterparts admit to the same.

The US government is pushing for IT modernization as part of the Trump Administration’s Executive Order 13800. The order has been
met with mixed reviews due to a demand for a full-scale review in a very short timeframe and a lack of concrete requirements to
modernize cybersecurity.

The problem is one faced not only by government agencies but the enterprise at large today. There is a critical need to revamp
systems and reduce the risk of data breaches and successful cyberattacks, but legacy systems, antiquated software and a lack of
funding can make adequate security an impossible task.

Thales suggests that funding is an issue for federal agencies, too.

The overall federal IT budget dropped by roughly $6.2 billion in 2017, and while the White House has set aside investment for over
4,000 IT projects in mission delivery, administrative services, and support systems, IT infrastructure, security, and IT
management, according to Thales, cuts are anticipated over the coming year which may impact basic IT budgetary needs.

According to the federal 2018 budget (.PDF), from 2015 through 2018, government-wide legacy spending as a percentage of total IT
spending rose from 68 percent to 70.3 percent.

With such a large share of IT spending going just to keep old, insecure legacy systems running, it is no wonder that many employees in the federal sector have concerns over adequate security.

“Aging legacy systems may pose efficiency and mission risk issues, such as ever-rising costs to maintain and an inability to meet
current or expected mission requirements,” the budget reads. “Legacy systems may also operate with known security vulnerabilities
that are either technically difficult or prohibitively expensive to address and thus may hinder agencies’ ability to comply with
critical statutory and policy cybersecurity requirements.”

Perhaps in order to maintain the balance sheet, federal agencies are turning towards cloud services, with 45 percent of
respondents saying that their agency uses more than five Infrastructure-as-a-Service (IaaS) vendors.

In addition, 48 percent of those surveyed said over 100 Software-as-a-Service (SaaS) applications are in use.

With the weight of legacy systems pushing on their shoulders and the need to work with new, more innovative technologies and
services at the same time, over two-thirds — 72 percent — of respondents said that they are becoming increasingly concerned over
vulnerabilities spawned from shared infrastructures.

A further 62 percent were concerned about who has access to encryption keys, and where.

In total, 68 percent of those surveyed added that they are concerned about potential data breaches stemming from the cloud.

“The massive adoption of cloud computing does not correlate with implementations of data security tools suited to protect these
new environments,” said Garrett Bekker, Principal Analyst for Information Security at 451 Research. “Although 78 percent view
data-in-motion and 77 percent view data-at-rest encryption as the most effective tools for protecting data, only 23 percent of US
respondents have implemented encryption in the cloud. Additionally, only 31 percent claimed cloud computing security was a top
spending priority.”

Despite these worries, 93 percent of respondents said that security spending will be increased over the coming year within their
IT budgets. In total, 56 percent plan to spend their budgets by focusing on endpoint security, 48 percent will hone in on network
security, and 19 percent view data-centric security as a focal point.


According to the survey respondents, complexity, business impact, and a lack of funding are all adoption barriers to modern
cybersecurity protection.

However, federal IT employees and agencies as a whole remain motivated to do more. In total, 53 percent of survey respondents said
the implementation of best practices and the avoidance of penalties are key motivators for change.

In addition, compliance scored highly at 43 percent.

In January, the United States Department of Homeland Security (DHS) confirmed that a data breach took place at the DHS Office of
Inspector General (OIG), leading to sensitive data belonging to 247,167 employees being exposed.


Equifax says more private data was stolen in 2017 breach than first revealed

The credit rating agency said it didn’t originally announce “potential” data points, like tax identification numbers, that “may
have been accessed” by hackers.

Hackers stole more data from Equifax in a breach last year than initially thought.

In September, the Atlanta, GA-based credit giant revealed a huge data breach, including names, Social Security numbers, birth dates, home addresses, and in some cases driver’s license numbers. It was later confirmed that over 145 million people were affected, primarily Americans, but also some Canadians and British citizens.

The hack became the largest single data breach reported in 2017.

But documents seen by members of the Senate Banking Committee suggest the types of data stolen were wider than the company first

A letter published Friday by committee member Sen. Elizabeth Warren (D-MA) to acting Equifax chief executive Paulino do Rego
Barros summarized the senator’s five-month investigation into the Equifax breach, which said exposure of tax identification
numbers (TINs), email addresses, and additional license information — such as issue dates and by which state — was not
originally disclosed.

The news of the documents was first reported by The Wall Street Journal.

Tax identification numbers are usually issued by the Internal Revenue Service to workers who aren’t eligible for a Social Security
number, like foreign nationals, in order to report income and file tax returns.

Tax identification numbers were likely exposed because they were found in the same portion of the database where other tax
numbers, like Social Security numbers, were stored.

Commenting in several tweets, Warren said: “In October, when I asked the CEO about the precise extent of the breach, he couldn’t
give me a straight answer. So for five months, I investigated it myself.”

“My investigation revealed the depth of the breach and cover-up at Equifax,” she added. “And since I published the report, Equifax
has confirmed it is even worse than they told us.”

When reached, an Equifax spokesperson called the Journal’s headline “extremely misleading,” but confirmed that some additional
data points were impacted by the breach.

“We are fully aware — and have been — of the data that was stolen,” said spokesperson Meredith Griffanti in an email to ZDNet.

The company said it has always been up front about the data “primarily included” in the breach, but recently gave the Senate
Banking Committee data points “that may have been accessed that we categorized and analyzed in the forensic investigation.”

“Some of these were impacted — and some, like passports or [card verification numbers] for example, were not,” said Griffanti.

“We sent direct mail notices to those consumers whose credit card numbers or dispute documents with [personal data] were
impacted,” the spokesperson confirmed.


PSA: Stop uploading your bitcoin wallet keys and credit cards to file-sharing sites

You’d be surprised at how many people do it daily.

What’s the first thing you do with a new credit card?

Peel off the sticky label on the front and activate it? Rush to the store to try it out for the first time? Or, do you post a
photo of it (both sides!) to social media for the world to see?

One of those answers was a big “no-no.”

That said, you’d be surprised at how many people do it daily.

In the past week, we were alerted to a high-profile file sharing site, which lets anyone search other users’ uploaded files. You
name it — it’s there — and credit cards are just the tip of the iceberg of sensitive files.

We spent a few hours searching the site with common search terms, and we found a ton of sensitive information — beyond credit
cards — including completed tax returns (with names, addresses, financial information, and Social Security numbers), scanned
passport photos, and password lists, which, if used, could allow an attacker access to online accounts. We even found bitcoin
wallet private keys, making it easy to hijack entire wallets full of bitcoin and other cryptocurrency. The results would regularly
include explicit images, regardless of search terms.

That kind of exposed data puts anyone whose information is out there at risk of theft, credit card and tax return fraud, identity
theft or impersonation, and extortion.

We’re not naming the site, because the sensitive data remains online. The site did not respond to a request for comment prior to

File-sharing sites have long been a semi-lawless corner of the internet where almost anything goes. Many previously popular sites no longer exist — often shut down for copyright violations after taking an unmoderated and lax approach to removing pirated movies and music. Others preemptively pulled the plug of their own accord, for fear of also facing criminal charges.

Of the few that still exist, nearly all have been at the center of privacy breaches. More often than not, it’s been as a result of
careless uploading by the user themselves.

I know — hell, even you know — this shouldn’t need to be said, but please stop putting your personals on the internet.

With enough exposed data out there already, don’t make it any easier for the criminals.
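A practical counterpart to that advice, added here as an example and not part of the original article: a small scanner to run over a file before it leaves your machine, covering three of the categories found on the site. It flags Luhn-valid payment card numbers, Bitcoin private keys in Wallet Import Format (WIF), and US Social Security number-shaped strings. It validates candidates rather than trusting a regex alone: a card number must pass the Luhn check and a WIF string must carry a correct Base58Check checksum (0x80 version byte, 32-byte key, optional 0x01 compression flag, four bytes of double SHA-256), so look-alike strings are dropped. The site is not named, so the sample text is constructed here, and the 32-byte private key is a placeholder, not a real key.

```python
"""Pre-upload scanner for secrets of the kind found on the file-sharing site:
payment card numbers, Bitcoin WIF private keys and SSN-shaped strings.
The sample text at the bottom is constructed for this example."""
import hashlib
import re

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # each leading zero byte becomes '1'
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)             # ValueError on a non-Base58 char
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def wif_encode(privkey: bytes, compressed: bool = True) -> str:
    """Base58Check a private key exactly as wallets export it (mainnet)."""
    payload = b"\x80" + privkey + (b"\x01" if compressed else b"")
    return b58encode(payload + _checksum(payload))


def is_wif(candidate: str) -> bool:
    """True only if the Base58Check checksum verifies; rejects look-alikes."""
    try:
        raw = b58decode(candidate)
    except ValueError:
        return False
    if len(raw) not in (37, 38) or raw[0] != 0x80:
        return False
    return _checksum(raw[:-4]) == raw[-4:]


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")               # 13-19 digits, separators allowed
WIF_RE = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")      # 51/52-char mainnet WIF shape
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def scan(text: str) -> dict:
    """Return validated findings; regex hits that fail their checksum are dropped."""
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    wifs = [m.group(0) for m in WIF_RE.finditer(text) if is_wif(m.group(0))]
    return {"cards": cards, "wif_keys": wifs, "ssns": SSN_RE.findall(text)}


# Constructed sample of what a careless upload might contain (placeholder key, test card).
TEST_KEY = bytes(range(1, 33))
GOOD_WIF = wif_encode(TEST_KEY)
# Same shape as a real key, but the last character is changed so the checksum fails.
BAD_WIF = GOOD_WIF[:-1] + ("a" if GOOD_WIF[-1] != "a" else "b")
SAMPLE = f"""card: 4111 1111 1111 1111  typo: 4111 1111 1111 1112
ssn: 078-05-1120
wallet backup: {GOOD_WIF}
not a key: {BAD_WIF}
"""

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE).items():
        print(f"{kind}: {len(hits)} -> {hits}")
```

Run against a directory of files before syncing it anywhere, the point of the checksum validation is low noise: a 52-character Base58 string is only reported when the checksum actually verifies, and a number is only reported when it could really be a card, so the tool can block an upload without drowning you in false alarms.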


Japan punishes Coincheck after $530m cryptocurrency theft

Coincheck has been ordered by Japan’s financial regulator to get its act together after hackers stole $530 million worth of
digital money from its exchange.

Japan’s financial regulator has ordered Coincheck to get its act together after hackers stole $530 million worth of digital money
from its exchange, jolting the nation’s cryptocurrency market in one of the biggest cyber heists.

The theft highlights the vulnerabilities in trading an asset that global policymakers are struggling to regulate and the broader
risks for Japan as it aims to leverage the fintech industry to stimulate economic growth.

The Financial Services Agency (FSA) said on Monday it has ordered improvements to operations at Tokyo-based Coincheck, which on
Friday suspended trading in all cryptocurrencies except bitcoin after hackers stole 58 billion yen of NEM coins.

Coincheck said on Sunday it would return about 90 percent with internal funds, though it has yet to figure out how or when.

Japan started to require cryptocurrency exchange operators to register with the government in April 2017, allowing pre-existing
operators such as Coincheck to continue offering services ahead of formal registration.

The FSA has registered 16 cryptocurrency exchanges so far, and another 16 or so are still awaiting approval while continuing to

Coincheck has said its NEM coins were stored in a “hot wallet” instead of the more secure “cold wallet”, outside the internet.

NEM fell to $0.78 from $1.01 on Friday, before recovering to around $0.97 on Monday, according to CoinMarketCap.

Singapore-based NEM Foundation said it had a tracing system on the NEM blockchain and that it had “a full account” of all of
Coincheck’s lost NEM coins.

It added that the hacker had not moved any of the funds to any exchange or personal accounts but that it had no way to
independently return the stolen funds to its owners.

World leaders meeting in Davos last week issued fresh warnings about the dangers of cryptocurrencies, with US Treasury Secretary
Steven Mnuchin relating Washington’s concern about the money being used for illicit activity.

Within the world of cryptocurrencies, theft is as regular as investors declaring “this time it is different” and “this is good for

Last week, a report from Ernst & Young said over 10 percent of all funds exchanged during initial coin offerings were finding
their way into the hands of criminals. This works out to roughly $400 million in cryptocurrency from $3.7 billion in funding
between 2015 and 2017.

In December, bitcoin mining platform and exchange NiceHash was hit, with 4,736.42 bitcoin disappearing in the attack. At the time, the bitcoin was worth around $68 million, but the price of the cryptocurrency has dropped since.

Security firm SecureWorks said in December it had uncovered a spearphishing campaign targeting employees at cryptocurrency firms
in a bid to steal bitcoin. The attacks are thought to be the work of The Lazarus Group, a hacking operation believed to be
associated with North Korea.

“Our inference based on previous activity is that this is the goal of the attack, particularly in light of recent reporting from
other sources that North Korea has an increased focus on bitcoin and obtaining bitcoin,” Rafe Pilling, senior security researcher
at SecureWorks, told ZDNet at the time.

Because bitcoin is only pseudonymous and its transactions can be traced on the public ledger, criminals have been looking at digital currencies with stronger privacy properties, such as Monero and Zcash.

A new technique for cryptocurrency mining has appeared in the form of JavaScript served up to website visitors and run in their browsers, typically through ad units, spiking CPU usage on the visitor’s machine. One of the most popular scripts is from Coinhive, which in October asked that site owners make users aware of what is going on.

“We’re a bit saddened to see that some of our customers integrate Coinhive into their pages without disclosing to their users
what’s going on, let alone asking for their permission,” the company said. “We believe there’s so much more potential for our
solution, but we have to be respectful to our end users.”


With businesses fumbling, Singapore must take more care in data aspirations

The Singapore government has been opening up user data access to ease information exchange and business transactions, but it should observe some caution as major organisations continue to slip up over security.

The Singapore government has been opening up access to citizen data to facilitate business transactions and information exchange, but with organisations fumbling over security including major global firms, it needs to take a step back and seriously assess the implications.

Its efforts were touted as essential in the country’s smart nation drive, where emphasis had been placed on providing data to spur the development of new citizen services and support data analytics and Internet of Things (IoT).

However, with businesses losing customer data to hackers and resorting to questionable practices in managing such data, the Singapore government needs to take a step back and evaluate potential risks it may be introducing to citizens in opening up access to their data.

My own concerns here were compounded when I recently changed banks in refinancing a home loan. After almost two frustrating months of back and forth as the bank, to which I was moving the loan, asked for supporting documents and other details, the transfer was finally approved and I was asked to make a visit to sign the final application form.

Only then was I informed that, as a condition of taking on the bank’s loan, I would have to purchase my home insurance coverage from its insurance partner–even though I already had an existing one from another provider. I also was required to buy a mortgage insurance policy from, again, its preferred partner.

When I expressed my displeasure that I wasn’t told about this before I started the application process and, more importantly, over the lack of consumer choice, the bank said I could still decide not to go ahead with the transfer. However, after spending two months pushing through the process, I certainly wasn’t ready to waste another two months sourcing for and signing up with another bank.

Also, buried inside the fine print, the bank stated it was able to share my personal data with the partner, which also had the option to use my data to send me marketing mailers, amongst others.

Presumably, because it is a major market player, the bank has included these service terms legally and within the confines of Singapore’s personal data protection laws.

If that is the case, consumers like me should have more cause for concern especially as more partnerships between different industry sectors are established–and more of our data face the possibility of being “cross-pollinated”.

Sign up as a bank customer and you’ll receive marketing messages from insurance companies you’re not a customer of, or buy a cup of latte and get a push message from an online furniture shop to purchase the chair you’re sitting on in the cafe.

And that’s just cause for minor irritation, compared to the heightened risk consumers then will face with their data increasingly exposed as more and more companies gain access to it.

As it is, even global companies including Uber and AXA Insurance have fallen prey to cyber hackers, resulting in customer data including those in Singapore being compromised. The Singapore government itself has suffered security breaches and uncovered lapses in its IT system control.

More worrying, cybersecurity still isn’t a top priority in boardroom discussions despite most companies in this region having experienced a security breach.

The Singapore government has assured that citizen data are safely protected across its agencies’ databases and systems, but that alone isn’t enough. With businesses sharing customer data amongst their partners, including the likes of Google that continue to collect information without consent, the government needs to also ensure access to citizen data serves only to facilitate a specific transaction and to the citizen’s benefit.

Organisations that are given access should have their systems and security measures audited, and they must adhere to guidelines on how citizen data should be managed and used.

Easing data access to improve service delivery is a good thing, but this should be carried out alongside strict policies to make sure businesses do not step out of line. One wrong step and citizens will lose confidence in the system, and Singapore’s smart nation drive will face a serious roadblock.


Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia

Australia’s Notifiable Data Breaches scheme will come into force next month. Here is what it means and how it will affect organisations, and individuals, in Australia.


Australia’s Notifiable Data Breaches (NDB) scheme comes into effect on February 22, 2018, and as the legislative direction is aimed at protecting the individual, there’s a lot of responsibility on each organisation to secure the data it holds.

The NDB scheme falls under Part IIIC of the Australian Privacy Act 1988 and establishes requirements for entities in responding to data breaches.

What that means is all agencies and organisations in Australia that are covered by the Privacy Act will be required to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.

Tax file number (TFN) recipients, to the extent that TFN information is involved in a data breach, must also comply with the NDB.

In addition to notifying individuals affected, under the scheme, organisations must provide recommendations on how those affected should respond, as well as what to do now their information is in the wild. The Australian Information Commissioner, currently Timothy Pilgrim, must also be notified of the breach.

“The NDB scheme formalises an existing community expectation for transparency when a data breach occurs,” Pilgrim told ZDNet. “Notification provides individuals with an opportunity to take steps to protect their personal information, and to minimise their risk of experiencing harm.”

Intelligence agencies, not-for-profit organisations or small businesses with turnover of less than AU$3 million annually, credit reporting bodies, and political parties are exempt from the NDB.


In general terms, an eligible data breach refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.

Examples of a data breach include when a device containing customers’ personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.

An employee browsing sensitive customer records without any legitimate purpose could constitute a data breach as they do not have authorised access to the information in question.

The NDB scheme uses the phrase “eligible data breaches” to specify that not all breaches require reporting. An example of this is where Commonwealth law prohibits or regulates the use or disclosure of information.

An enforcement body — such as the Australian Federal Police (AFP), the police force or service of a state or a territory, the Australian Crime Commission, and the Australian Securities and Investments Commission — does not need to notify individuals about an eligible data breach if its CEO believes on reasonable grounds that notifying individuals would be likely to prejudice an enforcement-related activity conducted by, or on behalf of, the enforcement body.

Although not always required to disclose a breach, a spokesperson for the AFP told ZDNet the AFP would be complying with its notification obligations in all circumstances where there are no relevant exemptions under the Act.

If the Australian Information Commissioner rules the breach is not bound by the NDB scheme, organisations may not have to disclose it any further.

In addition, data breaches that are notified under s75 of the My Health Records Act 2012 do not need to be notified under the NDB scheme, as they have their own binding process to follow, which also lies under the umbrella of the Office of the Australian Information Commissioner (OAIC).


As the NDB dictates an objective benchmark in that the scheme requires a “reasonable person” to conclude that the access or disclosure is “likely to result in serious harm”, Melissa Fai, special counsel at Gilbert + Tobin, told ZDNet that in assessing the breach, an organisation should interpret the term “likely” to mean more probable than not — as opposed to merely possible.

“Serious harm” is not defined in the Privacy Act; but in the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm.

Information about an individual’s health; documents commonly used for identity fraud, including Medicare card, driver’s licence, and passport details; financial information; and a combination of types of personal information — rather than a single piece of personal information — that allows more to be known about an individual can all cause serious harm.

In assessing the risk of serious harm, entities should consider the broad range of potential kinds of harm that may follow a data breach.


Agencies and organisations that suspect an eligible data breach may have occurred must undertake a “reasonable and expeditious assessment” based on the above guidelines to determine if the data breach is likely to result in serious harm to any individual affected.

If an entity is aware of reasonable grounds to believe that there has been an eligible data breach, it must promptly notify individuals at risk of serious harm and the commissioner about the breach.

The notification to affected individuals and the commissioner must include the following information: The identity and contact details of the organisation, a description of the data breach, the kinds of information concerned, and recommendations about the steps individuals should take in response to the data breach.

Entities have 30 days to conduct an assessment if they are unsure a breach meets the threshold of an eligible data breach. As soon as they believe a breach is an eligible data breach, they must notify individuals and the commissioner as soon as practicable.

The NDB scheme, however, provides entities with the opportunity to take steps to address a data breach in a timely manner and so avoid the need to notify further — including notifying individuals whose data has been exposed.


Failure to comply with the NDB scheme will be “deemed to be an interference with the privacy of an individual” and there will be consequences.

Gilbert + Tobin’s Fai explained that if an organisation is found to have hidden an eligible data breach, or is otherwise found to have failed to report an eligible data breach, such failure will be considered an interference with the privacy of an individual affected by the eligible data breach, and serious or repeated interferences with the privacy of an individual can give rise to civil penalties under the Privacy Act.

If the data breach that the organisation has failed to report is serious, or if the organisation has failed to report an eligible data breach on two or more separate occasions, Fai explained the OAIC has the ability to seek a civil penalty order against the organisation of up to AU$2.1 million, depending on the significance and likely harm that may result from the data breach.

“Of course, an organisation must also consider the risk of reputational damage to its brand and the commercial damage that might flow from that, particularly given the growing importance to an organisation’s bottom line of consumer trust in an organisation’s data management policies and processes and its ability to respond quickly, effectively, and with integrity to data breaches,” Fai added.

“The effects of the data breach on Equifax last year and its response are a case in point.”


The commissioner has a number of roles under the NDB scheme, which includes receiving notifications of eligible data breaches; encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non-compliance; and offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.

The OAIC has published guidelines on the scheme, which also includes information on how to deal with the aftermath of a breach.


The federal government finally passed the data breach notification laws at its third attempt in February 2017.

A data breach notification scheme was recommended by the Joint Parliamentary Committee on Intelligence and Security in February 2015, prior to Australia’s mandatory data-retention laws being implemented.


According to Gilbert + Tobin, organisations should be at the very least getting familiar with what data they have, where it is kept, and who has access to it.

Assessing existing data privacy and security policies and procedures to make sure organisations are in a position to respond appropriately and quickly in the event of a data breach is also important.

“This should include a data breach response plan which works across diverse stakeholders in an organisation and quickly brings the right people — such as from IT, legal, cybersecurity, public relations, management, and HR — together to respond effectively,” Fai told ZDNet.

It wouldn’t hurt to continuously audit and strengthen cybersecurity strategies, protection, and tools to avoid and prevent data breaches.

“It is also important that an organisation’s personnel are aware of the NDB scheme. Personnel need appropriate training, including to identify when an eligible data breach may have occurred and how to follow an entity’s policies and procedures on what to do next,” Fai explained, adding that this also extends to suppliers and other third parties that process personal information on the organisation’s behalf.


From May this year, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where every ounce of data is stored.

Organisations that fail to comply with the regulation requirements could be slapped with administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The laws do not stop at European boundaries, however, with those in the rest of the world, including Australia, bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The GDPR and the Australian Privacy Act share many common requirements, but there are a bunch of differences, with one crucial element being the time to disclose a breach.

Under the NDB scheme, organisations have a maximum of 30 days to declare the breach; under the GDPR, organisations have 72 hours to notify authorities after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

“In sum, if an Australian organisation is subject to the GDPR regime when it comes into effect in May this year, it needs to comply with its obligations under both regimes — although the two regimes contain different requirements, they are not mutually exclusive,” Fai added. “However, when it comes to data breaches, the high watermark of compliance is complying with the European regime.”


Any organisation that has purchased a security solution from a vendor knows that there is no silver bullet to completely secure an organisation.

“When it comes to data breaches, everybody is looking for something, a product, a process, a standard to prevent them completely. Unfortunately, this isn’t possible,” Symantec CTO for Australia, New Zealand, and Japan Nick Savvides told ZDNet.

“The first thing any organisation should do is understand that data breaches are not always preventable but they are mitigatable. Whether the data breach is a result of a compromise, malicious insider, or even a well-meaning insider accidentally leaking information, mitigations exist.”

Breaking the mitigations into three parts, Savvides said the first is dealing with a malicious attacker, the second is having information-centric security which he said applies to all scenarios, and the third mitigation category is the response plan.

“Most organisations don’t have very effective response plans for a data breach event. They might have a plan, but from what has been seen, the plans are generally very academic in nature rather than practical and often get bypassed in the case of a real event,” he explained.

“Organisations need to have processes for having incidents reported, a clear plan on who to involve, what process to follow, and a clear PR message.”

Savvides said it is clear that users value transparency and clear speech rather than ambiguous legalese responses some organisations have produced.

“The commencement of the scheme is also a timely opportunity for organisations to take stock of the personal information they collect and hold, and how it is managed,” Pilgrim added. “By ensuring personal information is secured and managed appropriately, organisations can reduce the likelihood of a data breach occurring in the first place.”


Business must tone down its lust for big data

Privacy is a human right, and businesses need to remember that. So do governments.

It should come as no surprise that when key industry bodies write submissions to government consultations they’re self-serving. That’s what such lobby groups are for, right?

But in its submission to the current consultation on developing a national Digital Economy Strategy, the Australian Chamber of Commerce and Industry (ACCI) has gone beyond the usual bleatings about tax breaks, more “flexible” employment conditions, and a call for the government to pay for the vocational training that businesses have long since stopped doing for themselves.

The ACCI wants more access to government data.

“Other governments, such as the United Kingdom and Canada, are ahead of the Australian government in terms of open data,” the ACCI writes in its submission [PDF].

“It is vital for businesses to have access to cohesive and complete public datasets. Datasets provided by the government that are more complete can, in turn, produce more accurate analytics, drive efficiencies and productivity in both the public and private sectors. If the range and breadth of raw government data increased, it would encourage digital integration between the public and private sector in Australia.”

Leaving aside the question of whether such access really is “vital” rather than merely “useful”, we should remember that it has been collected at taxpayers’ expense. Nowhere does the ACCI suggest that businesses might pay for it, however. Nor do they suggest a modest increase in the corporate tax rate. Of course.

The ACCI also calls for more system integration and interoperability between government agencies, so that “data would be requested from businesses only once … This could also be expanded to include data exchange capabilities between different international jurisdictions”.

There are barriers to overcome, of course. The ACCI identifies, for example, “legislative restrictions; a culture of risk aversion; lack of national leadership for data sharing and release; and, [that] the extent of productive linking and integration of datasets varies substantially across jurisdictions.”

Yet nowhere in the ACCI’s submission is the word “privacy”.

Nowhere is the phrase “data breach”.

That’s a worry, especially given the rapidly increasing ease but little-understood risks of the re-identification of supposedly de-identified data. Look no further than the recent re-identification of Australian health data that the government had published.

Privacy has taken a back seat to a lust for big data, according to Steve Wilson, vice-president and principal analyst with Constellation Research.

“Data scientists seem to think they can tick a privacy box and just get on with their analyses, perhaps because some consultant has said ‘privacy is a positive sum game’,” Wilson told ZDNet.

“Well no, privacy is about restraint. Privacy is mostly not about what we do with data, but what we don’t do with data. Privacy considerations mean that the risk of some of big data’s grand missions might just not be worth it.”

Wilson believes that some people have a “fetish for data and open data”, a largely unproven faith that all this data will lead to better evidence-based policy.

I agree.

“Big data is a dangerous, faith-based ideology. It’s fuelled by hubris, it’s ignorant of history, and it’s trashing decades of progress in social justice,” I wrote in 2014.

Since then little has changed, although it’s possible that the increasing public awareness of the scale and scope of data collection, and the expanding news coverage given to data breaches, may change that. Australia’s mandatory data breach notification laws come into force in just a few weeks. Wait and see.

“I don’t believe we have properly accounted for the privacy risks,” Wilson said.

“People have a human right to privacy, but I am not aware of any basic business right to obtain and process data.”

