More stories

  • Australia seeks stiffer penalty for data breaches amidst spate of security incidents

    Australia wants organisations to dig deeper for serious or repeated data privacy breaches, forking out maximum fines of up to AU$50 million ($31.57 million). The move to increase penalties for violations comes amidst a spate of cybersecurity incidents that compromised customer data, with the latest involving insurance group Medibank. Attorney-General Mark Dreyfus unveiled plans to introduce legislation in parliament this week that would push the financial punishment for privacy violators up from the current AU$2.22 million ($1.4 million). The new rules will be outlined in Australia’s Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which can be applied under the Privacy Act 1988 for “serious or repeated” privacy breaches. Following the update, companies found to have committed such breaches will be fined AU$50 million, or three times the value of any benefit the company obtained through the misuse of information, or 30% of the company’s adjusted turnover in the relevant period, whichever is greater. The Bill also will afford the Australian Information Commissioner “greater power” to resolve privacy breaches, as well as strengthen the Notifiable Data Breaches scheme, which will provide the Commissioner with full knowledge of the information that was compromised in a breach so it can assess the risk of harm to affected individuals. In addition, the Commissioner and the Australian Communications and Media Authority will be better empowered to share information in the event of a data breach.

    Dreyfus said: “When Australians are asked to hand over their personal data they have a right to expect it will be protected. Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”

    “We need better laws to regulate how companies manage the huge amount of data they collect and bigger penalties to incentivise better behaviour,” he said.

    Australian policy makers earlier had pushed for more severe fines to be meted out following a major breach involving local telco Optus, which compromised the data of 9.8 million customers, including email addresses, phone numbers, and other personal identification information.

    Medibank breach compromises health records

    In another breach that followed Optus’, Medibank on October 13 revealed it detected “unusual activity” on its network that was later found to have compromised the personal data of customers under its subsidiary, ahm, as well as international student customers. In a statement yesterday, it said it had received files from the alleged hacker that contained 1,100 ahm policy records comprising personal and health claims data, as well as some Medibank, further ahm, and international student customer information. One of Australia’s largest health insurance companies, Medibank last week said the hacker claimed to have stolen 200GB worth of data that included customer names, addresses, dates of birth, and policy numbers. Compromised data concerning customer claims included the location at which the customer received medical services and codes related to their diagnosis and procedures. The hacker also said it had data related to credit card security, though Medibank said it had yet to verify this. “Given the complexity of what we have received, it is too soon to determine the full extent of the customer data that has been stolen,” it said. “We will continue to analyse what we have received to understand the total number of customers impacted and, specifically, which information has been stolen.”

    The insurance company added that the breach currently was under criminal investigation by the Australian Federal Police. It also was working with cybersecurity vendors, the Australian Cyber Security Centre, and other relevant government agencies, it said. Medibank said: “As we continue to investigate the scale of this cybercrime, we expect the number of affected customers to grow as this unfolds.”

    Financial services regulator Australian Prudential Regulation Authority (APRA) on Monday released a statement reminding industry players to put in place data security controls and ensure they complied with sectoral regulations. Pointing to requirements outlined in Prudential Standard CPS 234 Information Security, the government agency said APRA-regulated entities should have clearly defined cybersecurity roles and responsibilities held by their boards, senior management, governing bodies, as well as individuals. They also had to maintain an information security capability in line with the size and extent of threats to their data assets, deploy controls to safeguard those data assets, and run systematic tests to ensure the effectiveness of such controls. APRA added that the recent security breaches served as a reminder that such threats continued to escalate. It underscored the need for regulated entities to review and regularly test incident response plans.

  • Criminals are starting to exploit the metaverse, says Interpol. So police are heading there too

    The International Criminal Police Organization, aka Interpol, has launched its ‘global police Metaverse’ as part of an effort to train members how to police in a virtual world. Last week, Interpol unveiled what it says is “the first ever Metaverse specifically designed for law enforcement worldwide.” It says the “Interpol Metaverse” gives […]

  • FBI warning: This ransomware group is targeting poorly protected VPN servers

    The FBI and other agencies are warning of a rise in Daixin Team ransomware and data extortion attacks on healthcare providers. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) have issued a joint warning about Daixin Team activity against the healthcare and public […]

  • 5 quick tips for better Android phone security right now

    Attention, all Android phone users: Keeping your phone secure is important. These days, it’s sadly easy for malicious hackers to drain your bank account or steal your data. Keeping up with your security practices on the front end makes it a lot less likely you’ll have to spend time, energy, and maybe […]

  • Your guide to the dark web and how to safely access .onion websites

    When the dark web is mentioned online, it is usually in tandem with criminal marketplaces and arrests made by law enforcement agencies. Drugs, weapons, and stolen IP and data are all hot businesses on the dark web, with hundreds of terabytes of information on offer. Traders cash in on stolen credit card data dumps, initial access points to vulnerable systems, credentials, and intellectual property belonging to companies compromised during cyberattacks. According to Kela’s 2022 Threat Intelligence report (PDF), 48% of organizations have no documented dark web threat intelligence policy in place, despite the obvious danger. However, the dark web has far more uses for organizations and individuals than what a small subset of criminals do under its umbrella. To access a dark web address, you need a Tor-capable browser (the Tor Browser is the standard choice); some users additionally route through a VPN. The aim is to reduce your online footprint as much as possible, anonymize your traffic, and disguise your location. There are many legitimate uses for dark web services and communication. For example, this can include tools hosted for combating censorship, critical services for individuals in countries with stringent government surveillance and control, as well as privacy-enhancing anonymous email and whistleblower drop boxes. Some media outlets also maintain an online presence via the dark web when their surface websites are blocked, and other websites do the same when they are banned at the ISP level by countries during unrest and protests. Yes, the dark web has an unsavory reputation. However, remaining anonymous can be invaluable to protesters, civil rights groups, journalists, lawyers, and other vulnerable groups.
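One practical check before visiting a .onion address is to confirm the hostname is a well-formed version 3 onion address with a valid checksum, since a mistyped or tampered address fails that check rather than silently landing you on an unintended service. The following Python is an added example, not code from the original article or from the Tor Project; it implements the address layout and checksum rule from the Tor rendezvous v3 specification (base32 of a 32-byte public key, a 2-byte SHA3-256 checksum and the version byte 0x03), and the public key it uses is constructed for illustration, not a real service key.

```python
"""Parse and validate Tor .onion hostnames (added example, not from the article).

Per the Tor rend-spec-v3, a v3 address is
    base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
with CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] and
VERSION = 0x03. That is 35 bytes, i.e. exactly 56 base32 characters.
"""
import base64
import hashlib
from typing import Optional

V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes, version: bytes = V3_VERSION,
                    checksum: Optional[bytes] = None) -> str:
    """Build a .onion hostname from a 32-byte ed25519 public key.

    `version` and `checksum` exist only so a caller can construct
    deliberately malformed addresses to exercise the validator.
    """
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    if checksum is None:
        checksum = onion_v3_checksum(pubkey)
    raw = pubkey + checksum + version            # 35 bytes
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(hostname: str) -> str:
    """Return "v3" for a structurally valid v3 address whose checksum
    matches, "v2-deprecated" for the retired 16-character format (no
    longer reachable on the Tor network), or "invalid" otherwise.
    Any subdomain labels in front of the service address are ignored.
    """
    host = hostname.strip().lower()
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].rsplit(".", 1)[-1]
    if not label or any(ch not in BASE32_ALPHABET for ch in label):
        return "invalid"
    if len(label) == 16:
        return "v2-deprecated"
    if len(label) != 56:
        return "invalid"
    raw = base64.b32decode(label.upper())        # 56 chars -> 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        return "invalid"
    if checksum != onion_v3_checksum(pubkey):
        return "invalid"                         # typo or tampered address: do not connect
    return "v3"


if __name__ == "__main__":
    sample_key = bytes(range(32))                # constructed key, not a real service
    addr = encode_onion_v3(sample_key)
    print(addr, classify_onion(addr))
    bad = encode_onion_v3(sample_key, version=b"\x02")
    print(bad, classify_onion(bad))
```

The validator deliberately refuses the old 16-character v2 addresses rather than treating them as merely "unknown", because v2 services were removed from the network and any such link in a bookmark or document is stale at best. The checksum only catches accidental corruption and crude tampering; it says nothing about who controls the service, so a match is a precondition for connecting, not a trust decision.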

  • Battery-draining Android apps with 20 million downloads pulled from the Google Play Store

    Sixteen Android apps downloaded by a combined total of over 20 million users have been removed from the Google Play store after it was discovered they contained malware which uses up data and drains batteries. The malware has been discovered by cybersecurity […]

  • Singapore champions Asean CERT as region's cyber armour

    The Asean Regional Computer Emergency Response Team (CERT) has been formally established, operating as a virtual centre comprising analysts and incident responders from across member states. It is tipped to play a key role in beefing up the region’s cyber resilience amidst a threat landscape that is increasingly complex. It would deepen collaboration between CERTs amongst Asean member states and boost the region’s cybersecurity posture, said Minister for Communications and Information Josephine Teo, who was speaking at the Asean ministerial conference held Thursday in Singapore. Noting that the region already had conducted annual CERT incident drills since 2006 to boost the readiness of CERTs within the individual countries, Teo said setting up the Asean CERT was an important step in building regional cyber resilience. There currently are 10 Asean member states, including Singapore, Indonesia, Thailand, Malaysia, and the Philippines. The region in September 2018 agreed on the need for a formal framework to coordinate cybersecurity efforts, outlining cyber diplomacy, policy, and operational issues. Analysts and incident responders in the regional CERT would ensure timely information exchange when a cybersecurity incident, such as a supply chain attack, occurred in any of the member states. The CERT has eight functions, including facilitating coordination and information sharing between national CERTs and developing partnerships with industry players and academia. These served to boost Asean’s operational readiness in dealing with the changing cyber landscape through stronger regional incident response coordination and collaboration in critical information infrastructure (CII) protection. The latter would include cross-border CII, such as aviation, maritime, and banking and finance. “Regional CERT analysts would rapidly share information from their own countries and jointly develop advisories when needed,” Teo said. “We are weaving a tighter net that will hopefully help prevent cyber attackers from getting through too easily.”

    She said the regional CERT now would need to be operationalised, adding that Singapore had distributed a draft operational framework and was seeking feedback from member states. This document detailed the purpose, scope, functions, mechanism, as well as composition and partners of the Asean Regional CERT. The facility is targeted to be established by 2024, after both the operational framework and financing model have been agreed upon by member states. For the Asean CERT to be effective, every member state would have to be onboard and share information freely, said Alex Lei, Asia-Pacific Japan senior vice president at security vendor Proofpoint. While it was still early days to assess its effectiveness, establishing a cross-national CERT was a positive step forward, Lei said in an interview with ZDNET on the sidelines of the conference, which was held in conjunction with Singapore International Cyber Week. He noted the competitive landscape in cyber was “lopsided”, with the “defenders” such as organisations and nations often working in silos, while the attackers operated in a marketplace where there were no national divisions. Ransomware attacks also were offered as a service and hacking tools were freely sold, he said, with hackers all working together. Defenders, on the other hand, were concerned about their proprietary data, he added, but noted that this was starting to change with more willingness now to exchange threat intel. “So for the Asean CERT to work…the free exchange of ideas and information is important or you’ll lose leverage from what you’re seeing [in the threat landscape],” he said. Teo also pointed to the need to implement “rules, norms, and principles” of responsible state behaviour in cyberspace.

    Asean, she said, remained the first and only regional group to have subscribed, in principle, to the United Nations’ (UN) 11 voluntary, non-binding norms of responsible state behaviour in the use of ICTs. “All of us in Asean appreciate the importance of an open, secure, stable and interoperable cyberspace, based on mutual trust and confidence,” she said. “Developing the ‘rules of the road’ for cyberspace requires deliberate and consistent effort. We need to actively implement the 11 voluntary and non-binding norms.” She noted that a plan of action to put these principles into practice was endorsed last year, outlining concrete steps Asean members could take as well as specific areas they could focus on to drive capacity building.

    Importance of clarity, readiness in incident response

    Detailing clear steps to take was especially important to better guide businesses in mitigating security risks and incidents, said Imperva CTO Kunal Anand in an interview with ZDNET. He noted that companies were overwhelmed by the deluge of tools, concepts, and frameworks being thrown at them by security vendors. Market players also were touting different messaging on ways to address security risks, making it even more confusing for organisations, Anand said. It could be difficult for companies to really understand their risks, know what to invest in, and who to hire, he said, noting that this should be addressed by providing businesses with playbooks that offered clear steps to take to protect themselves. Pointing to Singapore’s CII supply chain guide, he noted that the document currently was not prescriptive and offered little as a constructive playbook for businesses to implement if they experienced a supply chain attack. Released by the Cyber Security Agency (CSA), the CII Supply Chain Programme Paper aimed to mitigate supply chain risks through five key areas, including a toolkit for CII owners to identify and rate supply chain risks. If there was another Log4j, for instance, CII operators needed to know how they should respond to a supply chain vulnerability, the steps to take, and how they should communicate and talk about it with their ecosystem, Anand said. The paper instead took a high-level view and did not detail the concrete steps companies should take to mitigate and address supply chain risks. He also pointed to the need to connect cybersecurity risks with financial risks. “We need to be more prescriptive so companies know where to begin and what to do,” he said, adding that Singapore could codify core principles and actions into such playbooks. That said, he noted that the Asian nation was amongst the most advanced in cybersecurity preparedness, with CSA making available many collaterals and guidelines, such as the supply chain paper, to support the local industry.

    SolarWinds’ head geek Sascha Giese also underscored the need for businesses to know exactly what had to be done in the event of a breach. Asked about gaps that needed to be plugged, Giese said companies still lacked preparation for worst-case scenarios, with their employees insufficiently trained on what they had to do in the event of a breach. Running incident response drills, for example, would allow organisations to fine-tune policies and the steps their staff should take, including public statements the company should make when a breach occurred. “Preparation is everything. You don’t place a fire extinguisher at the door only when a fire breaks out,” he said. “That’s what’s still missing even in big enterprises today.”