Cyber Forte (https://cyberforte.com.au), Australia's Leading Cyber Security Company

Australia will now fine firms up to AU$50 million for data breaches
https://cyberforte.com.au/australia-will-now-fine-firms-up-to-au50-million-for-data-breaches/
Thu, 28 Sep 2023 10:48:42 +0000
The Australian parliament has approved a bill to amend the country’s privacy legislation, significantly increasing the maximum penalties to AU$50 million for companies and data controllers who suffered large-scale data breaches.

The financial penalty introduced by the new bill is set to whichever is greater:

• AU$50 million
• Three times the value of any benefit obtained through the misuse of information
• 30% of a company’s adjusted turnover in the relevant period

Previously, the penalty for severe data exposures was AU$2.22 million, considered wholly inadequate to incentivize companies to improve their data security mechanisms.

The new bill comes in response to a series of recent cyberattacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country.

“The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month,” reads the media announcement.

“These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.”

The most notable incidents were the Optus telecommunication provider data breach that impacted 11 million people and the Medibank insurance firm ransomware attack that exposed the data of 9.7 million.

“Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business.” – Australian Government.

Apart from setting higher fines, the new bill also gives greater powers to the Office of the Australian Information Commissioner (OAIC) to get more involved in the privacy breach resolution and scope determination process.

OAIC has welcomed the passing of the amendment and promised Australians that it would use its enhanced role to better protect individuals and the country’s economy.

“The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation,” stated Commissioner Angelene Falk.

“In seeking penalties or taking regulatory action, our approach will continue to be pragmatic, evidence-based, and proportionate.”

For comparison, Europe’s GDPR sets fines of up to 10 million Euros or (whichever is higher) up to 2% of the global turnover of the preceding fiscal year.

For “especially severe violations,” the above is doubled to 20 million Euros and 4% of the annual turnover.
Latitude Financial counts the cost of cyber attack
https://cyberforte.com.au/latitude-financial-counts-the-cost-of-cyber-attack/
Mon, 25 Sep 2023 11:20:27 +0000

Latitude Financial is forecasting a first-half statutory loss of between $95 million and $105 million after a cyber attack “closed or severely restricted” its ability to earn income for five weeks.

The anticipated financial hit from the cyber attack and ensuing large-scale data breach, which occurred back in mid-March, covers its inability to collect payments or accept new sign-ups for five weeks, as well as a “provision” for remediation costs.

The company provides credit cards as well as personal loans via retailers.

In an ASX filing [pdf], Latitude said that “new account originations and collections were closed or severely restricted for a period of approximately five weeks”, meaning it had lost income for the period, although it added that “regular commercial operations are now fully restored”.

The company is setting aside approximately $53 million after tax in the first half “for costs associated with the cyber incident”.

It suggested that this included about $7 million in costs already incurred, and an additional $46 million after tax for other remediation costs.

The provision, however, did not cover “the potential for regulatory fines, class actions, future system enhancements or an assumption of insurance proceeds,” Latitude Financial said, meaning the total cost of the incident is still unknown.

The company forecast statutory losses for both the half-year and full-year, and said it was “unlikely” to declare a dividend for the six months to June 30.

The attack led to the breach of some 14 million records containing personally identifiable information. Latitude said it is continuing to support impacted customers, both current and former.

The company said the incident remained under federal police investigation.

It said it is also cooperating with a joint privacy investigation by Australian and New Zealand authorities, and warned that “extensive further enquiries from regulators are expected over the coming months.”

The company’s share price was down 6.56 percent at the time of publication.
Pizza Hut hacked, customer data and orders taken
https://cyberforte.com.au/pizza-hut-hacked-customer-data-and-orders-taken/
Mon, 25 Sep 2023 04:31:43 +0000

Hackers claim to have stolen personal data from Pizza Hut customers in a cyberattack they say also netted them information on 30 million orders for Margheritas, Hawaiians and Meat Lover’s products.

The number of Australians who had personal information taken is substantially smaller than the order information claimed: the hacker’s unverified claim was of obtaining data on 1 million people; Pizza Hut said 193,000 were affected.

Pizza Hut Australia boss Phil Reed has reassured customers the chain is still operating normally. Oscar Coleman

A hacking group called ShinyHunters claimed responsibility for the breach earlier this month, via the anonymous industry site Data Breaches. The group demanded a $US300,000 ($464,000) ransom, the site reported. Pizza Hut confirmed the intrusion in an email to customers on Wednesday.

The chain’s Australian chief executive, Phil Reed, apologised to customers for “any concern that this incident may have caused”.

Investigations by the company to date had confirmed the exposed information included customer names, delivery addresses, emails, phone numbers and “unusable masked credit card data”.

He said that “only a small proportion of customers on our database” had their information taken, and that the chain, which was recently purchased by the US food giant Flynn Restaurant Group from its previous private equity owners Allegro Funds, had informed the Office of the Australian Information Commissioner.

A Pizza Hut spokeswoman said there was no evidence to suggest the misuse of any customer information.

“It is also worth noting that Pizza Hut Australia does not collect any government identity documents or sensitive information and secures all account user passwords with strong one-way encryption,” she said.

Hacking groups sometimes overstate the extent of their attacks to generate fear in their targets, but it is also common for the size of a breach to grow as investigations proceed.

Many Australians’ personal data has already been exposed online as part of the massive Medibank, Latitude Financial and Optus hacks, which included much more sensitive information than the Pizza Hut breach.

The federal government’s official advice for companies is to not pay ransoms, on the basis that paying encourages further hacking attempts.

The government is working on a new cybersecurity strategy that is due to be released later this year. Cybersecurity Minister Clare O’Neil has said she wants Australia to be among the most digitally secure countries by the end of the decade, pledging to work with its partners in the Quad grouping of countries to create incentives for safer software.