2Sep 08

Australian security: the lucky country

Posted by Liam Tung @ 12:14 7 comments

Does anyone seriously believe that Australian businesses and government agencies manage security any better than the US or UK?

Apparently the people that influence Australia's privacy laws do, which is why the government has given itself four years, or until 2012, to start reviewing the Australian Law Reform Commission's recommendation to include "mandatory" data breach notification measures in Australia's Privacy Act.

In the meantime Australians will have to settle for softer initiatives, like the Office of the Privacy Commissioner's (OPC) Privacy Awareness Week, which recognises "good" privacy practices by organisations, but doesn't ferret out bad security and privacy practices.

In this state of affairs, if Australian Customs were to suffer a breach where people disguised as EDS staff stole two mainframes from its high security centre, which also contained sensitive details about you, Customs won't tell you.

Until 2012 we can celebrate privacy while the US clocks up another two billion data breach notifications — the number of notices issued to its citizens since 2002, Microsoft's chief privacy officer Peter Cullen tells me.

The first areas of the Privacy Act the government has promised to tackle are health information and privacy, which is sensible since health costs impact the public purse more than anyone's right to know when your personal information is exposed.

Data security and its relationship to privacy has been put on the back burner due to one fact: no one, not the ALRC, not politicians, not the Privacy Commissioner, and especially not the public, have the foggiest idea about the extent to which data breaches have affected Australians.

We could be lucky, or perhaps have supreme intellects, which has helped Australia avoid HMRC-style mass breaches that exposed 25 million UK citizens' personal records. The Australian Taxation Office at least recognised the reality of the risk. The HMRC breach inspired a security review that found overall good practices, but significant security holes which could result in a data breach.

This was quite rare indeed. According to a recent survey by analyst firm Intelligent Business Research Services of 99 local IT managers — half came from organisations with more than 1,000 staff — many organisations could haemorrhage data without realising it, just like TJX. Asked "How would you know if an unauthorised person were to access sensitive data?", 45 per cent agreed "It's possible we would not know if this occurred".

So that's the situation. The politicians don't know, organisations that hold your information don't know and the pubic doesn't know. If ignorance is bliss, then who the bloody hell am I to question Australia as being the lucky country?

She will, as we say, be right.

Talkback 7 comments

Privacy laws without teeth Carl Terrantroy -- 02/09/08

Hi Liam i could not agree more with you on this. The public really has no idea what a mess we could easily be in. Having worked in IT and Security for 20 years i have seen first hand on a number of occasions how bad some of our leading organisations are when it comes to data privacy. Encryption of backups when still using tapes i find is almost non existent. Another area i have seen where significant threats exists is around development systems. These systems need to use real data but a lot of orgs dont hash / scramble this data. And even worse dont apply significant security to the data once it leaves the production systems.

PCI is another area that is also struggling for acceptance in organisations. Its hard to understand the softly approach to data disclosure by all forms of government in Australia especially since the CASB1386 Bill was so applauded in the US.

Well i am sure laptops are been stolen as we speak from cars, smart phones are been left on taxi seats and DVD's are been lost. All with our personal information on them.

maintain the rage James -- 03/09/08

Keep the spotlight on this issue Liam, our privacy is inextricably linked to the accountability of the organisations which handle our personal information. "Sunlight is the best disinfectant" (Louis Brandeis).

ARC-QUT Project: "A New Legal Framework for Identifying and Reporting Australian Professor Bill Lane -- 03/09/08

This project is investigating data security breaches in Australia. Key issues arising from the operation of the different US legal models for data security breach reporting are being examined, having regard to the legal, social and corporate situation in Australia and the ALRC recommendation.

Here Here! Anonymous -- 03/09/08

Australian Politicians and the ALRC are spineless wimps with their heads deeply entrenched in the sand. Identity theft is the fastest growing crime in the world, and to believe that companies would voluntarily admit to data beaches of their customer data is just silly. Keep up the fight - you're not alone. Only until companies are held directly accountable will they focus any time or money on protecting data that directly affects each and every one of us.

National Security and Identity Theft Brian Wyborne-Huntley Esq N.A.I.S. -- 03/09/08 (in reply to #320111200)

I would not go as far as suggesting that they are spineless wimps.
However I would fully agree that it is the fastest growing crime in the world.
With a the loss of "Billions of Dollars".
It must be rembered that first and foremost it is the government departments that are supposed to play the leading role in the security of the nation and it's people, it is paramount that they are seen playing an active role in securing the identity of the data bases and the access to such data under their control, in order to ensure that national security is not compromised.
It is they who are the keeper of, the keeper of the keys.
As there are over 150,000 dead people, "still active" on the medicare data-base then medicare know who they are, their names etc. so they do have the power to de-comission the data.
If an Australian leaves contry for a fixed-period then that persons Identity should be de-activated until their return.
Producing Substantial Identity to re-enter.
Obviously the system is not infallable. as non is.
There will allways be room for improvement.

Known unknowns Big Galoot -- 04/09/08

Great article, Liam.

As to the question - how well our government & businesses manage our private information, there is really only one definitive answer:

"As we know,
There are known knowns.
There are things we know we know.
We also know
There are known unknowns.
That is to say
We know there are some things
We do not know.
But there are also unknown unknowns,
The ones we don't know
We don't know."

-Don Rumsfeld

Lax internal protocols Anonymous -- 24/09/08

Protocols around external (customer) identifty management and subsequent access are quite tight.

Where I see significant challenge and risk is with internal identity management - employees. It is farcial and quite frightenting how lax many organisations are in failing to adequately validate and determine the identity of their employees before issuing passwords and granting access to data.

The issue is not just one of a disgruntled employee or ex employee gaining access but one of employee identity theft and practicies to mitigate that leaves the security door wide open...This will be costly in the future, for us consumers and customers but alt also for the company that is breached..

Liam Tung

Journalist

1) Apple iPhone 3GS 32GB	35 plans	6%
2) Apple iPhone 3GS 16GB	35 plans	1%
3) Apple iPhone 8GB	41 plans	5%
4) Blackberry Curve 8520	6 plans	1%
5) Sony Ericsson Satio	12 plans	1%

1) Apple mobile phones	12%
2) Sony Ericsson mobile phones	1%
3) Nokia mobile phones	7%
4) Blackberry mobile phones	1%
5) Samsung mobile phones	5%

Securify This! by Liam Tung

Australian security: the lucky country

Talkback 7 comments