BreachExchange mailing list archives

Australia to Impose Penalties on Firms 'Lacking Data Security'


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Jul 2014 19:28:00 -0600

http://au.ibtimes.com/articles/557580/20140701/australia-data-security-verizon-privacy.htm#.U7LXaZRX-uY

Australia will be setting tougher measures for all violators of data
protection, especially those related to personal data security.

Privacy Commissioner Timothy Pilgrim has announced he will take a serious
view of any business failing to protect personal data. For stringent
actions, he is now armed with the legal teeth of the privacy law effective
March 2014 to punish the offenders.

Data Breach

The security issues took a serious turn after the data breach in 2013 at
the Australian dating site of Cupid Media Pty Ltd. That opened the can of
worms on data security.

Pilgrim publicly said Cupid's information security practices were assessed
against the provisions of the new Privacy Act now in force.

Cupid's story is one of unpatched vulnerabilities and the compromise of a
customer database, with personal data stolen and made public. The names,
dates of birth, email addresses and passwords of more than 2,000,000 active
Australian customers were exposed.

Password Encryption

The commissioner observed that password protection strategies were already
available to all firms. They include safeguards such as hashing and
salting, which Cupid could have used to prevent unauthorized access to
user accounts. There was an abject failure to take simple and effective
steps and to abide by the reasonable security steps required by the privacy
law.
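As an added illustration, not taken from the article or from Cupid Media, of the hashing-and-salting safeguards the commissioner refers to, this Python example contrasts a single fast unsalted hash with per-user salted PBKDF2 and constant-time verification; the iteration count and the record format are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it as hardware allows).
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password):
    """The weak scheme: one fast, unsalted hash. Every user who picks the
    same password gets the same digest, so one cracked entry (or a
    precomputed table) exposes all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt>$<digest>' suitable for storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${ITERATIONS}${b64(salt)}${b64(digest)}"


def verify_password(password, record):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    alg, iterations, salt_b64, digest_b64 = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two customers who chose the same password.
    pw = "summer2013"
    print("unsalted digests identical:", unsalted_hash(pw) == unsalted_hash(pw))  # True
    r1, r2 = hash_password(pw), hash_password(pw)
    print("salted records differ:", r1 != r2)                  # True
    print("verify correct password:", verify_password(pw, r1))  # True
    print("verify wrong password:", verify_password("summer2014", r1))  # False
```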

Penalty

Had Cupid's data breach occurred after March 12, the day Australia's privacy
law came into force, the privacy commissioner would have had the teeth to
impose heavy financial penalties on the offending firm. Although Cupid
escaped the penalty, the commissioner asked the company to follow a
collaborative approach by working with the Office of the Australian
Information Commissioner to avoid a recurrence of such incidents.

Timely Reminder

The incident was a timely reminder that personal data is far more
explosive than financial data. Pilgrim's serious warning is a reminder that
the non-technical managers of online businesses will have to stay alert and
be proactive with their technical staff.

Verizon Remedy Initiative

With data breaches making news, the Verizon 2014 Data Breach Investigations
Report finds that two-thirds of breaches involve lost or stolen user
credentials. Businesses can offset the risk by using a single credential
for both the physical and virtual worlds. Verizon will shortly be offering a
new service called Smart Credential, usable as a single trusted identity
to connect the online and physical worlds.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
