BreachExchange mailing list archives

Pacnet security breach could spur interest from a number of Asian privacy watchdogs, says expert

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 22 May 2015 14:49:54 -0600

http://www.out-law.com/en/articles/2015/may/pacnet-security-breach-could-spur-interest-from-a-number-of-asian-privacy-watchdogs-says-expert/

Telstra, the Australia-based telecoms giant and owner of Pacnet, has
reported that a hacker gained unauthorised access to Pacnet's "corporate IT
network" after using malicious software to exploit a weakness in the
company's IT security. The breach "ultimately led to the theft of admin and
user credentials," Telstra's chief information security officer Mike Burgess
said in a statement.

Hong Kong-based technology law expert Peter Bullock of Pinsent Masons, the
law firm behind Out-Law.com, said there had been a "significant delay" in
the publicising of the breach.

Telstra said it only became aware of the breach "shortly after" completing
its takeover of Pacnet in mid-April. It said it took "immediate action to
investigate and respond to the breach". However, despite conducting a
"detailed assessment of Pacnet’s network security and engaging an expert
external incident response team to assist with our monitoring and
protective measures", Telstra said it is unsure about who carried out the
attack. It said, though, that the company has "removed all known malicious
software and put in place additional monitoring and incident response
capabilities" following the breach.

"There clearly has been a significant delay in Pacnet and Telstra
publicising the breach in this instance," Bullock said. "Ideally, some form
of statement should be issued within 48 to 96 hours of a data breach,
although this will depend on the complexity of the incident companies
falling victim to data breaches have to deal with. The fact that Pacnet and
Telstra were finalising a corporate transaction between themselves in part
explains, but does not excuse, the apparent delay in this case."

Bullock said that the office of Hong Kong's privacy commissioner (PCO) has
established a code of practice which "encourages data users and controllers
to report data breaches to both the PCO and the affected data subjects
timeously". However, data breach notification in Hong Kong is not a legal
requirement and there is "currently no legal sanction specifically for
failing to notify a data breach", he said.

Bullock said, though, that the PCO has some enforcement powers available to
it when data breach incidents affecting Hong Kong citizens come into the
public domain.

"Once publicised, if a breach has resulted from an earlier lapse in
compliance with a data privacy principle – and one such principle is that
personal data is kept secure – then enforcement notices will swiftly
follow," Bullock said. "If data exposed in a breach is not personal data
then this takes it out of the jurisdiction of the privacy commissioner, and
private law remedies only would be brought into play."

Bullock said that other data protection authorities elsewhere in the Asia
Pacific region could show interest in the Pacnet data breach if the hacker
gained access to personal data in the attack.

"An area of great interest, and complexity, is which national laws are
brought into play following a data breach," Bullock said. "A jurisdiction
is legally relevant if the data was collected in that jurisdiction; a data
subject suffered loss in that jurisdiction; or conceivably if the data was
wrongfully processed in that jurisdiction. Given the nature of Pacnet’s
business is, in part, providing cloud computing services, the prospect of
very widely distributed loss of data would appear to be a possibility in
this case."

Bryan Tan, expert in data protection law at Pinsent Masons MPillay, the
Singapore joint law venture partner of Pinsent Masons, said that
Singapore's Personal Data Protection Commission (PDPC) indicated in recent
guidelines that companies that fail to inform it that they have experienced
a data breach are more likely to be considered to have failed to adequately
protect the security of that data under Singapore's data protection regime.

The PDPC's guidelines said: "Notifications made by organisations or the
lack of notification, as well as whether organisations have adequate
recovery procedures in place, will affect PDPC’s decision on whether an
organisation has reasonably protected the personal data under its control
or possession."

Tan said there is a question over whether the PDPC would apply those to
data breach incidents that occurred prior to the guidelines being issued.
He said it is also unclear "how they apply to organisations which are also
regulated by an industry regulator".

Mike Burgess of Telstra said that Pacnet's systems are kept separate from
Telstra's and that there had been "no evidence" of a hacker gaining
unauthorised access to Telstra’s networks.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 