Welcome to the tenth edition of our quarterly Digital Governance, Cyber and Privacy newsletter.

Since our last update, there have been a number of developments in the regulatory space, with the long awaited changes to the first tranche of the Privacy Act being unveiled. This coupled with the Digital ID Act, the AI Safety Standards and the yet to be revealed Cyber Security Bill will see a substantial shift in the digital governance landscape in the coming 12 - 18 months.

We will continue to keep you updated with changes which may impact you and your business.

Until then, here is your roundup of relevant news from around the world:

Australia is the no.10 most targeted country for phishing attacks

Zscaler has released its Zscaler ThreatLabz 2024 Phishing Report. Australia ranks second in the Asia-Pacific and Japan region, with 29,427,987 attacks, behind only India. Over 12 per cent of all attacks in the region target Australians or Australian entities. At the heart of many of the attacks is AI-generated content, contributing in part to a 60 per cent increase in phishing attacks globally.

Medibank faces civil penalties case

Australia’s privacy watchdog the OAIC has filed proceedings in the Federal Court against Medibank Private for failing to protect the medical details of 9.7 million Australians; with the potential penalty being up to AU$21.5 trillion.

Singtel Optus Pty Ltd v Robertson - [2024] FCAFC 58

In November 2023, we published an article on the Federal Court's decision on whether the forensic IT report prepared for Optus during its cyber attack was subject to legal professional privilege (LPP). Optus was not successful, and launched an appeal. The appeal was rejected, and the report was found to not be covered by LPP.

In dismissing Optus’ application, the Court found there was no error at first instance where the primary judge held Optus failed to discharge its onus in establishing LPP. Specifically, Optus failed to establish that the dominant purpose in obtaining the report was for legal advice or use in litigation, rather than litigation being one of a number of purposes.

Digital ID Act enacted

In May 2024, Parliament passed the Digital ID Bill 2024 and Digital ID (Transitional and Consequential Provisions) Bill 2024. The Act is anticipated to commence on 1 December 2024, seeks to create an economy-wide Digital ID system, increasing privacy and security safeguards.

APT40 tracked

The Australian Signals Directorate (ASD) has worked with its partner agencies from the Five Eyes - Britain, USA, New Zealand and Canada - to track the group APT40. ASD says that APT40 "uses compromised devices, including small-office/home-office (SOHO) devices, to launch attacks that blend in with legitimate traffic, challenging network defenders."

Directions under the Protective Security Policy Framework (PSPF)

Three further directions have been issued under the PSPF. The most recent direction 003-2024 "requires Australian Government entities using threat intelligence sharing platforms to share cyber threat information with the Australian Signals Directorate." Other directions include restricting the use of Tik Tok on government devices.

ACMA claims Optus cyber attack could have been prevented

The ACMA has commenced proceedings against Optus in the Federal Court for failing to properly protect its customers information, claiming that Optus' failure was due to a coding error which it did not detect during (and for four years prior to) the cyber attack.

Fix NHS gaps or face more attacks - ex cyber chief

A leading cybersecurity expert has warned that the NHS remains vulnerable to further cyber-attacks unless it updates its computer systems. This stark assessment comes in the wake of a major ransomware attack that has severely disrupted healthcare services across London. The Russian-based hacking group Qilin, believed to be part of a Kremlin-protected cyber army, demanded a £40m ransom. When the NHS refused to pay, the group published stolen data on the dark web.

Reform UK warns members over Nigel Farage online scam

Reform UK has sent out a warning over a recent scam that has encouraged party supporters to donate to become a 'VIP Member'. Individuals who have been contacted by the account are encouraged to report the activity to the police.

Google violated anti-trust laws

On 5 August 2024, Google was found liable for violating s2 of the Sherman Act in the anti-trust case United States v Google LLC which focused on the agreement between Google and Apple and Mozilla, for Google to be the default search engine on devices such as iPhones

Nissan data breach exposed Social Security numbers of thousands of employees

In May 2024, Nissan disclosed that the data breach suffered in November 2023 exposed the Social Security numbers of thousands of former and current employees. The threat actor attacked the companies virtual private network and demanded a ransom sum.

Romance scams cost consumers $1.14 billion last year

According to the Federal Trade Commission, median losses per person amounted to $2,000, the highest reported losses for any form of imposter scam. 

White House report on USA cybersecurity posture

In a report issued by the White House, the 4 key trends said to have emerged in a retrospective of 2023, were evolving risks to critical infrastructure, ransomware as a persistent threat, supply chain exploitation and commercial spyware. 

Cyber Command

The US Cyber Command has indicated a plan to integrate AI into military cyber operations.

Europe's digital identity wallet framework entered into force

On 20 May 2024, the EY established its European Digital Identify Framework which requires member states to offer at least one EU digital identify wallet to all citizens and residents by 2026. The EU Commission has invested €46million so that the digital wallet can be used by citizens to identify themselves to public and private online services as well as store, present and share digital documents. 

Staff documents stolen in EU Parliament data breach

Identity cards, passports, excerpts of criminal records, and work experience documents were among the personal data of European Parliament employees compromised in a data breach of a HR tool.

Europe’s cybersecurity chief says disruptive attacks have doubled in 2024

Disruptive digital attacks, many linked to Russian-backed groups, have doubled in the European Union in recent months and are also targeting election-related services, according to the EU’s top cybersecurity official. Juhan Lepassaar, head of the European Union Agency for Cybersecurity said that attack methods — while not always successful — were often tried in Ukraine before being expanded to other EU countries.

Biometric data at airports

Air Canada launched a pilot program in 2023 that allows select passengers flying out of Vancouver to board a flight without showing their passport using facial recognition. While airlines and airports say facial recognition can make air travel more efficient and seamless, privacy advocates argue the use of biometric data is fraught and open to abuse. 

Data Protection Board Opinion 11/2024 on the use of facial recognition on airport passengers

The European Data Protection Board has ruled that the use of facial recognition to streamline air travel only complies with Europe’s data protection regulation in certain circumstances. To be compatible with the regulation, the data must be passenger controlled rather than in the hands of the airport operator, or the cloud. 

We hope that you have enjoyed reading this roundup.

If you would like more information on any of these issues, please contact our team.

Until next quarter.