Privacy commissioner Timothy Pilgrim has issued a direct warning
to business and government agencies that they must take steps to
protect citizens' personal information from the most recently
discovered computer bug or risk breaching the Privacy Act.
The bug – dubbed Shellshock – was found in the
Bourne Again SHell (Bash). It is a security hole that could be used
by hackers to access or manipulate the data held in vulnerable
systems. Bash is a widely deployed command shell, relied on by
many applications developed for Linux, some Unix and
potentially Apple computers.
Under Australian Privacy Principles, organisations must take
reasonable steps to protect the information they hold from misuse
and loss and from unauthorised access, modification or disclosure.
Last year, the Australian Privacy Commissioner found AAPT Limited
breached the Privacy Act for failing to adequately protect customer
data from unauthorised access after customer data held on servers
hosted by IT contractor Melbourne IT was hacked and published.
The traditional response to a computer bug that might render
organisations' information systems vulnerable is that the
tech-guys start billing overtime as they plug holes and patch
software. But this time around the Privacy Commissioner has weighed
into the debate, signalling to senior executives that they can't
abdicate responsibility to their tech teams.
Commissioner Pilgrim issued an alert within days of Shellshock
being identified that reminded all organisations of their
obligations under the Privacy Act 1988. These obligations
include "regularly monitoring the operation and effectiveness of ICT
security measures to ensure they remain responsive to changing
threats, vulnerabilities and other issues that may impact the
security of personal information. Where a vulnerability has been
identified, patches and software upgrades should be rolled out as
soon as possible," he noted, advising companies also to keep a
close eye on the recommendations from CERT Australia, the
nation's computer emergency response team.
However, at the time of writing, not all the Shellshock patches have
proved entirely successful and some organisations are still
vulnerable. Even if watertight patches are developed for
Shellshock, there will be other bugs and new vulnerabilities
uncovered in the future.
At the same time targeted and malicious attacks on enterprise
computer systems are becoming more widespread.
Organisations are still getting over the Heartbleed bug first
disclosed in April 2014, which allowed hackers to hijack passwords
and access what had been considered secure records.
In September hundreds of small businesses around Australia
ground to a halt when unsuspecting employees clicked on links in
emails that appeared to have come from legitimate sources, such as
Australia Post. The links contained malware, which then effectively
locked up computer systems and sent a demand for ransom in return
for restored access.
A bogus email, purporting to have emanated from Apple, then did
the rounds, suggesting that an account had been suspended and
inviting users to click on a link that launched a virus onto their
system. Similar suspect emails supposedly from banks are a daily
hazard for the unwary.
Meanwhile a concerted attack by hackers recently saw them hijack
misconfigured computers in New Zealand to launch a distributed
denial of service attack on a range of organisations across Europe,
bringing some organisations to their knees.
Most modern enterprises are reliant on their information systems
to conduct day-to-day operations. They also face rising compliance
burdens from a variety of regulators regarding the integrity of
those information systems, particularly regarding data privacy and
Not surprisingly, computer security is now a boardroom issue for
enterprises of all sizes in all sectors.
A recent Fortinet global survey of 1,600 IT leaders found that
two thirds rated senior executives' awareness of IT security as
"high" or "very high", compared to just 40 per
cent a year earlier. Data privacy was identified as a particular
concern, with 83 per cent of IT leaders saying they planned to
revise their approach to data protection as a result.
There is also mounting evidence that information security fears
are starting to stifle corporate innovation. The Fortinet survey
also discovered that 55 per cent of organisations had abandoned or
delayed at least one new business initiative because of IT security
But as Timothy Pilgrim reminded Australian organisations, this
issue demands eternal vigilance, high levels of technology scrutiny
and investment, and ongoing training and awareness campaigns to
ensure all staff are aware of the risks and consequences of data
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.