Author Topic: eevBLAB #52 - My Personal Data STOLEN from the Government!  (Read 11938 times)


Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37728
  • Country: au
    • EEVblog
eevBLAB #52 - My Personal Data STOLEN from the Government!
« on: September 19, 2018, 12:55:53 am »
All my personal data was STOLEN from the Western Australian Government's Perth Mint thanks to a third party data breach.
Obvious serious identity theft implications for customers as a result.


 

Offline WN1X

  • Supporter
  • ****
  • Posts: 79
  • Country: us
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #1 on: September 19, 2018, 01:02:19 am »
So how are they going to help you out if/when someone actually uses the stolen info to steal your identity and mess up your life for many years to come? Sounds like a nasty lawsuit in the works.
- Jim
 

Offline Muttley Snickers

  • Supporter
  • ****
  • Posts: 2340
  • Country: au
  • Cursed: 679 times
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #2 on: September 19, 2018, 01:11:12 am »
How do we even know you are the real Dave? You could have somehow used his private information to access his login and password details, leaving all of us at the mercy of some unscrupulous fiend whose agenda is to cause mayhem and havoc about the place.   :o ::) 
 

Offline ttelectronic

  • Contributor
  • Posts: 43
  • Country: ca
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #3 on: September 19, 2018, 01:50:52 am »
A few things bother me, and it's the same anywhere. Why the F does anyone get away with not answering a single question, and why the hell aren't journalists asking the questions? This bullshit about security and not mentioning where the data was stolen from. It's OUR data, yet they won't even let us know who should be held accountable. WTF.....  :horse:
 

Offline TERRA Operative

  • Super Contributor
  • ***
  • Posts: 2911
  • Country: jp
  • Voider of warranties
    • Near Far Media Youtube
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #4 on: September 19, 2018, 02:10:15 am »
Quote
...leaving all of us at the mercy of some unscrupulous fiend whose agenda is to cause mayhem and havoc about the place.   :o ::) 

So, business as usual then? :D  :-DD
Where does all this test equipment keep coming from?!?

https://www.youtube.com/NearFarMedia/
 

Offline Scottjd

  • Frequent Contributor
  • **
  • Posts: 436
  • Country: us
    • YouTube Gadget Reveiws
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #5 on: September 19, 2018, 04:30:55 am »
No point in trying anymore. Oh, my info was stolen, so I get 1 year of free credit monitoring. Like the hackers won't hold onto the info for 5 years before selling it or using it, really? Then again, I had 6 years of free credit monitoring because at one point 6 different companies were compromised one year after another. At this point just give up... unless you change the info used for verifying who you are, like buying a different car, moving to another house, changing all credit cards; then in 5 years the info would be outed to be used for creating ID theft. Since banks ask about what car you recently bought, the balance estimate on a credit card (I don't keep balances so that's pointless) and current and past addresses for verification, you would need to change all of these things every time your info is stolen, and that's not possible to do every year. Then let's make it easier for them by making the home you bought public information; that needs to stop also. I give up at this point. It would be easier for me to create a new fake identity and start over than to try and prevent ID theft with how many times my information has been stolen. It's not a question of if it will happen anymore, but when it will happen these days.
And others on social media just give away info for free, making it even easier, wow.

Interesting fact: if the data compromised is encrypted, then some companies don't even need to let you know your information was stolen. So for every time you're notified, 5 other companies probably didn't tell you. With how fast computers are getting with clustered networked systems, it will only take a few years to break some encryption. Or maybe the encryption is already compromised also, but you don't know about it, so you don't know what encryption was even used.
Then you have some governments (US) requiring companies to follow certain regulations to protect customer information, and they turn around and let the IRS server get hacked that is NOT encrypted, a decade after they made other companies encrypt their data. Can we say two-faced?
Please be sure to check out my YouTube channel and subscribe if you like the videos. https://www.youtube.com/c/GadgetReviewVideos

By people subscribing and giving thumbs up I know what I am doing is still wanted and adding value, then will continue to release new videos. Thank you for your support.
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #6 on: September 19, 2018, 05:07:23 am »
Give a hint as to the "third party"; nobody ever got fired for using them. Now your info was in a database that was viewable by anybody with the right credentials. Password was "Password", and this was on a post-it note on the notice board of an outsourced company, in the public lobby...... So the staff of the day could "Do the Needful".
 

Offline Chupacabras

  • Regular Contributor
  • *
  • Posts: 64
  • Country: sk
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #7 on: September 19, 2018, 07:01:39 am »
Good news is:
1) they discovered the breach
2) they notified the public

Yes, they made many "mistakes", but I bet there are many other organizations and many breaches they even didn't notice.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37728
  • Country: au
    • EEVblog
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #8 on: September 19, 2018, 08:04:03 am »
LOL! Comments disabled!

 

Offline Decoman

  • Regular Contributor
  • *
  • Posts: 161
  • Country: no
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #9 on: September 19, 2018, 09:58:26 am »
I am reminded of something I vaguely remember having read about in my local news, many years ago. Something about how a record with the personal numbers (11-digit number afaik) of every citizen in Norway was lost on a CD that was misplaced, and presumed lost in a public place. I don't think I am remembering this wrong, but it's been so long and I don't have any copy of this.

Presumably, and I am speculating, it is all too easy for me to assume that one way to circumvent local laws regarding privacy and data protection is to simply circumvent the presumably very narrow legal language and whitewash the illegal sharing of such data by simply handing it over to other countries' governments. Something similar could be done for monitoring traffic, by simply routing local data traffic over another country, thus allowing country B to monitor the local traffic in country A. Sweden is known for having laws that warrant internet traffic monitoring. "FRA" law iirc, or maybe it's just a military institution, unsure. And I think I've learned that the internet doesn't send data over the shortest connection based on geography; data might really go places before ending up at its final destination.

Btw, speaking of money, I remember a couple of times I had made a small donation (some 10 USD) with my Visa card, and then the bank froze my bank account, which seems like an overreaction. I interpreted it as an act of intimidation simply because of who the money was supposed to go to (nothing criminal or violent or bad), and the bank said they did it because they didn't know who the money went to (the money went to a foundation). I suppose I should be glad if my bank puts a stop to mysterious bank transactions, but it seems to me that it is about control more than providing security. Presumably, banks can/will be held accountable should money go places where other people don't want it to go; I guess that is sort of ok (if fraud is involved), but I don't know, I basically want to decide for myself where my money goes.

I like donating money on the internet, because if everybody chips in, things get done. However, I am also conscious that this activity might as well be considered very limited, as it won't solve the world's poverty problems (not my donation activity anyway, I would think, as I have limited money anyway), and also that I am not willing to donate too much either. Either way, I don't donate to feel better about myself, but to, well, help out when I feel it is ok.
« Last Edit: September 19, 2018, 10:23:34 am by Decoman »
 


Offline Raj

  • Frequent Contributor
  • **
  • Posts: 694
  • Country: in
  • Self taught, experimenter, noob(ish)
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #11 on: September 19, 2018, 12:51:16 pm »
You haven't seen the worst yet.
The Aadhaar system in India is way worse. After all, you can't replace your eyes and fingerprints. F#($) Governments. |O
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #12 on: September 19, 2018, 12:54:10 pm »
As a victim of one official data breach (LinkedIn) I've experienced only more SPAM and additional verification measures when logging in on some shopping websites from time to time. The latter is caused by some crooks trying to use the data from the breach for free shopping. This is one of the reasons you should have a dedicated password for each account/login. It also tells me that the password was stored in clear text or only secured by a poor hashing algorithm.

There are also unofficial data breaches, mostly when an employee copies customer data for some extra income. I had a subscription to an electronics magazine. One day I received a newsletter from a Dutch audio magazine which is owned by the same publisher. I asked them to remove me from their list and they told me that someone had ticked the wrong box. No drama, things like this happen. But after that some shady marketer started to send me Dutch SPAM and still does. Luckily most of the SPAM is rejected by my MTAs (I run my own mail servers), so it doesn't bother me much. This looks like some employee is selling customer data, doesn't it?
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6904
  • Country: ca
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #13 on: September 19, 2018, 01:05:36 pm »
Article on Amazon employees making extra cash selling insider information, including customer email addresses:

https://www.theverge.com/2018/9/16/17867358/amazon-investigation-employee-seller-bribery-internal-data-deleting-negative-reviews
Facebook-free life and Rigol-free shack.
 

Offline HeywoodFloyd

  • Contributor
  • Posts: 13
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #14 on: September 19, 2018, 01:09:49 pm »
Any idea if the identity theft monitoring is worth the risk/effort/cost?
My data was stolen in the recent British Airways data breach. BA offered me monitoring for 1yr but I note the monitoring company asks for way more information than BA had, and their privacy policy says they share it with third parties and keep it for six years after my account closes. Having monitoring may be a greater risk than not having it  :-//
 

Offline NivagSwerdna

  • Super Contributor
  • ***
  • Posts: 2495
  • Country: gb
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #15 on: September 19, 2018, 01:23:04 pm »
Quote
...I note the monitoring company asks for way more information than BA had, and their privacy policy says they share it with third parties and keep it for six years after my account closes. Having monitoring may be a greater risk than not having it  :-//
I noticed that too... I think I was offered Garlik after a breach but I notice that Garlik is really Experian... funny it keeps asking me for my bank and credit card details...  |O
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #16 on: September 19, 2018, 01:52:32 pm »
Identity theft monitoring is just a placebo to keep the victims calm. It doesn't help when a bank suddenly turns up and asks you to pay for a credit you never signed for, or when a debt collection service demands the money for some expensive toys you never ordered. Those are typical cases of identity theft, and you would have to hire a lawyer to deal with them. I wouldn't accept any cheap monitoring service; I'd demand that the company pays my lawyer for dealing with the real problems and some compensation for the stress and time wasted.
 

Offline vodka

  • Frequent Contributor
  • **
  • Posts: 518
  • Country: es
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #17 on: September 19, 2018, 06:12:47 pm »
Quote
I am reminded of something I vaguely remember having read about in my local news, many years ago. Something about how a record with the personal numbers (11-digit number afaik) of every citizen in Norway was lost on a CD that was misplaced, and presumed lost in a public place. I don't think I am remembering this wrong, but it's been so long and I don't have any copy of this.

Presumably, and I am speculating, it is all too easy for me to assume that one way to circumvent local laws regarding privacy and data protection is to simply circumvent the presumably very narrow legal language and whitewash the illegal sharing of such data by simply handing it over to other countries' governments. Something similar could be done for monitoring traffic, by simply routing local data traffic over another country, thus allowing country B to monitor the local traffic in country A. Sweden is known for having laws that warrant internet traffic monitoring. "FRA" law iirc, or maybe it's just a military institution, unsure. And I think I've learned that the internet doesn't send data over the shortest connection based on geography; data might really go places before ending up at its final destination.

Btw, speaking of money, I remember a couple of times I had made a small donation (some 10 USD) with my Visa card, and then the bank froze my bank account, which seems like an overreaction. I interpreted it as an act of intimidation simply because of who the money was supposed to go to (nothing criminal or violent or bad), and the bank said they did it because they didn't know who the money went to (the money went to a foundation). I suppose I should be glad if my bank puts a stop to mysterious bank transactions, but it seems to me that it is about control more than providing security. Presumably, banks can/will be held accountable should money go places where other people don't want it to go; I guess that is sort of ok (if fraud is involved), but I don't know, I basically want to decide for myself where my money goes.

I like donating money on the internet, because if everybody chips in, things get done. However, I am also conscious that this activity might as well be considered very limited, as it won't solve the world's poverty problems (not my donation activity anyway, I would think, as I have limited money anyway), and also that I am not willing to donate too much either. Either way, I don't donate to feel better about myself, but to, well, help out when I feel it is ok.


Our case is much worse: it is the government itself, specifically the "Generalitat" of Catalonia, that stole our private data in order to hold an illegal referendum.

https://youtu.be/ud-MCpHjTtw

Here is the transcription:
Quote
Santiago Vidal, judge and Spanish Senator for ERC, explaining the State Coup

<They set up 19 chiringuitos with our money>

At the moment, there are 31 areas of action, 19 expert teams working under the coordination of the ex-vice-president of the Supreme Court, Mr Carlos Viver Pi Sunyer, and there are 141 specific measures.

We have areas for Healthcare, Education, Media, Railway Infrastructure, Roads.

<Obfuscated, and with our money>

But there is also a budget line of almost 400M€; I won't tell you which heading in particular, it is in the budget, duly camouflaged, destined for the launch of the referendum and absolutely prepared for

the 19 state structures. We already have all the software, which cost a lot of money.

<Violating our right to privacy>

At the moment, the government of the "Generalitat" of Catalonia has all the tax information. And this serves as the electoral census. And this serves for many things and various other purposes.

Everybody is controlled. All. (1:20)


<Violating the law>

Is this legal? Of course not. Because this is protected by the Spanish data protection law.
I won't tell you how we have achieved it, because we have achieved it in an absolutely illegal way. And a judge can't talk about how things are done illegally.



<They want to force us to give them our own money>
 
A day will come, next year, when you will receive a letter at your home. A letter signed by the "Generalitat" Government that will say:

"I inform you that the next tax deadline is ... and we remind you of your duty to pay (because the law on our own Treasury will already have been adopted, for paying to the Generalitat Treasury Department)"

When a Catalan, like Mr. Bonet of Freixenet, for example, goes to the bank and says: "I come to pay the VAT, corporation tax and income tax, but oops, I am very Spanish.
This money, above all, goes to the Spanish Treasury".

The employee behind the counter has to respond to him: "Look, I'm sorry, but the system doesn't allow me."

<They want to exhaust us>

Will you pay more? Surely yes, in the new Catalonia. You will pay more taxes. In the new state, nobody will escape.

<They are supremacist>

Entrance... when we finish being born as a state, we go from being the 14th; by the way, Spain goes to 21st, I suppose you know that. At the moment we get out, clearly, they go to 21.

From being number 14 to being number 8. You can't deny that it's exciting. Because the intention is to be the Norway or Denmark of the South.

<They take us for idiots>

The big infrastructure corporations, above all German and French, will begin to invest millions and millions of euros.

Catalonia will reduce unemployment from 14.6-14.7% to 11.3%.

If in June-July we go to Baix Llobregat, and everybody is (there are many undecided: "oh, what about my pension, I don't know what..."), you tell them: "Listen" (on paper).

You will receive... How much do you receive now? 641?

You will receive 1,000.

<Plotting with other countries against us>

And these numbers have been validated, and this we couldn't tell you until recently, by 3 international organisations.

The first international organisation: Deutsche Bank. There is a state that is not European, and therefore over which Spain cannot apply any control; besides, the bilateral relations aren't especially good,

who have told us that they will act as our bank.

At this moment, I can tell you that we have the pledged word of 31 states.

<Making the list of the good and the bad>

At this moment, we have already precisely delimited, through very exhaustive fieldwork, how many of these 801 judges will go to their state, that is to say:

Treasury inspectors, attorneys. We know by name and surname who will stay and who will leave.

We will give them a term, they are roughly 300, we will give them a term of 3 months to choose whether they want to stay or leave.

And in the case of those who want to stay, they will have to pass the filters: First filter, they will have to demonstrate, at a minimum, a C level in the Catalan language.

Second filter: they will need a favourable report, we still haven't settled on the exact title, but there will be an Evaluation Commission.
                     We can't have people who will stay here like 5th Columnists.

<They are above the law>   

When they send all their rulings suspending all this, and this will arrive between April/May of next year, we will no longer recognise the Spanish Constitutional Court.

All this that we will do, does it comply with Spanish legality? No, and I believe that it is not necessary to explain why.

<And this nightmare is not the end>

Even if we lose the referendum, if we lose it, we will repeat it.

We know perfectly well who shares the dreams and ideals of the majority, I imagine, of us who are in the room.

We know perfectly well, for your peace of mind, which person, absolutely trained at a legal level, honest, hard-working, will occupy the place of each of these civil servants who will leave.

<Ideological purges prepared>

For those civil servants who want to stay in the new state, while it may appear redundant, the first requirement is a firm and serious commitment to the values, principles and legality of the new state.

 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 966
  • Country: fi
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #18 on: September 19, 2018, 07:46:17 pm »
"Perth Mint did not identify the third-party IT provider that hosted the breached database. But over the past couple of years, the mint has sought to revamp its IT infrastructure, which involved moving from in-house ICT support to a managed service, CRN reported in March 2017.

After a tendering process, the mint selected Silverfern IT of Perth."
https://www.bankinfosecurity.com/perth-mint-says-3200-customers-affected-by-data-breach-a-11521
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #19 on: September 19, 2018, 08:01:24 pm »
Can you twist their arm with a court order or similar to answer your really valid questions?

Alexander.
Become a realist, stay a dreamer.

 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6349
  • Country: ca
  • Non-expert
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #20 on: September 19, 2018, 08:18:07 pm »
Seems there is some physical hacking going on too!

http://www.abc.net.au/news/2018-08-03/man-hid-stolen-perth-mint-gold-coins-in-computer-hard-drive/10070998

Interesting because that happened in 2016 when the database is supposedly from: "Joseph Charles Viola, 29, pleaded guilty in the District Court to six charges of stealing the items, worth a total of $55,000 and including a limited edition Kimberley sunrise coin, between February and April 2016."

But that doesn't match up with the other information given, so probably was not him.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline HeywoodFloyd

  • Contributor
  • Posts: 13
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #21 on: September 20, 2018, 08:28:28 am »
Quote
I wouldn't accept any cheap monitoring service, I'd demand that the company pays my lawyer for dealing with the real problems and some compensation for the stress and time wasted.
:clap:
Mind you, you'd need to know which one of your data leaks led to that particular identity theft.
You probably have an account with credit rating agencies that you don't even know about... https://www.bbc.co.uk/news/uk-england-essex-45574163
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #22 on: September 20, 2018, 10:09:18 am »
Quote
Can you twist their arm with a court order or similar to answer your really valid questions?

There's really no point and it's certainly not worth the time, effort and expense of going to court. The best we (the public) can do is refer the matter to the Office of the Australian Information Commissioner. If they determine that the Privacy Act has been breached, they can take action against the entity. But it appears that there is nothing compelling the organisation to answer Dave's questions, as fair as those questions may be.
 

Offline NiHaoMike

  • Super Contributor
  • ***
  • Posts: 9007
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #23 on: September 21, 2018, 04:07:33 am »
Those in the US probably remember the infamous Equifax hacking incident...
Quote
Btw, speaking of money, I remember a couple of times I had made a small donation (some 10 USD) with my Visa card, and then the bank froze my bank account, which seems like an overreaction. I interpreted it as an act of intimidation simply because of who the money was supposed to go to (nothing criminal or violent or bad), and the bank said they did it because they didn't know who the money went to (the money went to a foundation). I suppose I should be glad if my bank puts a stop to mysterious bank transactions, but it seems to me that it is about control more than providing security. Presumably, banks can/will be held accountable should money go places where other people don't want it to go; I guess that is sort of ok (if fraud is involved), but I don't know, I basically want to decide for myself where my money goes.

I like donating money on the internet, because if everybody chips in, things get done. However, I am also conscious that this activity might as well be considered very limited, as it won't solve the world's poverty problems (not my donation activity anyway, I would think, as I have limited money anyway), and also that I am not willing to donate too much either. Either way, I don't donate to feel better about myself, but to, well, help out when I feel it is ok.
I use cryptocurrency for that - maintains my desire to keep "regular money" and "hobby money" separate where practical and it's a lot more fun to build and run a machine that "generates money". Well, more like "collect the transaction fees from other users in exchange for getting their transactions into the blockchain", especially for coins like Swagbucks that recently halved the block reward. (There seem to be lots of clueless users who waste their time on the surveys only to have a significant percentage of their little profit going to the miners, but that helps to keep the mining profits high...) Some of the exchanges don't ask for very much personal information so there's not much to leak in the first place.

That is not to say that cryptocurrency is completely immune to leaking personal data - one time Perk ramped up asking for ID in order to use the exchange services, which was likely a factor in its crash... (I just moved on to mining other coins like many others did and never gave them any personal information.)
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline (*steve*)

  • Regular Contributor
  • *
  • Posts: 50
EEVBLAB 52 - My personal data stolen from the government
« Reply #24 on: September 22, 2018, 03:08:24 am »
I'm employed in an area within the WA Govt which is very aware of data breaches.  It's not the Mint (but I won't say more).

One thing you need to be aware of is that WA Government agencies are not covered under the Privacy Act (1988) (the Act).  This is because of (1) the definition of who is covered by the Act, and (2) because WA has *NO* privacy legislation.  Off the top of my head, I'm not sure if the WA Mint falls under one of the categories which are covered, but they well may not be...  This is something you can check by a call to the Office of the Australian Information Commissioner (OAIC) (email foi@oaic.gov.au) 1300 363 992.

The report by the mint to the OAIC may be a courtesy rather than a requirement.  If it is, the OAIC can't force them to follow the law they're not acting under...

If they are covered by the Act, your best recourse is a complaint to the OAIC because complaints by individuals *can* be handled under the Act.

HOWEVER, if you take the time to read the Act (and yes, I'm someone who has) there are plenty of outs for organisations if they deem your issue falls into the "too hard" basket or (as they've said) would result in a further breach.

If the breach has been reported ONLY by the Mint, then the third party is probably a party that isn't covered by the Act.  This could be a WA State Govt agency (but you can bet they would have been thrown under the bus) or they are situated outside Australia.  The latter would be my best bet.

Given the date of the breach vs the currency of the data, my bet is that the breach occurred in a test system populated with old production data. 

The definition of an eligible data breach in the Act (Section 26WF, pp. 185-186) requires that there is both "unauthorised access to, or unauthorised disclosure of, the information", AND "a reasonable person would conclude that the access or disclosure WOULD [my emphasis] result in serious harm[...]".  Given that, you can draw some conclusions about whether the disclosure was contained (I would guess it wasn't, because containment would mitigate the risk) and, regardless of whether there is "no threat to any account holdings at The Perth Mint", there IS a real risk of "serious harm".  Personally, I would go beyond "real risk". 

Whilst I wouldn't go this far, some have suggested that the Act is designed to shield Australian organisations (not people) from harm resulting from data breaches.  Some evidence in this regard is that one type of organisation exempted from the Act is "political parties".

The OAIC can hold hearings and has some power to compel witnesses, so if you want to have a bit of fun you could agitate to have the OAIC investigate.  Beware that they can also require you to attend and answer questions under oath.  This is not my idea of fun.
« Last Edit: September 22, 2018, 03:41:56 am by (*steve*) »
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #25 on: September 22, 2018, 06:21:46 am »
Quote
One thing you need to be aware of is that WA Government agencies are not covered under the Privacy Act (1988) (the Act).  This is because of (1) the definition of who is covered by the Act, and (2) because WA has *NO* privacy legislation.  Off the top of my head, I'm not sure if the WA Mint falls under one of the categories which are covered, but they well may not be...  This is something you can check by a call to the Office of the Australian Information Commissioner (OAIC) (email foi@oaic.gov.au) 1300 363 992.

I'm sorry but that's just not correct at all. Could you point to some references to support your claim?

The Privacy Act is federal legislation. It trumps any state/territory legislation to the contrary but also co-exists with existing state/territory legislation concerning the collection of personal information. The Privacy Act 1998 applies to all states and territories within Australia. In fact, if you look at the very first paragraph on the OAIC website concerning this, it says:

The Privacy Act 1988 (Privacy Act) regulates how personal information is handled by Australian Government agencies and the Norfolk Island administration, medium-to-large businesses, the not-for-profit sector, the credit reporting industry and health service providers.

The report by WA mint to OAIC was done because that is what is required of them by the act.
 

Offline (*steve*)

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #26 on: September 22, 2018, 07:15:22 am »
Please see the Privacy Act (1988) here https://www.legislation.gov.au/Details/C2014C00076

One of your objections is under section 109 of the Australian Constitution.  This act explicitly deals with inconsistency by generally deferring to State/Territory legislation.  Read section 3:

"It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction or disclosure of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act."

The fact that WA does not have Privacy legislation is important, but not the sole consideration here because many state acts make provision for the "collection, holding, use, correction or disclosure of personal information[...]"

Then section 6C (p36)

Starting with "What is an organisation?", and going through to "that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory."

Then further on page 37, "What is a State or Territory authority?" which lists a huge set of things.  Notably, and as I alluded to in my opening post, certain structures are exempted from this exemption.  6C(3)(c)(i) may apply to the Mint.

There are other methods by which organisations can be prescribed, exempted, or have certain functions exempted, but I doubt those are relevant here.

I think it is quite likely, but not 100% certain that
Quote
The report by WA mint to OAIC was done because that is what is required of them by the act.
Because it's not relevant to what I do, I've not looked to see if organisations exempt from the Act can volunteer to report to the OAIC.

The entire point of this is that *before* you go off complaining that the organisation has not reported completely, you should determine that the organisation is actually covered by the Act.  Once you find that it is, I would recommend you direct your enquiries to the OAIC.  As underfunded as they are, they have the power to actually get an answer, the Act doesn't really give an individual much power to demand anything (because there are so many ways they can fob you off).

« Last Edit: September 22, 2018, 07:16:58 am by (*steve*) »
 

Offline Brumby

  • Supporter
  • ****
  • Posts: 12297
  • Country: au
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #27 on: September 22, 2018, 09:53:30 am »
To me it sounds absurd to claim a Federal act has no power in a state because that state has no similar legislation - because that's what it sounds like you are saying.

While I'm no legal expert, the phrase "is not to affect the operation of a law of a State or of a Territory ... ... and is capable of operating concurrently with this Act." would indicate to me that, if there is no conflict between State law and the Federal privacy act, then they can both be applied to a given situation.  In the case where the state has no such legislation, then the Federal legislation carries full weight.

It's like having a Federal law to not detonate a nuclear bomb - but the state has no such laws.  It doesn't mean you can go to that state and blow shit up with one.
 

Offline (*steve*)

  • Regular Contributor
  • *
  • Posts: 50
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #28 on: September 22, 2018, 02:19:13 pm »
Quote
To me it sounds absurd to claim a Federal act has no power in a state because that state has no similar legislation - because that's what it sounds like you are saying.

I didn't say that.

Quote
While I'm no legal expert

Funnily enough I rely on the advice of those who are.

Quote
It's like having a Federal law to not detonate a nuclear bomb - but the state has no such laws.  It doesn't mean you can go to that state and blow shit up with one.

No, it's like having a federal law that is drafted so as not to override state legislation. 

I'm not going to argue with you.  If you're correct, please inform the Federal AG and the AOIC, the various State Solicitors, and frankly as many other people as you can.  It will save me a hell of a lot of time and effort and let me retire early to my electronics hobby. 

 

Offline Brumby

  • Supporter
  • ****
  • Posts: 12297
  • Country: au
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #29 on: September 22, 2018, 04:11:52 pm »
Seems I've got the wrong end of the stick.  Maybe I'll reread this when my head cold clears.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: EEVBLAB 52 - My personal data stolen from the government
« Reply #30 on: September 22, 2018, 11:23:44 pm »
Please see the Privacy Act (1988) here https://www.legislation.gov.au/Details/C2014C00076

"It is the intention of the Parliament that this Act is not to affect the operation of a law of a State or of a Territory that makes provision with respect to the collection, holding, use, correction or disclosure of personal information (including such a law relating to credit reporting or the use of information held in connection with credit reporting) and is capable of operating concurrently with this Act."

The key words here are "and is capable of operating concurrently with this Act". The above clause in the Privacy Act basically gives each state the ability to create its own laws in addition to the federal Privacy Act (although it seems a little redundant to me). As per Section 109 of the Australian Constitution, if there is a clash between state and federal law, then federal law takes precedence to the extent of the inconsistency.

The fact that WA does not have Privacy legislation is important, but not the sole consideration here because many state acts make provision for the "collection, holding, use, correction or disclosure of personal information[...]"

It really doesn't matter for the purposes of this thread whether Western Australia does or does not have its own laws regarding Privacy or the collection of personal information; this is why the Privacy Act 1988 exists.

Then section 6C (p36)

Starting with "What is an organisation?", and going through to "that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory." Then further on page 37, "What is a State or Territory authority?" which lists a huge set of things.  Notably, and as I alluded to in my opening post, certain structures are exempted from this exemption.  6C(3)(c)(i) may apply to the Mint.

You're looking at the wrong definition. Under Part IIIC (Notification of eligible data breaches), this part refers to "entity", not "organisation". An "entity" is defined as being an agency, organisation or a small business operator. Then, if you look at the definition of "agency", its interpretation is wide. The Western Australia Mint falls under this definition.

There are other methods by which organisations can be prescribed, exempted, or have certain functions exempted, but I doubt those are relevant here.

Correct.

I've not looked to see if organisations exempt from the Act can volunteer to report to the OAIC.

Yes they can but it doesn't apply in this case.

The entire point of this is that *before* you go off complaining that the organisation has not reported completely, you should determine that the organisation is actually covered by the Act.  Once you find that it is, I would recommend you direct your enquiries to the OAIC.  As underfunded as they are, they have the power to actually get an answer, the Act doesn't really give an individual much power to demand anything (because there are so many ways they can fob you off).

I made the comment in another thread that it was possible that WA Mint didn't fully comply with the requirements under the Privacy Act, specifically "the kind or kinds of information concerned". I haven't read the e-mails from WA Mint to Dave so I only made the suggestion based on Dave's comments before the video was uploaded to YouTube. Whilst I've studied law, I'm not an expert in legislation concerning privacy and the like. The wording is open to interpretation and I'm sure the legal experts at WA Mint would have advised correctly. However, not providing a complete list of the various fields/pieces of information that were stored in the database seems a bit dodgy to me.

I don't think anyone expects an organisation to send each and every person affected by a breach a personal letter to explain exactly what of theirs was stolen, but I would expect them to tell everyone what fields were in the database subject to the breach, then it would be up to the individual to determine whether they had provided that data to the organisation.

* I used the word state but consider this to also mean "territory".
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37728
  • Country: au
    • EEVblog
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #31 on: September 22, 2018, 11:48:59 pm »
The Perth Mint have now offered a third party credit monitoring service for 12 months for all those affected.
 

Offline MK14

  • Super Contributor
  • ***
  • Posts: 4527
  • Country: gb
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #32 on: September 23, 2018, 12:14:41 am »
The Perth Mint have now offered a third party credit monitoring service for 12 months for all those affected.

I was offered something similar, when my account details (in the end, I think I was lucky, and my details were safe) were compromised (along with a huge number of others), because of a UK business being hacked. About 2 or 3 years ago.

But I ignored that measly offering, because I was worried it would need my credit card to verify who I am for the "free" 12 month period.
Then after the 12 months, they would charge me for the credit monitoring service and be a real nightmare (pain in the neck) to cancel, needing lots of phone calls and listening to sales talk (which I'm not interested in) from sales reps trying to sell me services I don't want, just for cancelling the "free" service.
« Last Edit: September 23, 2018, 12:18:52 am by MK14 »
 

Offline (*steve*)

  • Regular Contributor
  • *
  • Posts: 50
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #33 on: September 23, 2018, 02:35:43 am »
Quote
It really doesn't matter for the purposes of this thread whether Western Australia does or does not have its own laws regarding Privacy or the collection of personal information; this is why the Privacy Act 1988 exists.

Sigh.  Clearly expertise in electronics elicits a greater working knowledge of the Privacy Act (1988) than a person who has to deal with it, and more than the Federal AG and the OAIC have in administering it.

Please read the datasheet.  You don't even have to read the whole 346 pages. I have provided references to the information created for engineers using this product.  I would encourage you to read and understand that rather than the bullshit marketing fluff.

My last word on this (and then I'll leave you to your misinterpretation based on inaccurate media reporting of detailed technical information):

The Act EXCLUDES state agencies (and a broad range of other groups -- possibly including Dave -- from many/all provisions), and this MAY include the WA Mint.  I'm not saying it is a good thing any more than I would say that "Absolute Maximum" ratings are a good thing, they're just facts.  I have suggested how to find out, and once you have, how to leverage the Act to possibly get answers to your questions.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 7754
  • Country: de
  • A qualified hobbyist ;)
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #34 on: September 23, 2018, 10:52:26 am »
But I ignored that measly offering, because I was worried it would need my credit card to verify who I am for the "free" 12 month period.
Then after the 12 months, they would charge me for the credit monitoring service and be a real nightmare (pain in the neck) to cancel, needing lots of phone calls and listening to sales talk (which I'm not interested in) from sales reps trying to sell me services I don't want, just for cancelling the "free" service.

It's like being robbed twice. >:(
 
The following users thanked this post: MK14

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #35 on: September 23, 2018, 10:22:37 pm »
Quote
It really doesn't matter for the purposes of this thread whether Western Australia does or does not have its own laws regarding Privacy or the collection of personal information; this is why the Privacy Act 1988 exists.

Sigh.  Clearly expertise in electronics elicits a greater working knowledge of the Privacy Act (1988) than a person who has to deal with it, and more than the Federal AG and the OAIC have in administering it.

Please read the datasheet.  You don't even have to read the whole 346 pages. I have provided references to the information created for engineers using this product.  I would encourage you to read and understand that rather than the bullshit marketing fluff.

My last word on this (and then I'll leave you to your misinterpretation based on inaccurate media reporting of detailed technical information):

The Act EXCLUDES state agencies (and a broad range of other groups -- possibly including Dave -- from many/all provisions), and this MAY include the WA Mint.  I'm not saying it is a good thing any more than I would say that "Absolute Maximum" ratings are a good thing, they're just facts.  I have suggested how to find out, and once you have, how to leverage the Act to possibly get answers to your questions.

As I said, I have a very good grasp of law based on my previous employment. My electronics knowledge aside, I think I have a fairly clear understanding on how to interpret legislation. My interpretation has absolutely nothing to do with the media, in fact, I haven't read, seen or heard a single thing about it in mainstream media, mostly because I don't pay that much attention to it.

It seems it's you who is misinterpreting the law in this instance. I get that you're getting advice from others, but I find Chinese whispers never worked too well. As I said, I'm not going to pretend to know the ins and outs of privacy legislation, it's not my area of expertise, but you're still yet to point me to any piece of legislation which excludes the WA Mint from the definitions/clauses I pointed out previously. From what I can see it very much INCLUDES them. On one hand you're sitting on the fence by using words like "may", yet on the other hand you're arguing sections which I literally copied from the Privacy Act. If you're going to assert that I'm wrong, provide some evidence please.
 

Offline CatalinaWOW

  • Super Contributor
  • ***
  • Posts: 5226
  • Country: us
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #36 on: September 23, 2018, 10:32:13 pm »
What is silly about this is that anyone anywhere will loan a significant amount of money based on a single number, an email address and a password.  These data breaches shouldn't really matter.  They are annoying, troubling and all of that, but wouldn't have affected anything in the world of a few decades ago when you couldn't get any kind of credit unless the banker knew you and your employer personally.

We have gained much with the convenience of these remote transactions, but we have lost much too.  Perhaps we should swing the pendulum back the other way a bit and require something closer to the bandwidth involved in the older methods of giving credit.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #37 on: September 23, 2018, 11:03:37 pm »
What is silly about this is that anyone anywhere will loan a significant amount of money based on a single number, an email address and a password.  These data breaches shouldn't really matter.  They are annoying, troubling and all of that, but wouldn't have affected anything in the world of a few decades ago when you couldn't get any kind of credit unless the banker knew you and your employer personally.

We have gained much with the convenience of these remote transactions, but we have lost much too.  Perhaps we should swing the pendulum back the other way a bit and require something closer to the bandwidth involved in the older methods of giving credit.

Most (all?) banks in Australia now use two-factor authentication. Whilst it's not enforced on every account, the banks tend to limit their liability by restricting transfer limits. For example without 2FA, the most I can transfer out of my account is $1000. With 2FA, I can increase that up to $10,000 per day.

But all the security measures in the world won't protect people from themselves. For starters, they need to stop using the same passwords for their various accounts!
 

Offline (*steve*)

  • Regular Contributor
  • *
  • Posts: 50
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #38 on: September 25, 2018, 11:13:28 am »

As I said, I have a very good grasp of law based on my previous employment. My electronics knowledge aside, I think I have a fairly clear understanding on how to interpret legislation. My interpretation has absolutely nothing to do with the media, in fact, I haven't read, seen or heard a single thing about it in mainstream media, mostly because I don't pay that much attention to it.

It seems it's you who is misinterpreting the law in this instance. I get that you're getting advice from others, but I find Chinese whispers never worked too well. As I said, I'm not going to pretend to know the ins and outs of privacy legislation, it's not my area of expertise, but you're still yet to point me to any piece of legislation which excludes the WA Mint from the definitions/clauses I pointed out previously. From what I can see it very much INCLUDES them. On one hand you're sitting on the fence by using words like "may", yet on the other hand you're arguing sections which I literally copied from the Privacy Act. If you're going to assert that I'm wrong, provide some evidence please.

https://www.oaic.gov.au/privacy-law/rights-and-responsibilities

Scroll down to "Who doesn't have responsibilities under the Privacy Act?"

then read this:

The Privacy Act does not cover:
  • State or territory government agencies, including state and territory public hospitals and health care facilities (which are covered under state and territory legislation) except:
    • certain acts and practices related to My Health Records and Individual Healthcare Identifiers
    • entities prescribed by the Privacy Regulation 2013
  • individuals acting in their own capacity, including your neighbours
  • universities, other than private universities and the Australian National University
  • public schools
  • in some circumstances, the handling of employee records by an organisation in relation to current and former employment relationships
  • small business operators, unless an exception applies (see above)
  • media organisations acting in the course of journalism if the organisation is publicly committed to observing published privacy standards
  • registered political parties and political representatives.

This is, of course, not as authoritative as the references to the Act that I have already provided. 

And I am VERY MUCH on the fence as to whether or not the Mint is covered -- you simply assume they are.  I was pointing out that state agencies ARE NOT covered, and IF it includes the Mint, it is a reason why they don't have to do what the ACT says an organisation under the act has to do.  My advice continues that you should (1) find out, and (2) IF they are, take up any perceived non-compliance with the OAIC.

The legal question concerning the Mint is whether their corporate structure falls one way or the other with respect to the Act. 

I would recommend that Dave, in his next communication with the Mint, ask "Are you covered by the Privacy Act (1988)?"
 
The following users thanked this post: thm_w

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5669
  • Country: au
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #39 on: September 25, 2018, 11:55:25 pm »

As I said, I have a very good grasp of law based on my previous employment. My electronics knowledge aside, I think I have a fairly clear understanding on how to interpret legislation. My interpretation has absolutely nothing to do with the media, in fact, I haven't read, seen or heard a single thing about it in mainstream media, mostly because I don't pay that much attention to it.

It seems it's you who is misinterpreting the law in this instance. I get that you're getting advice from others, but I find Chinese whispers never worked too well. As I said, I'm not going to pretend to know the ins and outs of privacy legislation, it's not my area of expertise, but you're still yet to point me to any piece of legislation which excludes the WA Mint from the definitions/clauses I pointed out previously. From what I can see it very much INCLUDES them. On one hand you're sitting on the fence by using words like "may", yet on the other hand you're arguing sections which I literally copied from the Privacy Act. If you're going to assert that I'm wrong, provide some evidence please.

https://www.oaic.gov.au/privacy-law/rights-and-responsibilities

Scroll down to "Who doesn't have responsibilities under the Privacy Act?"

then read this:

The Privacy Act does not cover:
  • State or territory government agencies, including state and territory public hospitals and health care facilities (which are covered under state and territory legislation) except:
    • certain acts and practices related to My Health Records and Individual Healthcare Identifiers
    • entities prescribed by the Privacy Regulation 2013
  • individuals acting in their own capacity, including your neighbours
  • universities, other than private universities and the Australian National University
  • public schools
  • in some circumstances, the handling of employee records by an organisation in relation to current and former employment relationships
  • small business operators, unless an exception applies (see above)
  • media organisations acting in the course of journalism if the organisation is publicly committed to observing published privacy standards
  • registered political parties and political representatives.

This is, of course, not as authoritative as the references to the Act that I have already provided. 

And I am VERY MUCH on the fence as to whether or not the Mint is covered -- you simply assume they are.  I was pointing out that state agencies ARE NOT covered, and IF it includes the Mint, it is a reason why they don't have to do what the ACT says an organisation under the act has to do.  My advice continues that you should (1) find out, and (2) IF they are, take up any perceived non-compliance with the OAIC.

The legal question concerning the Mint is whether their corporate structure falls one way or the other with respect to the Act. 

I would recommend that Dave, in his next communication with the Mint, ask "Are you covered by the Privacy Act (1988)?"

Don't just rely on the dot-points on the OAIC website. For example, if you scroll up a little bit it states:

Who has responsibilities under the Privacy Act?
Australian Government agencies (and the Norfolk Island administration) and all businesses and not-for-profit organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.

As I said, read the actual legislation.

Quote
26WK  Statement about eligible data breach

Scope

(1)  This section applies if an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity.

Statement

(2)  The entity must:
    (a)  both:
        (i)  prepare a statement that complies with subsection (3); and
        (ii)  give a copy of the statement to the Commissioner; and
    (b)  do so as soon as practicable after the entity becomes so aware.

(3)  The statement referred to in subparagraph (2)(a)(i) must set out:
    (a)  the identity and contact details of the entity; and
    (b)  a description of the eligible data breach that the entity has reasonable grounds to believe has happened; and
    (c)  the kind or kinds of information concerned; and
    (d)  recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.

(4)  If the entity has reasonable grounds to believe that the access, disclosure or loss that constituted the eligible data breach of the entity is an eligible data breach of one or more other entities, the statement referred to in subparagraph (2)(a)(i) may also set out the identity and contact details of those other entities.

Quote
entity means:
    (a)  an agency; or
    (b)  an organisation; or
    (c)  a small business operator.

Quote
agency means:
    (a)  a Minister; or
    (b)  a Department; or
    (c)  a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth enactment, not being:
        (i)  an incorporated company, society or association; or
        (ii)  an organisation that is registered under the Fair Work (Registered Organisations) Act 2009 or a branch of such an organisation; or
    (d)  a body established or appointed by the Governor‑General, or by a Minister, otherwise than by or under a Commonwealth enactment; or
    (e)  a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth enactment, other than a person who, by virtue of holding that office, is the Secretary of a Department; or
    (f)  a person holding or performing the duties of an appointment, being an appointment made by the Governor‑General, or by a Minister, otherwise than under a Commonwealth enactment; or
    (g)  a federal court; or
    (h)  the Australian Federal Police; or
    (ha)  a Norfolk Island agency; or
    (k)  an eligible hearing service provider; or
    (l)  the service operator under the Healthcare Identifiers Act 2010.


A number of exemptions exist, for example complying with secrecy provisions, but they don't seem to apply here.
 

Offline BrianHG

  • Super Contributor
  • ***
  • Posts: 7725
  • Country: ca
Re: eevBLAB #52 - My Personal Data STOLEN from the Government!
« Reply #40 on: September 27, 2018, 03:59:08 pm »
How funny, bumped into this (shows you how the Australian government databases have been hacked many times and shared with others...):

 

