Does anyone know where to report breaches of the AU equivalent of the EU Data Protection Directive?

I went to the website to report possible cybersecurity incidents or breaches, but I'm not involved with the business. So I thought I would report it as an individual, but it sends me to ACORN, and I haven't experienced loss "yet", so I'm not sure if that is the correct place to report it.

I haven't been able to get into contact with the business's IT team yet.

Basically, the breach involves medical records which can be accessed online. Dates of birth and names of patients are released along with mobile phone numbers and other possibly private information. The breach is a result of the use of sequential booking numbers which, when changed in the URL link, will result in many different strangers' data being released.

(I could go in and lock down everyone's account by creating them a random pass, but I don't think that's appropriate and would probably breach some other part of Australian law, including parts of the Cybercrime Bill as it would lead to impairment of services for others as well as unauthorised access)

All people who have booked a session are prone to having their records accessed if they haven't already logged onto the website and created a password. Upon creating a password, future logins seem to be blocked without proper login credentials which you just created.

The website mentions indemnity from misuse, but it is my opinion that most people don't even access the website, as I myself did not access my own records until weeks later. In those few weeks I think someone might have accessed my data; at the moment they might not have done anything yet, but they could technically use this to port away my prepaid number (also others involved in this breach).

As a business, if you haven't provided notice you can't bind people to those terms; merely linking terms of use which none of your patients will access is dubiously binding if binding at all. Thus this is actually a big issue for this particular business if anyone actually manages to link this business to any material loss.

For the purposes of this discussion, and to figure out what to do next, I'll assume that it has most likely been breached.

How have you guys gone about reporting issues, in particular involving Australian Businesses?

Ok, more information. Parent company is based in Europe. So I'm going to try to contact them too.
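The flaw described above (a patient record reachable by changing a sequential booking number in the URL, with no login required until the patient sets a password) can be illustrated with a small lookup handler. This is an added example, not code from the original post or from the site being discussed; the booking data, log lines, client addresses, reference store and function names are all constructed for illustration. It shows the vulnerable lookup beside a hardened one that requires an authenticated session and an ownership check, and a simple detector that flags clients walking consecutive ids in an access log:

```python
import re
import secrets
from collections import defaultdict

# Constructed sample data (hypothetical): sequential booking ids mapping to
# patient records, as on the site described in the post.
BOOKINGS = {
    1001: {"patient": "alice", "name": "A. Example", "dob": "1980-01-01", "mobile": "0400 000 001"},
    1002: {"patient": "bob",   "name": "B. Example", "dob": "1975-05-05", "mobile": "0400 000 002"},
    1003: {"patient": "carol", "name": "C. Example", "dob": "1990-09-09", "mobile": "0400 000 003"},
}


def lookup_vulnerable(booking_id):
    """The flaw as described: the id from the URL is the only thing consulted,
    so any visitor who increments the number reads someone else's record."""
    return BOOKINGS.get(booking_id)


# Hardened lookup: bookings are reached through an unguessable reference, and
# the record is returned only to the authenticated patient it belongs to.
REFERENCES = {}  # random reference -> booking id (hypothetical store)


def issue_reference(booking_id):
    """Mint a random reference for a booking; 24 random bytes cannot be enumerated."""
    ref = secrets.token_urlsafe(24)
    REFERENCES[ref] = booking_id
    return ref


class AccessDenied(Exception):
    pass


def lookup_hardened(session_user, ref):
    """Return the booking only if the caller is logged in, the reference resolves,
    and the booking belongs to that user."""
    if not session_user:
        raise AccessDenied("login required")
    booking_id = REFERENCES.get(ref)
    if booking_id is None:
        raise AccessDenied("unknown reference")
    record = BOOKINGS[booking_id]
    if record["patient"] != session_user:
        raise AccessDenied("booking belongs to another patient")
    return record


def can_access(session_user, ref):
    """Boolean wrapper around lookup_hardened for simple checks."""
    try:
        lookup_hardened(session_user, ref)
        return True
    except AccessDenied:
        return False


# Detection: a client walking sequential booking ids stands out in the access log.
LOG_RE = re.compile(r"^(\S+) GET /booking\?id=(\d+) (\d{3})$")

# Constructed sample log: one client reads its own booking twice, another walks ids 1001..1005.
SAMPLE_LOG = """\
198.51.100.7 GET /booking?id=1002 200
203.0.113.5 GET /booking?id=1001 200
203.0.113.5 GET /booking?id=1002 200
203.0.113.5 GET /booking?id=1003 200
203.0.113.5 GET /booking?id=1004 404
203.0.113.5 GET /booking?id=1005 404
198.51.100.7 GET /booking?id=1002 200
"""


def flag_enumeration(log_text, min_run=4):
    """Return clients that requested at least min_run distinct, consecutive booking ids."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))
    flagged = []
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        best = run = 1  # longest run of consecutive ids seen for this client
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    print("vulnerable lookup returns:", lookup_vulnerable(1002)["name"])
    ref = issue_reference(1001)
    print("owner allowed:", can_access("alice", ref), "| other patient denied:", not can_access("bob", ref))
    print("clients enumerating ids:", flag_enumeration(SAMPLE_LOG))
```

The two mitigations are independent: the ownership check is what actually closes the hole, and the random reference only removes the ability to guess; the log check is the kind of signal the business's IT team could look for to judge whether records were read before the fix.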

Comments

    • -1

      Ok, I guess I'll have to wait 30 days for their reply.

      I hope they fix it before I have to take it to the commissioner, not sure if my data was breached, but who knows…

      Thanks.

      • +1

        Or just tip off the media and it will be resolved much more quickly. Try the ABC.

      • "If they do not respond within 30 days, or you are dissatisfied with the response, you can then bring your complaint to us." - so you may not have to wait. You could always just call the Commissioner's enquiry line: 1300 363 992.

        If the website becomes aware of a data breach they may be required by law to notify the Commissioner themselves.

  • +5

    Let this guy know

    https://twitter.com/troyhunt

    • Yep definitely contact Troy. He will know the appropriate people to inform and if he doesn't get a response he will use his considerable online influence to make stuff happen.

  • AU version of the EU Data Protection Directive?

    Er … we have that?

    • We've only just not got mandatory disclosure laws for breaches of private data. So maybe come back in another 10 years or so and we will.
