Security Market Segment LS
Monday, 23 July 2018 11:35

PageUp breach secrecy may be to set precedent: expert Featured

Helaine Leggat: "If too much information is made public, it does not help in an investigation." Helaine Leggat: "If too much information is made public, it does not help in an investigation." Supplied

Australian authorities may have decided not to fully disclose details of the data breach at human resources outfit PageUp People as it is the first major breach to be revealed, and the processes followed could set a precedent for others that follow, an expert in cyber security and law says.

Helaine Leggat, head of cyber law at Sladen Legal, told iTWire in response to queries that the Department of Home Affairs and other Australian authorities may have decided to practice "security through obscurity".

Since 19 June, PageUp People has kept mum about the breach, having revealed very little about it prior to that as well, after first breaking the news of the breach on 6 June. The company has said it first noticed the intrusion on 23 May.

Leggat pointed out that in the US, from as early as 2015 after the promulgation of the Cybersecurity Information Sharing Act (CISA Legislation), "the authorities, including LEA (Law Enforcement) were saying that the victims of crime should not be punished. I have heard (Australian Cyber Security Centre chief Alastair) MacGibbon say the same thing here in 2018".

MacGibbon has gone on the record describing PageUp as being effectively "victimised" as a result of having to out itself to Australian customers before it even knew for certain there was a problem.

Leggat said there could be many reasons why the authorities were keeping quiet and protecting PageUp People.

"We are no doubt dealing with crime/criminal organisations wrt the breach," she said. "The UK authorities are also involved. Remember, there are Mutual Co-operation laws where countries like Australia and the UK agree to work together to assist one another. If too much information is made public, it does not help in an investigation."

She pointed out that in the case of the Singapore Privacy Law, there was no obligation to report a breach.

Asked whether there was a requirement for PageUp to provide full details of the breach to the public, Leggat said there were various provisions of the law that gave authorities an out.

She said she suspected that "full disclosure in this case will not be helpful to Australian interests in the fight against crime".

But Leggat said that "from a trust and company risk/reputation point of view, one would think that PageUp People would want to communicate more frequently. (I recommend Crisis Communications Policies, among other things).

"It is complex and we do not have the answers. Bear in mind the broader aspects of privacy. While Australia does not have a Tort (private action) of privacy, it does recognise privacy as a human and civil right – Refer to the Preamble of the Privacy Act 1988.

"There are all sorts of legal causes of action that can arise in a case such as this, including, contractual actions (PageUp with its clients, service providers etc), Breach of Confidence, negligence, shareholder actions etc. The biggest mistake people are making is to look narrowly at the NDB Scheme."

WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments