Compliance officers for businesses to which the Privacy Act applies need to ensure that their advice takes into account issues that apply to business websites.

The privacy policy published on the website should be readable and not be unnecessarily lengthy or complex . It should address security issues including whether information is stored overseas and the things users need to do to protect their own passwords and information.

Compliance officers should discuss with the website manager the actual steps taken by them to protect and secure the personal information collected on the website, how they will detect a website security breach and what happens if there is a breach.

Overview
This article discusses the relevant Australian Privacy Principles, the recent investigation by the Privacy Commissioner into Cupid Media and specific website security steps.

It is clear from the Privacy Commissioner’s Own Motion Investigation Reports (including on First State Super, Multicard, AAPT, Telstra and Cupid Media) that website security is an ongoing obligation: security at a point in time does not mean the website is always secure. There is always the risk that security breaches will occur if the website’s security measures are not checked on an ongoing basis.

Sometimes a website owner does not know for months there has in fact been a security breach.

Shortening the time between initial breach and detection can minimise financial loss due to fraud, loss of sensitive data and customer confidence. Loss of customer confidence in website security can affect a business’s market share.

Designing information security measures to prevent the misuse of personal information on a website and to detect and respond to privacy breaches as a result of changing technology is a critical compliance measure.

The Australian Privacy Principles and security
APP 11.1 requires an organisation to “take reasonable security measures to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure”.

APP 11.2 requires that information which is no longer needed to be destroyed or to ensure that it is de-identified.

In addition to APP 11, Sections 20Q and 21S of the Privacy Act imposes security obligations on credit reporting agencies and credit providers. TFN guideline 6.1 requires TFN recipients to protect TFN information by such security safeguards as are reasonable in the circumstances.

The OAIC’s statement of 6 March 2014 made it clear that “while an organisation may not be found to have ‘disclosed’ personal information following a data breach or cyber-attack (under APP 6), the organisation may still be found in breach of APP 11 if it did not take reasonable steps to protect the information from unauthorised access, such as a cyber-attack.”

What are the security risks for websites and how do you prevent them?
The OAIC’s Guide to information security (April 2013) provides guidance on what the OAIC may consider to be ‘reasonable steps’ as required by APP 11. The OAIC has recently concluded consultation on its revised version of the Guide.

The revised guide states :
“There is an expectation that entities which provide online customer services or engage in electronic commerce, such as online retail businesses, will utilise ICT security measures to ensure that their website, along with smart phones, apps, terminals, kiosks and other environments that may be connected to a network are secure and that they provide a safe environment for individuals to make payments or provide their banking and personal information….
failure by the entity to take reasonable steps under APP 11 to prevent unauthorised access such as a cyber-attack or a theft, including where the third party then makes personal information available to others outside the entity, may be a breach of APP 11. The OAIC has previously found, after investigation, that entities were in breach of the Privacy Act by not taking reasonable steps to prevent a data breach involving a cyber-attack.”

Breaches of website security can result from exploitation of hardware or software issues as well as poor access security.

Security steps can include:
• ensure the latest versions of software including security software are in use
• ensuring that web browsers, including ‘add-ons’ or ‘plug-ins’ are up to date
• ensure that the data is scanned before it is opened to ensure that it does not contain any malicious content
• encryption of sensitive information
• filtering of web traffic to prevent harmful content from reaching user systems.
• maintaining an intrusion detection system and regularly analysing event logs
• penetration testing to discover security weaknesses
• ensuring that personal information is only accessed by authorised persons
• using multi-factor authentication to obtain access
• ensure that personal or sensitive information not intended for public release is not stored on a public website.
• in conjunction with authentication, entities should also disable directory browsing when configuring web servers
• require strong passwords or passphrases
• lock users out after a specified number of failed logins.

Cupid Media
On 13 December 2013, the Australian Privacy Commissioner opened an own motion investigation into Cupid Media Pty Ltd in response to media allegations that personal information of Cupid users had been acquired by unauthorised persons, and were found on a server operated by hackers, which Cupid confirmed.

The Commissioner found that Cupid Media breached the Privacy Act by failing to take reasonable steps to secure personal information it held on over 35 niche dating websites based on personal profile including ethnicity, religion and location (such as ‘African dating’, ‘Asian dating’, ‘Latin dating’, ‘gay and lesbian dating’, ‘special interest’ and ‘religion’). It also failed to destroy the personal information it held in relation to accounts that were no longer in use.

The categories of personal information compromised in the data breach consisted of full names, dates of birth (for some customers), email addresses and passwords.

Cupid estimated that the accounts and personal information of approximately 254,000 Australian users were compromised in the data breach.

Cupid stated that the following key events led to the data breach:
•On 21 January 2013, Cupid identified a rogue file on one of its webservers.
•Cupid then conducted internal investigations and identified that on 18 January 2013, attackers exploited a vulnerability within the application server platform used by Cupid (ColdFusion), which allowed them to gain access to Cupid’s webservers.
•With access to Cupid’s webservers, the attackers were able to upload a shell ‘ColdFusion Markup’ (CFM) file that allowed the attackers to run SQL queries against Cupid’s databases and gain unauthorised access to Cupid’s data.
•A security hotfix (patch) for the ColdFusion vulnerability was released on 16 January 2013, however Cupid did not receive notification from the developer that the patch was available. Cupid advised that the particular developer ordinarily sent Cupid an alert when updates and patches were made available, but did not do so in this instance. In the absence of the alert, Cupid’s IT team identified (through its business as usual internal patch management processes) that the patch was available on 21 January 2013.
•On 21 January 2013, Cupid applied the patch and fixed the vulnerability, which in turn stopped the attackers from obtaining further data.
Cupid advised that it used information management tools, including the following:
•patch application and management, including processes to identify and install patches and security updates as they become available from Cupid’s third party software suppliers
•antivirus software protection on all servers, including updates and maintenance, and
•database segregation (database information is kept on a separate network to website information, so that database information is only accessible by Cupid webservers and not the public internet).

In respect of NPP 4.1 (substantially the equivalent of APP 11.1), the Commissioner considered that the information and patch management steps and the testing and monitoring steps taken by Cupid were reasonable security steps for the purposes of NPP 4.1 in the circumstances.

Cupid stated that it used the following testing and monitoring processes at the time of the data breach:
•daily vulnerability scans, and
•an intrusion prevention and intrusion detection firewall.
The Commissioner was satisfied that the testing and monitoring steps taken by Cupid were reasonable steps as required by NPP 4.1.
Cupid advised that it used the following password protection mechanisms at the time of the data breach:
•an account lockout policy, and
•enforcement of strong password policies on all servers.

Following the data breach, Cupid also promptly initiated a password reset process for all its users. This included encouraging users, as an extra security precaution, to reset passwords for different online services where the users used the same password as used for Cupid.

However the Commissioner found Cupid’s storage of passwords in plain text to be a failure to take reasonable security steps for the purpose of NPP 4.1. He observed that password encryption strategies such as hashing and salting are basic security steps that were available to Cupid at the time of the data breach that may have prevented unauthorised access to user accounts.

Also, the Commissioner considered that prior to the data breach Cupid failed to take reasonable steps to destroy or permanently de-identify the personal information it held in relation to user accounts that were no longer in use or needed, in contravention of NPP 4.2 (similar to APP 11.2).

Cupid stated that although the media had reported that 42 million users’ accounts were compromised as a result of the data breach, this figure was not accurate because it included ‘junk’ accounts and duplicate accounts. Cupid confirmed that at the time of the data breach, it did not have any particular systems in place to identify accounts that were no longer needed or in use, or a process for how the destruction or de-identification of personal information related to such accounts would occur.

Conclusion
Compliance officers must remind the website manager that they must secure what they collect and store on a website.

This involves implementing a system to prevent unauthorised access as well as monitoring that system.

Detection of website security breaches and how a business reacts to breaches are just as important as prevention.

Questions for compliance officers to ask website managers
• Who is responsible for website security?
• Do you keep your website security software up to date?
• Do you carry out website penetration testing?
• Do you have an intrusion detection system?
• Is user information encrypted when it is transferred via the internet or stored?
• Does your code allow for differences in mobile platforms?
• Are credentials generated securely?
• Do you do due diligence on libraries and other third-party code?
• Are passwords stored in plain text on your server?
• Do you tell users the steps they need to take to protect passwords?
• Do you have an account lockout policy if incorrect passwords are used?
• Do you delete or de-identify personal information that you don’t need?
• Do you have a data breach policy and response plan which is implemented and regularly reviewed?

This article was first published in a slightly different form in the Privacy Law Bulletin.