April 30th, 2018

Tom Crumpton

In the news you may have seen Mark Zuckerberg being questioned by the US Congress on how millions of Americans’ Facebook data was used by Cambridge Analytica for targeted advertising that may have had an effect on significant world events such as the US election.

That is a significant leap in impact, from advertising to sell products to potentially influencing election outcomes. This innocuous-looking personality quiz, written by a third-party application developer, will likely lead to considerably more oversight of, and changes to, Facebook in the USA.

In New Zealand only ten Kiwis installed the Cambridge Analytica quiz on Facebook, which gave it access to their data. But because of the way Facebook had set up its privacy controls, as many as 63,714 people may have had their data harvested as a result of those ten.

The Privacy Commissioner has taken no action so far while he waits for additional information. In another recent privacy breach, he did all he could under NZ’s current legislative framework, and the only concrete action he could take was to delete his own personal Facebook account.

The story would be different in the EU, where significant privacy improvements have been made, the latest in the form of the General Data Protection Regulation (GDPR). Coming into effect on 25 May this year, it gives all EU residents many rights, such as the right to be forgotten. This may impact NZ organisations that hold personal data on EU residents.

But there are also changes afoot to New Zealand’s privacy legislation, with a bill before Parliament to replace the 25-year-old Privacy Act, which is no longer relevant to today’s digital environment.

Two of the more significant changes are, first, to introduce mandatory reporting of privacy breaches (so the public will know if someone hacks into a private organisation and steals all of its customer records; currently that information could be withheld) and, second, to empower the Privacy Commissioner to issue a compliance notice in the event of a breach of the Act.

The UK and US intelligence agencies have issued a joint technical alert on Russian state-sponsored attacks targeting network infrastructure, which the GCSB has passed on to us. The alert identifies the specific systems that have been impacted and provides guidance and techniques to manage the risk. REANNZ has taken all relevant action.

The general advice remains the same as always:

1. Patch your systems to manufacturer-recommended levels, and do it quickly;

2. Lock down services as much as possible to keep the attack surface small;

3. Change default usernames and passwords, and make sure passwords are unique; and

4. Use two-factor authentication (2FA).

If you would like any more information or assistance on the areas covered in this article, contact Tom Crumpton, our Head of Security, who is available to provide support and advice.