At a glance.
- Australian lawmakers pass bill increasing penalties for data breaches.
- EDF hit with fine for using MD5.
- No, Cybercom did not find fraud in US midterms.
Australian lawmakers pass bill increasing penalties for data breaches.
In the wake of a wave of cyberattacks targeting high-profile companies, the Australian government has passed a bill that increases the penalty for companies suffering from serious or repeated data breaches from a maximum of AU$2.22 million to AU$50 million (or 30% of an entity's adjusted turnover in the relevant period, or three times the value of any benefit obtained through the misuse of information, whichever is greater). Attorney-General Mark Dreyfus said in a statement, "Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business." As The Hacker News notes, the legislation also increases the powers of the Australian Information Commissioner to address security breaches. Australian Information Commissioner and Privacy Commissioner Angelene Falk explains that the "new information sharing powers will facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively." The bill, which was tabled as part of wider reforms to the Privacy Act 1988, now awaits Royal Assent to become law.
EDF hit with fine for using MD5.
The Commission nationale de l'informatique et des libertés (CNIL) has fined Électricité de France (EDF) €600,000 for breaching the General Data Protection Regulation by storing the passwords for over 25,800 accounts using the weak MD5 algorithm. As The Hacker News explains, not only was EDF found to be using the algorithm, which was found to be cryptographically broken back in 2008, but the electricity provider also failed to salt the passwords associated with more than 2 million customer accounts. The CNIL explained, "The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches."
No, Cybercom did not find fraud in US midterms.
USA Today debunks a claim that US Army Cyber Command (Cybercom) was investigating potential fraud in the US midterm elections, which took place last month. Republican numbers failed to reach the levels anticipated, and some social media users suggested fraud could be the reason, citing an article in Real Raw News which claimed Cybercom had noticed “election irregularities.” In the piece, which was shared over one hundred times in six days, an unnamed Cybercom source was quoted as saying, “There’s a lot going on now that doesn’t meet the eye. We will be looking into all allegations of fraud as we await the results.”
According to an agency spokesperson who spoke to USA Today, Cybercom found no evidence of election fraud associated with the midterms, nor has it announced any suspicious election activity. What’s more, the Real Raw News article claims Cybercom was investigating allegedly compromised voting machines in Maricopa County, Arizona, but no such investigation could have taken place, because Cybercom’s remit is confined to protecting the US from foreign actors, not domestic threats. The spokesperson stated in an email, “U.S. Cyber Command and our components have provided no such comments; these claims are inaccurate.” This is not the first time Real Raw News has been found to publish stories that are neither “real” nor “raw,” and a disclaimer on the site’s “About Us” page states it “contains humor, parody and satire.”