Shostack + Friends Blog Archive


No word on the lupins

NSW Police are investigating the possible compromise of an online florist’s database and theft of customers’ credit card details.
The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only.
There are unconfirmed reports that the details were used to make a string of luxury purchases in South-East Asia.
“A strike force has been set up by the State Crime Command Fraud Squad to investigate the possible compromise of an internet-based business’ database and subsequent fraudulent transactions,” a police spokesman said.
She said the investigation was in its earliest stages and no further information was available.
Roses Only later released a statement saying that it had been recently advised that their computer systems “may have been” compromised through an unauthorised intrusion earlier in the year.
“We moved quickly to address the situation and engaged a leading international technology security firm to enhance the security of our system,” the statement said.

Sydney Morning Herald
(Image grab via Youtube)

4 comments on "No word on the lupins"

  • Alex says:

    Dennis Moore, Dennis Moore,
    etc.. etc…

  • Anonymous says:

    1. Huh?
    2. I rearranged my post, this seems like a weekendy thing. 🙂

  • Toby says:

    This is interesting, in light of the recent discussion paper produced by the Australian Law Reform Commission, here.
    In particular, Australia (as far as I know) has no breach notification laws at either the State or Federal levels. The report does spend an entire chapter discussing them, however, and concludes that
    “47.63 In the ALRC’s view, the proposed data breach notification provisions should
    include a general requirement to notify the Privacy Commissioner and affected
    individuals when specified personal information has been, or is reasonably believed to
    have been, acquired by an unauthorised person; and the agency, organisation or
    Privacy Commissioner believes that the unauthorised acquisition may give rise to a real
    risk of serious harm to any affected individual.”
    The report seems to have been vaguely well researched. They go on to note that this test is weaker than the California law but counter that a stronger test is needed to avoid “notification fatigue”.
    Perhaps unfortunately, it does appear that their recommendations have been watered down by stakeholders.
    “47.68 While the proposed triggering event set out above is narrower than that adopted
    in many states in the US, the ALRC acknowledges the concern expressed by
    stakeholders that there be some exceptions and discretion around the requirement to
    These exceptions include cases in which data was “encrypted adequately”, or “acquired in good faith by an employee or agent where the agency or organisation was otherwise acting for a purpose permitted by the proposed UPPs — provided the personal information is not used or subject to further disclosure”, and cases in which the Privacy Commissioner determines that it is not in the public interest to notify.
    The second exception in particular seems, at first glance, to perhaps conflict with the need to disclose in cases of insider abuse, but I may be wrong here.
    Timely stuff.
    Breach disclosure is an unheard of concept to most Aussies. Hopefully we will begin to see some momentum here. The US experience appears not to have gone unnoticed by the Australian Law Reform Commission at least, even if their recommendations could be tougher.
    I’d love to get the more experienced EC view on these recommendations though.
    Thanks for the continuing goodness of EC

  • Toby says:

    I probably should have pointed out that the ALRC’s report centres around Australia’s privacy laws.
    Also, the need for notification in instances of insider abuse is particularly relevant given recent reports (such as this one) that are finally beginning to show insider abuse as the major threat.
