• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.



Our hot topics for this week's cyber news episode include a conversation around the role of the ‘Big 4’ consultancies in Australia’s cybersecurity future and what the recent hiring spree at PWC and EY acquiring SecureWorx means. We review how Toll have rebuffed criticism that it allegedly acted too slowly in keeping the ASD informed during their two cyber-attacks last year. We look at Amazon’s huge $1B fine for alleged breaches of GDPR laws in Europe, and what a fine of this size means for other large tech companies. We also dive into a story that was published on Radio NZ last week that referenced information obtained from the ransomware attack on the Waikato District Health Board in May and the moral, ethical, and legal implications of such reporting.



The Get Cyber Resilient Show Episode #66 Transcript

Dan McDermott: Welcome back to the Get Cyber Resilient show. Today is our fortnightly in the news episode. My name is Dan McDermott and I'll be your host for today. Joining me are our resident cybersecurity experts, Bradley Sing and Garrett O'Hara, and we'll be exploring the hot topics of what is the role of the big four consultancies in Australia's cybersecurity future, with the recent hiring sprees and acquisitions made by PWC and EY. We'll review how Toll have rebuffed criticism and that it allegedly acted too slowly in keeping the ASD informed during their two cyber-attacks last year. We'll look at Amazon's one billion dollar fine for alleged breaches of GDPR laws in Europe and we will finish with diving into how Radio New Zealand published a story that referenced information obtained from the ransomware attack on the Waikato District Health Board in May and the moral, ethical, and legal implications of such reporting.

Firstly, Gar, welcome back after being unwell for our last, in the news episode. Great to have you here today.

Garrett O'Hara: Thanks, Dan. And as you were saying, when we were off-mike actually healed today as well from the, uh, first AstraZeneca jab, but I'm feeling like my body's doing what it needs to do to be, uh, COVID-resilient, so good times.

Dan McDermott: Well, congratulations on arming up and

Garrett O'Hara: Thank you.

Dan McDermott: ...getting, getting the jab. Brad, let's kick off with reviewing the recent announcements by two of the big four consultancies on their growth in cybersecurity here in the Australian market.

Bradley Sing: Yeah, certainly, and it's good to have you back, Gar, and hopefully you don't start acting strange due to a microchip for 5G or anything. But, um...

Garrett O'Hara: Stranger, Brad, stranger.

Bradley Sing: [laughs]. We won't get into that, though. We'll be taken down for fake news. So look, guys, I guess, yeah, thanks again, everyone, for joining us today. And first topic or story we want to talk about is, I guess, really looking at the rise, and I guess it's been happening over the past few years, with the entry of the big four or more of the top tier consulting firms into cybersecurity.

We've seen a couple of press announcements recently, uh, from Ernst & Young as an example, where they've, uh, effectively gone out and purchased, uh, SecureWorx, which is a local cybersecurity firm here in Australia or kinda MSSP. And then also PWC planning to hire in excess of over a hundred cybersecurity staff over the next few years.

And now that I think of it we've also seen, I guess, the rise of, I guess, you know, p- public cybersecurity in company as well in Australia as well with, you know, CYBERSEC's coming to a front and that amalgamation of companies. So yeah, I guess from, from your guys' perspective, this as well as, what do you think this changes and if anything is this new and- and then kind of, I guess, what is the impact or how does this help the narrative around better high-level accountability around.


Garrett O'Hara: Yeah, I think these the big four, I mean, in the UK there are the they hoover up cybersecurity experts [inaudible 00:02:53] what the top hirers, and I think have been for, for a while when it comes to cybersecurity. Uh, look, my understanding is that many organizations, certainly when you hit a certain size, will use the big four for external audits.

You know, they're, they're sorta set up for that in a way that many other organizations aren't, plus the fact that they're a big four tends to add a little bit of weight in gravity when you're doing a board presentation and you want to get some funding for maybe gaps in controls or to fund a project. And, you know, so my sense is having EY, KPM- KPMG, you know, Ac- Accenture PWC as the logo on an external audit is is gonna help your cause.

If you're actually trying to get something across the line, so. It- it's sort of an interesting one. I think they've been doing a lot of this stuff for, for quite some time and obviously all the other things that they do. I I, the big four's always kind of mythical to me. I've met people who've worked there and they they're a certain type of person, can't quite put my finger on it or describe it.

But you know, I think you can, you can tell when somebody's kinda come through the ranks of these organizations, they've got a poise and a certainty about themselves that they, they carry through to the rest of their careers.

Dan McDermott: Yeah, I- I think that's a highlights a couple of things to me. One is obviously the rise of cyber and what it means to for organizations.

The fact that, you know, lot of smaller companies are being, you know, amalgamated into, into the big four or a [inaudible 00:04:18] as you said, Brad. So it is like the coming together and sort of the rising out of sort of, you know, maybe smaller sort of players into, into much larger conglomerates. I think it's also extending their service offering.

Right. As you sort of see as they're going into that, rather than just the advisory, if you like, or the auditing side moving much more than into that MSSP of actually delivering the service itself as well. So it gives an interesting lens to, you know, well, you know, do they need, you know, [inaudible 00:04:50] to operate at arm's length between, you know, advice and actually delivering the service.

And what does those sort of things mean? But they've been going through this for a long time and understand how to sort of, I guess, maximize their role in what they believe they can sort of offer value to back into the, I guess, the ecosystem in the, in the cybersecurity community.

Bradley Sing: I, I think that's a real thing there, right?

It's like, what, what role do they play? Are they gonna play that pure advisory role moving forward or with the, you know, point Dan, like with the acquisitions of MSSPs, I- I feel like they've gone from doing softer things, such as awareness training exercises and and that type of maybe interviewing staff.

And running that type of education to your point, maybe to more of that almost end-to-end capability. But the thing is though, to your point as well, it's the rise of cyber. Where does this end? Where does this start? Everybody has a skill shortage and- and these organizations are snapping up all the good talent. And I'm sure there's gonna be a demand for, uh, for their services.

Garrett O'Hara: Yeah, there definitely will. I think the the interesting point you raised there, Dan, is the potential conflict of interest. And how do you separate the, you know, those advisory services from then the onsell of services or products afterwards. And, you know, I've certainly seen that in other organizations and I've always scratched my head where you, you, you know, if you pay somebody to do an independent analysis of a toolset or an approach, I've always I've sort of found it interesting that you could then potentially also with the organize- organization that sells the product or service afterwards, because surely that's a conflict of interest.

So yeah, it'll be interesting to see if this, if this separation or how they kind of approach that, you know, audit versus service provision.

Dan McDermott: Definitely. And I think you're also raised the issue Gar, around like, you know, I guess it takes a different, I think person to run a SOC than it does to be a a consultant or [inaudible 00:06:34], so I think the only way that they can really legitimately offer those services and do them really well is probably through acquisition.

Right. And bringing in the right type of people and that talent 'cause I'm not sure that they would cultivate it themselves. So they're definitely on- on the march and expanding their footprint into, into this. And it will be interesting, you know, to hear from our listeners as well, you know, if they wanna share as we post the episode, you know, what's their involvement with the big four and do they see them actually playing a role?

In and how, how much will they rely on them today versus into the future? Or in, you know, some of those topics might come out as interesting things for, I think, for discussion around, you know, that conflict of interest or do they see them as two separate things or will they actually just sort of leverage, we know one, one throat to choke as well,

Garrett O'Hara: Or one hand to shake.

If you want to do the positive version.

Dan McDermott: [laughs]. Drinking our own champagne, rather than eating our own dog food.

Garrett O'Hara: There you go.

Bradley Sing: Yeah, that's it.

Dan McDermott: Indeed. Uh, the next topic that we had for today was actually a- a [inaudible 00:07:37] from last year which was some of the most high-profile ones regarding the Toll Group and what had happened. And we covered it during the- the podcast and online last year.

But it's also, it's raised its head again in terms of some criticism leveled at Toll around sort of allegedly sort of taking too long to keep the ASD informed and keeping the government actually informed with- with those attacks and what was happening. They've defended themselves and said that that's not true.

And that they believe that their engagement was, uh, was timely and- and well-justified. But Brad, what can you tell us about w- what's happening here with Toll and did the, I guess the rights of the organization to be able to interface with government and how do we actually get that right?

Bradley Sing: Yeah. Yeah, no, look, I feel like we can't stop talking about Toll and again, nothing against the organization or anything.

It's just, they're a really good case study, I think, in terms of changing regulation, the, the, yeah, the ASD/government wanting to have more input an- and more control over their response, but also the reality that, uh, a lot of Australian organizations just don't have the maturity to, to, well, protect themselves.

And then how do they recover quickly again, in terms of the story, which is kinda breaking right now, this is all back around, uh, well, to your point. I think it was the chief spy M- Ms. Noble

Garrett O'Hara: Mm-hmm [affirmative].

Bradley Sing: ...of the ASD. She- she basically came out and said there was a Australian company or an organization, which didn't respond very quickly enough to the ASD.

Uh, it was brought up in question time in parliament as well by a Liberal senator with both with, I think, Qantas, Toll. There was another company as well, who effectively denied the allegations. The response from Toll, and in their response, they've also cited the critical infrastructure bill, which we've talked about a lot on this channel in the past.

They've also cited the fact that, uh, look, we're really busy. We're sorry. We're under a lot of stress. And we tried to work with them as much as possible, and I think it comes back down to the point where technically, without something like the critical infrastructure bill, there isn't any obligation for these organizations to work with the ASD or even actually give them access into their systems.

So it's kind of up to the company, but I know from a, I guess, a roles and responsibilities perspective, it really does start to get a bit murky, doesn't it?

Garrett O'Hara: That's, yeah, that is the word, murky is so important there, Brad. Uh, clarity, I think, is the thing that's missing so often when it comes to this stuff, because like, how do you, how do you operate?

So if you are an organization and you don't know what the expectations are or the, you know, the sort of time limit you have to inform the ASD of something. I think that's partly what we are suffering from. You know, I think the, you know, [inaudible 00:10:15] wrote the, p- the article on ransomware a couple of weeks ago, and, you know, they talked about the, kind of the policy vacuum when it comes to ransomware. And I think we're probably seeing that in other places too, where, you know, the, the job of regulation and laws is to give clarity so that all organizations know exactly what they've got to do. And it's not a decision point in, you know, in an ex-co meeting or a board meeting or in this security team, it's, hey, this is what we have to do.

So we go and do it. And I think, it, you know, you probably eliminate so much of the confusion that exists through clarity and through this legislation stuff to, to the, I mean, there's, I think we're gonna talk about this a little bit later, but I think it's part of this story. Also the, that sort of idea of the ASD intervention and, you know, what does that mean?

That that's a really, really interesting one. And, and Brad, you kinda mentioned it. You know, you got smaller organizations in Australia that are providing critical services or infrastructure. There's a, definitely an argument to be made for assistance from the ASD, but, uh, both Amazon and Google have, in my opinion, rightly come out and said, well, actually you're probably gonna potentially cause way more damage by trying to help us, 'cause you've no idea about our systems or controls that are in place.

And that's, that, that to me is one of the things I'm scratching my head about is when it comes to security. There's so many things are interdependent, the controls kinda daisy-chain off each other. If you don't really know an environment, it's very, very hard to do any kind of useful incident response.

And also the talk from the ASD about potentially installing software or applications within environments like that also has me scratching my head a little bit, you know, I'm sure the intent is pure, but yeah, I think there maybe sort of unexpected or undesired consequences from that sort of stuff.

Bradley Sing: I think it's uh, definitely uh and I've kind of, I kinda suspected this last year, like there's definitely a big, big power play going on here as well.

Like whilst this is for cybersecurity, there is a huge clash of, I guess, government versus private enterprise and- and the corporation, like to your point around Amazon and Google, that's a phenomenal example, but like, do you need to get the point where the ASD are all qualified AWS, Google Cloud, Azure, like, name, how many platforms or systems out there?

I wonder if the government turns or installs some type of, I dunno, some software within your environment, and then it gets breached as an example, like that the levels of risk and- and trust. And yeah, I think it does get back to that point though. How do we defend against the scale of this, like we do need government help.

And I think to your point, we do need government regulation. Before I pass it back over to you, I think their big problem at the moment is when you do get breached, when does that actually get reported to the public? Right? If you do work with the ASD, you could get breached. And in three months later it hits the press.

Technically, you maybe haven't actually suffered any fallout from that. And none of your, you know, the people who suffer the breach potentially, you know, their details are still in lieu and it doesn't actually come out that they can reset their passwords, et cetera. So I think because of that timing which you kind of mentioned before, Gar, we definitely need better guidelines in terms of what companies need to do, 'cause otherwise they're just gonna skirt around the murkiness and they're gonna, you know, they're gonna interpret it in- in the best way for- for, in the best light they think they can.

Garrett O'Hara: Yeah, it's, I mean, there's, it's one of those complex problems, as in I wish there was a magic wand or a simple three sentence, you know, paragraph you could write to fix this thing, but it is. So, you know, it's one of those problems that the answer seems to be just, it depends. And at so many different levels, it depends, you know, on the best approach. And I th- you know, in my mind I see, probably like I've started [inaudible 00:13:46] mentally divide this stuff into like the data breach stuff, which is obviously bad and terrible.

And then the impact to critical services and infrastructure. I think that's the one that I, you know, personally gonna worry about a lot more. And I think this may be a stronger role for the ASD and, you know, government bodies to come in and, and, you know, do some stuff to to try and help there again, you know, big asterisk, depending on the organization that they're trying to help.

Yeah. I I wonder how long it takes to settle down, like, that's the thing. I mean, it's not coming next month or six months from now. I suspect this is kinda gonna take some time to figure out.

Dan McDermott: Yeah. Like you both said, a, definitely a- a multifaceted challenge. Right. And I think the, one of the things is, is, you know, those in glass houses shouldn't be throwing stones.

So how much can you trust the government when they constantly fail their own audit standards? Is- is one concern and I think they're a legitimate one. Not that the ASD fall into that, right. They obviously, you know, do have the highest of standards, but it- it is hard to sort of impose your right and your will onto others.

If you don't have your own house in order. So I think there's some of that that needs to be done and then some hygiene just within government itself. But it's also like the, what is the role? And I think that's where you really summed it up, Gar, is, is, is it that, you know, Toll in this instance should be informing the ASD so that the ASD can then inform the rest of the community.

And actually, you know, get ahead of anybody else being attacked. So is it, you know, actually, you know, a- a- a quick rapid response to actually helping everybody else versus stepping in and actually trying to say that they can help, uh, Toll, could they actually solve, you know, what, you know, the incident that is already occurred post it occurring.

Garrett O'Hara: Spot on, like, the, like you've, just I think you've hit it there in a way.

Like it's the letting a government agency know, off the top of my head, don't see [inaudible 00:15:41], you know, at least they know they can plan around what, what the impact could be to citizens and, you know, getting stuff shipped, et cetera, blah, blah, blah, then the bit where you're actively intervening and potentially, you know, doing more harm than good, you know, that's the bit where, yeah, there surely is a gray area. But yeah, I, like, have been, I love the idea of just, yeah, notification, l- at least get the visibility. Isn't this a little bit like the suggestion for the mandatory reporting of ransomware? Like it's the same idea. Let's get, let's get visibility on the size of the problem and where the money's going to cool.

Like away we go, at least we can start dealing with.

Bradley Sing: Bring in the penalties later, we just need a proper benchmark to understand it so we can guide people. And then I think the biggest thing is the guidance, right? So like what guidance are we telling to organizations? It feels like at the moment, it's just every company for itself.

Really, until you get breached, y- you don't really know what you're dealing with.

Garrett O'Hara: Cyber Hunger Games.

Bradley Sing: [laughs].

Dan McDermott: And is there a notion that, you know, the government steps in for a smaller organization and tries to help them out? Because we know, you know, that they don't have, you know, maybe their resources and investment into cybersecurity versus, you know, a larger enterprise, but it's still fraught with.


Garrett O'Hara: D- Dmitri, when he was on spoke about this actually. [inaudible 00:16:56] Dmitri Alperovitch spoke about this, right? The, the bit where you get the point where if you're providing critical infrastructure services to a country, then you know, the value of an audit system that gets you either in or out to be able to do that because.

If you can't afford to do security good, then you can't afford to be part of this, the critical national infrastructure. And I think there's validity to that argument. Really struggled with that word validity to [laughs], to that argument. That like, this stuff is really important. And I think we've been lucky and maybe gotten away with things for quite a long time, but now we're not anymore.

And I do, I do think there's merit in som- yet another standard. But you know, something where we can go and figure out, hey, you know, organization X, they're of certain size, we've done the audit and they're in a pretty good position. As far as being able to respond or stay resilient. Uh, organization Y could be bigger, but for whatever reason, you know, management structures, lack of funding, who, who knows, not so good.

So, you know, they're, they, they, don't get to fly solo. They, they will have us intervene because they, we don't think that they can do it. I, you know, I wonder do we land somewhere there?

Dan McDermott: Mm [affirmative]. Yeah, very interesting way of looking at it and, you know, much more sophisticated approach than just based on size or one element if you like. I think this whole area around, you know, legislation in- in the role of government leads us to the next story as well. You know, one area that we've known for a number of years around, I guess, you know, data breach laws and data laws in particular is GDPR and led out of the European Union, and in many ways, like a lot of these legislations is often been seen as, is it the toothless tiger? It's, like, it's been interesting and it's there, but, you know, how well can it actually be enforced? Well, we've seen a a big one come out with Amazon being hit with one billion dollars Australian. So a huge number, you know, fine for, you know, alleged in breaches, which of course they are denying and fighting back against.

But Gar and Brad, it would be really interesting to he- learn more about like, what, you know, what Amazon are facing here, and where do we [inaudible 00:19:07] see this going from from a GDPR perspective.

Garrett O'Hara: Yeah. I think the, the number, the one billion is interesting. 'Cause I, I, I'm pretty sure that's like pocket money for Jeff Be- Bezos, so, like that's, that's what he spends on, uh, you know, trousers in a week, but it's like it's a whopper. Uh, but I I think you're spot on, Dan, in terms of, like, in the, maybe your personal opinion, but I like the idea of legislation having teeth, because I think there maybe is a little bit of overstep and too much power in big tech companies where there there's attempts often to push policy onto sovereign nations.

We saw a little bit of that with, uh, one of the social media companies in Australia, not too long ago. And I I personally have a problem with that. I think, you know, we. We are nations. We, we vote for the people who lead us. We don't necessarily vote for tech companies to, to lead us, or make decisions around what good looks like when it comes to our data, our privacy, how they use that data.

But this is, I mean, it's a really interesting one, uh, to me and, you know, it's Lux- Luxembourg we've kinda gone after them. And it's a sort of breach in GDPR. And my understanding is that we don't really know what the breach is and correct me if I'm wrong, if you guys know. But it- it feels like something happened.

It's been considered pretty serious given the size of the, the fine, but I'm, I don't know what the details are of what actually happens to cause the fine.

Bradley Sing: Yeah, I don't think we know yet. And [laughs], does this feel like it's just for a company like Amazon, it's just the cost of doing business, you know, like it's at the end of the day, like.

[laughs], It's good. I think okay, agree. I think it's great that we're having enforcement around this, but it doesn't really hurt them. And then, I mean, to, at this point, I guess to Amazon's defense, they haven't confirmed or you know, they're denying the allegations and kind of what you said earlier, Dan, but I guess they'd be stupid to kind of admit to anything at this stage.

Uh, interestingly enough, you mentioned kind of, I guess the whole Facebook news and that aspect, Facebook have just launched their news offering in Australia as of today. So that's, uh, their kind of news channel program, which I think they're basically trying to get journalism revenue all around through the world.

And the Australian meda bar- media bargaining that we did with them was kind of like a bit preemptive, but kind of on a similar vein as well. So back to the privacy aspect, I think you're a hundred percent, right? Like we need to make these companies accountable, but I don't think big financial fines is just enough.

Like there needs to be something else, doesn't there, there needs to be the ACCC coming in and saying you can't advertise anymore. There needs to be higher penalties or something because clearly what we're doing at the moment is not effective. And we definitely don't even need to get into the, the, you know, the aspect or the idea of how tax hasn't been paid by a lot of these large providers, but you know, they- they take a lot of money out of the economy as well.

Garrett O'Hara: And I think there's, I mean, there's energy behind breaking these, these organizations up. Certainly seen that change, uh, with the, uh, government over in the US and some of the people that Biden has put in positions to kind of start looking at, you know, the, the power of big tech and what it does mean to kind of break up those organizations.

And you know, there's some commentary in people in kind of the business community about how that's an overall good for investors, for society, and that when you break up organizations that size, it tends to be really good for shareholders. You, you, you come out on top, like it's better financially, which is kind of an interesting thing.

So, you know, the, the sort of the, the churn and the break up of these organizations, I- I suppose one thing is it has a good outcome, I I suspect, for society, but then secondly, it's actually pretty good for an economy. So, you know, I'm sure they don't necessarily want to be broken up, but and in the background.

I just had a quick look to see how much Jeff was worth and it's 196 billion personal worth in 2021. So the fine is .5% of, of Jeff's personal [laughs], worth and that's USD. So probably even more in Australian dollars. [crosstalk 00:23:01]. Sorry you go. [inaudible 00:23:03].

Bradley Sing: I was gonna say, this comes after, I think, uh, Amazon just posted a really weak earnings, so I think he lost the most anyone's lost in a day, which is over 10 billion, but I'm gonna play devil's advocate here and protect the billionaires for a moment. China have gone through [laughs], a big process of basically getting re- rid of their billionaires. So

Garrett O'Hara: Yeah.

Bradley Sing: ...people like J- Jack Ma and then quite other influential people who kind of, you know, going against what the CCP's mantra is.

And I think, what, and this kind of goes against what I think the dream for a lot of, you know, potentially Chinese people was in the past as well, where you can make it, you b- you can rise up, you can become a really successful person from nothing, but to have the government come in and then destabilize it or not let you go public or effectively silence you.

That doesn't really do good, I think, for the, uh, I guess for- for the dreams or push entrepreneurial spirit forward or, or help with creativity. But it also does highlight that, you know, one of the biggest powers in the world is afraid of really wealthy individuals who have large platforms. And as individuals, we need to very mindful of that as well.

And we probably do need government help and regulation here because otherwise they're just gonna get even more powerful. And you could argue that some of these com- countries are more powerful than small nations which isn't far from the truth.

Garrett O'Hara: Yeah, they a- I mean, they are, and the- the amount of money they have to spend on lawyers and lobbyists is astonishing.

It's jaw-dropping and that's the thing I think. Yeah, there's some, there's some, I mean, and we're getting very political here, but it feels like there's some stuff broken in the system where, I mean, let's be honest [inaudible 00:24:34] for most developed countries that it's kind of bribery for the most part, you pay the lobbyists enough, you, you, away you go, you get your- your policy through, you get your legislation through, time and again. I fee- I find that, you know, the whole lobbying thing, very bizarre. But like, how do you compete with the army of lawyers the big tech will kind of bring to the fight each and every time? So, yeah, I don't know what the solution is, but yeah, we, we need something to change in- in my personal opinion.

Dan McDermott: Wanna just say, Gar, they definitely will bring the lawyers to bear.

And it will be interesting to see how this one plays out, to to see whether, you know, the, the GDPR legislation will stand up and be able to actually hold to to the fine or whether that will be overturned as well in time.

Bradley Sing: And just in case any Amazon lawyers are listening, I'm a lovely Amazon Prime member, and I am a huge fan of Amazon's services.

So just wanted to state that for the record. [laughs].

Dan McDermott: [laughs]. Hope you're not getting splinters sitting on the fence there, Brad.

Garrett O'Hara: [laughs].

Dan McDermott: So, [laughs], Brad, you did mention though on, on Facebook and media, and the last story we wanted to cover today is- is one that is sort of quite disturbing in many ways, in terms of, I guess, you know, the integrity in, in journalism.

And over in New Zealand, we saw a story sort of being produced from information that was sourced via a ransomware attack. And it wasn't just any ransomware attack. It was on a, on a health service. And they got the information apparently off the dark web and have used private information to actually then go and publish a story.

This is a, a can of worms that I don't think anybody really saw coming, but is now here with us, and I think something that needs to be addressed pretty quickly.

Bradley Sing: It's a really interesting one, I think, just because, and I think I we remember the breach, it was the district health boards and I won't try to say that, that part of New Zealand, if- if anyone.

On the, if anyone can help [laughs].

Dan McDermott: Waikato.

Bradley Sing: There you go, Waikato, okay. Waikato district health board, look again, I feel really bad for anybody whose, you know, whose details may have mis- been misused. And I think the big thing here, as well is that the breached data was potentially used for- for marketing, you know, creating marketing content, TV ads, monetizing people's private details effectively.

I think that's a big red flag. And one thing I, I do laud the New Zealand media for is I know with some of the, you know, the terrible shootings and challenges they've had over there, they've, they've never named the gunman behind that publicly. And they've done really well to try and avoid that. And I think that's kind of the same thought process here, right?

Like this is people's personal details and it also comes back to that concept of, okay, well what about things like WikiLeaks and if you know, if we're going out and publishing large troves, but maybe it is to protect the fact that there's a huge misuse of our data going on, where we do need events like this to bring it to light.

But I, I, I, I, I think it's a good step up by the privacy watchdog in New Zealand. And I think that any time people's details like this, especially when it's result of something out of their control, which I think in consent is the big thing here. I think it's uh, absolutely great that it's been raised and probably a little bit poor taste for any media organization to, you know, kind of use those details in that light.

Garrett O'Hara: Kind of reminds me of some of the stuff that happened up in the UK with, you know, the tabloid press, where they were hacking phones. And there was some really kinda, like, I think you used the word grubby or somebody used the word grubby kind of approaches to reporting. And you know, if- if I'm reading the headline right here, it's the state broadcaster that just that leaves me kinda scratching my head again, wondering what the heck, what, like surely there's you know, journalist, like, integrity. There's just basic rules of, of reporting that like what's going on here. They- they would presumably have ethics you know, documented ethics and policy. So yeah, it just, it seems very bizarre that that's happened, but to your point, Dan, be a can of worms, like this is pre- pretty scary that it would just, sort of end up in, in the media.

Bradley Sing: I think it's really bad though, too, because like, this is a breach that a lot of people know about. And if you knew somebody who was, you know, a member or a customer or a patient client of the health board now that you know, that it's really easy to get these people's details off the dark web because a state broadcaster has pretty much said it.

You could potentially go online and find the stuff really easy as well. And I guess that's the thing, right? Like the information is out there. It's just that this is really utilizing it for malicious reasons, which is, I guess, kinda what- what the third actors are doing.

Dan McDermott: Yeah, it's a, an additional threat, isn't it?

Of the use of the data. So it's, it's already, you know, it's been breached, your information has been stolen, it's been, you know, published for goodness knows what reasons on the dark web and, and financial gain from that perspective. But to then feel like, a, like, I guess the breach is happening all over again if it gets used in this sort of way and as you say, Gar, like, it is very like, into, to what's been happening in tabloids in, you know, for a long time, but I think that's the difference is it's that, you know, the tabloid newspapers versus, you know, a, a, a state sort of based publication is, is very different you would normally find.

So I think it also just it points to, you know, I guess where journalism and news is at right that, that-

Garrett O'Hara: Mm [affirmative].

Dan McDermott: ...that notion of, you know, it's so cutthroat and trying to find s- any sort of angle and be able to get ahead of the game because it is, it is so difficult now, right? In a 24 by 7 news cycle when d- things moving so quickly all the time. It's a bit of a sad state of affairs, unfortunately.

Garrett O'Hara: It is, I- I, you've just I've had, there's a, a conversation I had with uh, Gregor [inaudible 00:30:12], who actually was the, you know, the first [inaudible 00:30:14], post, the uh, pod, caught up with him last week. Hey Gregor, if you're listening. But we got chatting about the media and you know, how so I've started buying the newspaper and, you know, the reason there was that I got a little bit sick of, you know, seeing online news and the salacious clickbait headlines, and sort of felt like, actually, it just feels weird. So we had a newspaper delivered. It's lovely. I can sit down with a cup of tea and- and read the paper, get my slippers on. But I- I've noticed that if I look at the online app for the newspaper that I get delivered, the headlines are different.

So they're much more clickbaity when they're online and something I hadn't considered and Dan, you probably have a good insight on this given, given what you do, but Gregor made the comment that you think it's just the online version of the headline, but what if it's actually almost customized on an individual level?

Not just that you're seeing the salacious on- you know, the salacious online headline that everybody sees, but actually you're seeing a version of the headline that somebody's customized based on understanding your profile and then potentially do we get the point where when you're reading an article, you know, the machines have, you know, somehow massaged it into something that is much more you know, it's gonna put push the, what do they call it, the bummer button or the outrage button for you.

And like that's a rabbit hole. But I dunno. Y- you would know that stuff way better than I do.

Dan McDermott: Oh yeah. Beyond my pay grade. That's for sure. But if they're, definitely like that's where, you know, it is possible. Like-

Garrett O'Hara: Yeah.

Dan McDermott: ...it's not beyond the realms of possibility that's for sure. And then, yeah, like you say, it gets back to the notion of integrity. I think that's what has to come to the heart of it. And if that gets broken, then, then these things are possible. They can occur with the rise of technology and everything else that's available. There's no doubting that this could happen. So it is, you know, incumbent upon, I guess again, regulators or others to sort of think about, you know, how do you not allow it to, to occur and how is there some self-regulation in the industry I think is a critical part.

Bradley Sing: J- just on that really quickly as well, before you kind of wrap up. Thinking out loud about platforms and regulators, Sky News got in a lot trouble recently for their COVID-19 uh, misinformation and YouTube banned them for, for, what was it a month or something like a whole month, Sky News-

Garrett O'Hara: Uh, seven days, I think.

Bradley Sing: Yeah. Okay. A- a week. But that's interesting, right, because that was broadcasted on our public television channels or, you know, like you watch during the normal regulations. So it's interesting to see that it's been a tech giant come in and regulate misinformation and not one of our local governing bodies, who would, I guess, effectively designed to regulate the media.

Dan McDermott: It's a complicated world, that's for sure. And definitely like one that we're where we don't want to see, you know, you know, ransomware being used again for another purpose and therefore fueling the continued rise.

So I definitely think there, we've gotta find ways to- to stop all of these things occurring in order to, you know, put a halt to it in one way or another.

Garrett O'Hara: Abacuses and notepads, I keep saying it.

Dan McDermott: [laughs].

Bradley Sing: Can't compromise a notepad. I mean, an abacus, I guess. Or can you?

Dan McDermott: Well, I think on that note, thank you, Brad.

Thank you Gar, for your insights and expert analysis today. And thank you to all our listeners. Gar, who do you have in store for us for next week?

Garrett O'Hara: Next week, we've got uh, Jay Hira, who is of, um Salesforce. So he's the security appliance advisor over there. Guy who's come actually, interestingly he's come through KPMG, IBM [inaudible 00:33:50], EY, so it actually weirdly kinda links into what we were talking about today. And we get into things like APRA CPS 234, value of certification standards and regulations, the critical infrastructure bills. So yeah, a cracking conversation, with Jay.

Dan McDermott: Fantastic. Really looking forward to that. Until then, stay safe.

