Category Archives: YOUR FILES & RECORDS

Yahoo hack: Email accounts of Australian politicians, public figures, police and judges compromised in massive breach, dataset reveals

Yahoo suffers world’s biggest hack with data stolen from ONE BILLION users – including over 150,000 US government and military employees

  • Hackers stole data from more than one billion user accounts in August 2013
  • A different breach from the one disclosed in September, which involved 500 million accounts
  • Stolen info includes names, emails, phone numbers and dates of birth
  • The company still doesn’t know how the data from the accounts was stolen


Key points:

  • Private email addresses, passwords belonging to politicians were obtained by hackers
  • AFP officers, judges and magistrates were also affected
  • Security experts warn the hack has the potential to cause serious embarrassment for officials

Data provided by US security company InfoArmor, which alerted the Department of Defence to the massive data breach last October, reveals more than 3,000 log-in credentials for private Yahoo services were linked to Australian Government email accounts.

InfoArmor, an Arizona-based cybersecurity firm which investigates data theft for law enforcement agencies, said the data was stolen from Yahoo in 2013 by a hacker organisation from Eastern Europe.

It said the hacker group then sold the Yahoo accounts to cyber criminals and a suspected foreign intelligence agency for $US300,000 each.

Yahoo revealed late last year that it believed hackers had stolen data from more than 1 billion user accounts in August 2013, in what is thought to be the largest data breach at an email provider.

A Department of Defence spokesperson confirmed key events to the ABC, including:

  • Defence was notified of the breach last October via an intermediary from NSW Police, two months before Yahoo announced the data breach to the public
  • It then notified its own affected employees of the breach

It remains unclear whether affected staff from other Commonwealth agencies have also been notified by their departments.

The stolen database contains email addresses, passwords, recovery accounts, and other personal identifying data belonging to a startling array of senior Australian officials.

Among those affected were Social Services Minister Christian Porter, Shadow Treasurer Chris Bowen, Victorian Premier Daniel Andrews, Liberal MP Andrew Hastie, opposition health spokesperson Catherine King and Liberal senator Cory Bernardi.

It is unclear how many of the accounts are still active.

The ABC was able to identify officials in the dataset because they had used their government emails as backups if they forgot their passwords.

Last week, the ABC approached each of these affected politicians’ offices, as well as some public servants, seeking confirmation of the authenticity of these log-in credentials. Most declined to do so.

The compromised accounts do not exclusively relate to clients of Yahoo’s email service, but also Yahoo-affiliated web services such as the microblogging site Tumblr and the photo sharing site Flickr.

A spokeswoman for Mr Porter said “as far as the Minister is aware he has never used a Flickr account”.

A spokesperson for Senator Bernardi said “to the best of his knowledge, [Senator Bernardi] doesn’t have a Yahoo account.”

One advisor told the ABC it was possible some accounts linked to politicians were set up by former staffers.

Others who did respond confirmed the log-in credentials are accurate.


Accounts linked to police, judges also compromised

Other government officials compromised include those carrying out sensitive roles such as high-ranking AFP officers, AusTrac money laundering analysts, judges and magistrates, political advisors, and even an employee of the Australian Privacy Commissioner.

“Perhaps records of transactions of purchases, or discussions or things they’ve done. Private conversations that they didn’t want to do on a government server. Perhaps they’ve engaged in some sort of shady activity. Or just expenses for politicians, for example, that they might have tried to keep out of official channels.

“Blackmail information is very valuable to other governments for nudging or persuading people to do things.”

Another challenge facing the Government is how to deal with compromised private accounts belonging to some Australian diplomats and special defence personnel posted overseas. Many of the officials featured in the dataset are employed in roles with security clearances that are intended to be low-profile.

“If I was in a position where my relationship with the government wasn’t to be known by others, then absolutely you shouldn’t be linking a government account to your personal accounts,” Mr MacGibbon said.

Hackers have had years to exploit data

A further problem is the protracted period between the Yahoo data breach itself, which Yahoo dates to August 2013, and its eventual public confirmation by Yahoo more than three years later.

Andrew Komarov, InfoArmor’s chief intelligence officer, said malicious hackers would have had literally years to exploit the users’ data.

“The bad actors had enough time to compromise any records they wanted as it’s a pretty significant time frame,” Mr Komarov said.

“That’s why today it is pretty hard to figure out what exactly happened and how many employees in government could be compromised.”

According to InfoArmor, the hacker group responsible is an Eastern European cyber-criminal organisation motivated by profit, rather than a state-sponsored entity.

“This group has no presence on any forums or marketplaces. In the past they used two proxies: one for the Russian-speaking underground and another one for the English-speaking,” Mr Komarov said.

“They sell their data indirectly using some trusted channels, contacts and proxies. Not through any marketplaces or forums because of their security measures. They don’t need it.

“They have pretty serious contacts in the underground and some trusted rounds of various cybercriminals with whom they work.”


Henry Sapiecha

YAHOO SPIED ON 500M USERS EMAILS REQUESTED BY FEDERAL AGENCIES

Published on 5 Oct 2016

An unsettling report says Yahoo complied with government requests to scan all incoming user emails, and even wrote a special program to do so. Between this news and the massive data breach, how can consumers trust Yahoo with their privacy?


Census: The ABS has been quietly holding on to our names for years

The Bureau of Statistics has been quietly hanging on to the names it collects with the census to conduct studies, despite a public commitment to destroy them.


Australian statistician David Kalisch told Fairfax Media the Bureau had been keeping the names it collected for up to 18 months.

“They’ve done it under the guise of: ‘this is while we are processing the data’,” he said.


David Kalisch says: ‘We are now being more transparent about it’. Photo: Rohan Thomson

“They’ve done linkages, they’ve done other things. What’s happening now is we are being more transparent about it.”

The studies have been conducted despite a commitment on the ABS website that “name and address information will be destroyed once statistical processing has been completed“.

They used the names and addresses on census forms to link the census answers to department of immigration records, to school enrolment records and to the Australian Early Development Index.

The names were destroyed only after the records were linked.

Separately, and without asking for consent, the Bureau has been tracking five per cent of the population (more than one million people) through what it calls the Australian Census Longitudinal Dataset.

It has been using the names on the forms to create “linkage keys”, which enable it to follow respondents over time. Each census, the same name produces the same linkage key, enabling movements to be tracked. Once each key has been created, the name itself has been destroyed. A key cannot be turned back into a name directly, but that protection rests on the derivation being kept secret: names are drawn from a small enough space that anyone who knows the recipe could recompute keys from candidate names and match them against the stored ones.
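To show what that caveat means in practice, here is an added example; it is not ABS code and does not describe the ABS’s actual method. Two constructed census rounds are linked with a deterministic key derived from a normalised name and date of birth. The unkeyed variant can be reversed simply by hashing candidate names; the HMAC variant, keyed with a secret the agency never releases, links the same respondents but gives an outsider nothing to recompute. The normalisation rules and the name-plus-date-of-birth input are assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample respondents (not real census data). The same two people
# appear in both rounds, with cosmetic differences in how the name was written.
CENSUS_2011 = [
    {"name": "Jane  Citizen", "dob": "1980-02-14"},
    {"name": "Ahmed Rahman", "dob": "1975-11-30"},
]
CENSUS_2016 = [
    {"name": "jane citizen", "dob": "1980-02-14"},
    {"name": "Ahmed Rahman", "dob": "1975-11-30"},
    {"name": "New Person", "dob": "1990-01-01"},
]


def normalise(record):
    """Canonicalise name + DOB so casing and spacing differences map to one key (assumed rules)."""
    name = unicodedata.normalize("NFKC", record["name"]).casefold()
    name = " ".join(name.split())  # collapse runs of whitespace
    return f"{name}|{record['dob']}".encode("utf-8")


def unkeyed_linkage_key(record):
    """Naive design: a plain hash of the normalised identity.
    Deterministic, but anyone who knows the recipe can recompute it from a candidate name."""
    return hashlib.sha256(normalise(record)).hexdigest()


def keyed_linkage_key(record, key):
    """Keyed design: HMAC under a secret held only by the agency.
    Still deterministic across rounds, but cannot be recomputed without `key`."""
    return hmac.new(key, normalise(record), hashlib.sha256).hexdigest()


def link_rounds(round_a, round_b, keyfunc):
    """Return the linkage keys present in both rounds (the longitudinal cohort)."""
    return {keyfunc(r) for r in round_a} & {keyfunc(r) for r in round_b}


def reverse_unkeyed(target_key, candidates):
    """Dictionary attack: names and dates of birth are low-entropy, so an unkeyed key
    is recovered by hashing candidates until one matches."""
    for cand in candidates:
        if unkeyed_linkage_key(cand) == target_key:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    cohort = link_rounds(CENSUS_2011, CENSUS_2016, lambda r: keyed_linkage_key(r, key))
    print(len(cohort), "respondents followed across both rounds (keyed)")
    leaked_key = unkeyed_linkage_key(CENSUS_2011[0])
    print("unkeyed key reversed to:", reverse_unkeyed(leaked_key, CENSUS_2016))
    print("keyed key reversed to:", reverse_unkeyed(keyed_linkage_key(CENSUS_2011[0], key), CENSUS_2016))
```

The point of the keyed version is that the linkage property the ABS wants (same person, same key, every census) survives, while the property it does not want (anyone with a name list can rebuild the keys) depends entirely on the HMAC key staying inside the agency.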

“In 2016, I have decided to keep names and addresses for longer,” Mr Kalisch writes in today’s Sydney Morning Herald and Age. “This will enable the ABS to produce statistics on important economic and social areas such as educational outcomes, and measuring outcomes for migrants.”

Labelled by former Australian Statistician Bill McLennan “the most significant invasion of privacy ever perpetrated on Australians by the ABS,” the decision will formalise what was happening informally before Mr Kalisch joined the ABS in 2014. It will extend the period for research using names from 18 months to four years. All names collected will be deleted by August 2020 or when studies have been completed, whichever comes first.


The decision is a retreat from an announcement in December that names and addresses on census forms would be retained indefinitely.

“There are extremely robust safeguards in place to protect the privacy and confidentiality of the information collected in the census, including names and addresses,” Mr Kalisch writes in today’s Fairfax Media publications. “The ABS never has and never will release identifiable census data.”

Kat Lane, vice-chair of the Australian Privacy Foundation, said the real issue wasn’t the ABS security system. It was that there was no justification for tracking or personally identifying Australians.


171 million VK.com [Europe’s largest social network site] accounts stolen by hackers

It’s the latest in a string of historical hacks targeting large social networking sites.


A hacker has obtained 171 million user accounts associated with social networking giant, VK.com.

The stolen database contains full names, email addresses and plain-text passwords, and in many cases locations and phone numbers.

The St. Petersburg, Russia-headquartered social network — formerly known as VKontakte — is said to be the largest in Europe, with over 350 million users at the last count. The hack is thought to have been carried out in late-2012 or early 2013, but the hacker who is selling the data could not be more precise.

Given the timing, the entire store of VK’s data — which at the time had just under 190 million users — is likely to have been taken in the hack.

The hacker is now selling a smaller portion of the database — 100 million accounts, which is a little over 17 gigabytes in size — on a dark web marketplace for 1 bitcoin, or about $580 at the time of writing.

That same for-sale database was provided to ZDNet for verification.


We examined the database that was provided by searching a selection of names in VK’s public search engine — many of which turned up valid results. We reached out to many of these via email (which were listed in the breach) for confirmation, but didn’t immediately hear back — we will update the story if that changes. A handful of queries returned nothing, indicating a user was no longer a member or had deactivated their account.

LeakedSource.com, a search engine that records breaches and allows users to search their details, also obtained a portion of the database — albeit a smaller data set of about 100 million records.

The most common password was “123456,” in line with other breaches. Given the social network’s predominance in Russia, LeakedSource.com also found that the most common email domain was mail.ru, which may not be a coincidence, since VK.com was bought by the Mail.ru group in 2014. That led to the ousting of the company’s founder, Pavel Durov, who later fled Russia amid a shake-up of the country’s media laws. Durov later founded the encrypted chat app Telegram.

For its part, VK.com said in an email on Monday that it “hasn’t been hacked.”

“We are talking about old logins / passwords that had been collected by fraudsters in 2011-2012. All users’ data mentioned in this database was changed compulsorily,” said a spokesperson. “Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password.”

An email to Durov on Sunday went unreturned.

Correction: an earlier version of this story had a headline which suggested that 171 million user accounts are up for sale, when in fact a smaller 100 million database was put up for sale. We regret the error.


Hacker places over 50 million file sharing accounts for sale on dark web

The recently-defunct IT company was once the third-largest music and video file sharing service in the US.


User accounts for iMesh, a now defunct file sharing service, are for sale on the dark web.

The New York-based music and video sharing company was a peer-to-peer service, which rose to fame in the file sharing era of the early-2000s, riding the waves of the aftermath of the “dotcom” boom. After the Recording Industry Association of America (RIAA) sued the company in 2003 for encouraging copyright infringement, the company was given status as the first “approved” peer-to-peer service.

At its peak in 2009, the service became the third-largest service in the US. But last month, iMesh unexpectedly shut down after more than a decade in business.

LeakedSource, a breach notification site that allows users to see if their details have been leaked, has obtained the database.

The group’s analysis of the database shows it contains a little over 51 million accounts.

The database, of which a portion was shared with ZDNet for verification, contains user information that dates back to late-2005 when the site launched, including email addresses, passwords (hashed with MD5 and salted; MD5 is a fast hash, so even salted MD5 hashes can be brute-forced cheaply on modern hardware), usernames, a user’s location and IP address, registration date, and other information, such as whether the account is disabled or has inbox messages.

LeakedSource said in a blog post that iMesh was likely breached in September 2013, based on the most recent records in the database.

imesh-screen-shot image www.intelagencies.com

In a message on Saturday, one of the group members said that “someone obviously hacked” the site, but did not speculate on who was responsible. “Who knows who really did it,” the person said.

For its part, the company’s chief operating officer Roi Zemmer said in an email that the company “is not aware of any hacks” and “is currently using state of the art technology to protect users’ info.”

After repeated requests, Zemmer did not confirm whether or not a sample of the database we sent him, which was provided by LeakedSource, was valid. Zemmer did not outright deny that the company had been hacked.

Attempts to follow up with Zemmer over the weekend went unanswered.

Given that the service is no longer operational, it’s difficult to verify the data. We reached out by email to a number of those who most recently joined the service (whose addresses were listed in the breach) for confirmation, but we didn’t immediately hear back over the weekend. (We will update the story if that changes.)

What made the verification process more challenging is what appeared to be a considerable drop in user numbers in the site’s later years, based on LeakedSource’s analysis of the data. The service reached a peak of 9.4 million new users in 2009, but its growth had slowed to just 2.5 million new users by 2013 when the hack is said to have been carried out.

As many as 13 million accounts are from the US, with millions more from the UK and Europe.

The data is now up for sale on the dark web.

The hacker and seller who goes by the name “Peace,” who made a name for himself selling stolen data from Fling, LinkedIn, Badoo, and VK.com, also obtained a copy of the database — now thought to be in wide circulation among the hacker community.

In an encrypted chat, Peace confirmed that he is now selling the database on a dark web marketplace for 1 bitcoin, or about $590 at the time of writing.


Hacker claims to be selling millions of Twitter account details

The hacker has links to the MySpace, LinkedIn, & Tumblr “mega breaches.”


A hacker, who has links to the recent MySpace, LinkedIn, and Tumblr data breaches, is claiming another major tech scalp — this time, it’s said to be millions of Twitter accounts.

A Russian seller, who goes by the name Tessa88, claimed in an encrypted chat on Tuesday to have obtained the database, which includes email addresses (and sometimes two per person), usernames, and plain-text passwords.

Tessa88 is selling the cache for 10 bitcoins, or about $5,820 at the time of writing.

The seller said they obtained 379 million accounts as early as 2015. That would be far more than its 310 million monthly active users, but could account for cumulative accounts, such as inactive users.

An analysis of the database by LeakedSource, a breach notification site which received the database from the seller on Wednesday, showed there are in fact over 32 million purported accounts in the database, after duplicates were removed.

LeakedSource said in a blog post that it was unlikely that Twitter was breached, and pointed to malware as the culprit.

“The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” the blog post said.

The group said it was able to verify the passwords associated with 15 users. LeakedSource shared a portion of the database with me. Two colleagues whose email addresses were in the database were able to verify their password. A third colleague said they had not used the email address found in the database to join Twitter.

LeakedSource said that the passwords were likely “stolen directly from consumers, therefore they are in plaintext with no encryption or hashing.” The group said it did not believe that Twitter stored data in plain-text at the time the data was taken, thought to be around 2014.

“These credentials however are real and valid,” said the group. “The lesson here? It’s not just companies that can be hacked, users need to be careful too.”

As we’ve seen in recent data breaches, the most common password was “123456,” with the third and fourth password being “qwerty” and “password” respectively.

A Twitter spokesperson said in prepared statement: “We are confident that these usernames and credentials were not obtained by a Twitter data breach — our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”

In a recent tweet, the company also said that it periodically checks its data against recent password leaks to ensure that accounts stay secure.
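What “checking our data against recent password leaks” can look like on the defender’s side, as an added example that is not Twitter’s code: a site holding only salted PBKDF2 hashes takes a constructed leak of (email, plaintext) pairs, re-derives its own hash for each leaked plaintext whose email belongs to a member, and flags exact matches for a forced reset. The member list, the leak contents and the PBKDF2 parameters are all assumptions; the leaked plaintexts are used only for the comparison and never stored.

```python
import hashlib
import hmac
import os

# Constructed leak as it would circulate: (email, plaintext). Not real data.
LEAK = [
    ("alice@example.com", "123456"),
    ("Bob@Example.com", "qwerty"),
    ("eve@example.com", "notauser"),
]

# Constructed member list used only to build the site's own hashed store.
USERS = [
    ("alice@example.com", "123456"),      # reused the leaked password here
    ("bob@example.com", "S3cure!pass"),   # in the leak, but with a different password
    ("carol@example.com", "qwerty"),      # weak, but not in this leak
]

# Assumed parameters; a production store would use a tuned cost and per-user salts.
ITERATIONS = 100_000


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, the only form in which the site keeps passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_store(users):
    """Build {email: (salt, hash)} with a fresh random salt per user."""
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def users_reusing_leaked_passwords(store, leak):
    """For each leaked pair whose email is a member, re-derive our hash from the
    leaked plaintext under that user's salt. A match means the member reused the
    leaked password on this site and should be forced to reset. Non-members are
    skipped, and the comparison is constant-time."""
    hits = []
    for email, leaked_password in leak:
        record = store.get(email.lower())
        if record is None:
            continue
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            hits.append(email.lower())
    return hits


if __name__ == "__main__":
    store = make_store(USERS)
    for email in users_reusing_leaked_passwords(store, LEAK):
        print(f"force password reset: {email}")
```

Because the site never held the plaintext, the check costs one PBKDF2 derivation per leaked member rather than a full re-hash of the user base, and it catches exactly the case the leak makes dangerous: the same password at the same email on two sites.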

Given the high-profile Twitter account takeovers in recent days — which included Facebook co-founder Mark Zuckerberg — it would be an easy assumption to make that Twitter had been hacked.

But Zuckerberg’s account was not in the database obtained by LeakedSource, the blog post said.

The hackers who took over Zuckerberg’s account said at the time they acquired his “dadada” password from the LinkedIn breach.

When asked, a LinkedIn spokesperson declined to comment, pointed to a recently-updated company blog post, but ruled out any new breach, and advised users to change any re-used passwords on other sites.


MySpace hackers place another 427 million passwords up for sale

Password theft should make victims change credentials they have re-used for other sites.


In another haunting hack from the past, Time Inc. has confirmed the theft of 427 million passwords from MySpace, the aging social networking site the media company acquired just three months ago.

The records were offered for sale on the dark web by the same hacker who posted for sale a trove of 117 million stolen LinkedIn passwords nearly two weeks ago. The posted price for MySpace credentials is 6 bitcoins or about $3,200 at today’s rate.

The MySpace incident is tied to a June 11, 2013 hack, according to LeakedSource, while the LinkedIn episode dated back to 2012. LeakedSource is the same web site that confirmed the LinkedIn theft.

The important similarity of these dated incidents lies in the fact that hackers could use these recently posted stolen passwords to break into current accounts of victims who re-use passwords across many sites, including banking and health services.

The recent 2016 Verizon Data Breach Investigation Report showed that 63% of confirmed data breaches involved weak, default or stolen passwords.

Social media users made light of the aging passwords, including Paul Hosford, a reporter with the Irish news site thejournal, who asked: “If MySpace hackers have managed to get hold of my password, can they tell me what it is?”

But even past its prime, MySpace reports today 50 million visitors per month. On its blog, MySpace said the stolen passwords have been inactivated on its site, and it encouraged users to set new passwords on accounts where they used the same or similar password from their MySpace account.

LeakedSource reported that the MySpace passwords were stored as unsalted SHA-1 hashes. Salting would have made cracking them at scale far harder: without it, every user who chose the same password shares the same hash, so a single precomputed table recovers all of them at once. MySpace confirmed the stolen data included user login data “from a portion of accounts that were created prior to June 11, 2013.”
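The difference between the iMesh store described earlier on this page (salted MD5) and the unsalted SHA-1 MySpace store is easiest to see by cracking both. The following is an added example, not code from either company or from LeakedSource, run against a constructed wordlist and four invented users: an unsalted store falls to one lookup table built with a single pass over the wordlist, a salted MD5 store costs one hash per user per candidate but each hash takes microseconds, and the same salted scheme under a memory-hard function (scrypt, with assumed parameters) turns that per-user cost into something an attacker actually feels.

```python
import hashlib
import os
import time

# Constructed wordlist and users (not leak data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "correcthorse"]
USERS = [("alice", "123456"), ("bob", "password"), ("carol", "123456"), ("dave", "xK9#v!Qp2m")]


def sha1_unsalted(password):
    """MySpace-style storage: plain SHA-1, same password -> same hash for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def md5_salted(password, salt):
    """iMesh-style storage: per-user salt, but a fast hash."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def scrypt_salted(password, salt):
    """Same salting, memory-hard KDF (parameters assumed for the demo)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1).hex()


def build_stores(users):
    """Return the three stores a site might hold for the same users."""
    unsalted, md5_store, scrypt_store = {}, [], []
    for user, password in users:
        salt = os.urandom(16)
        unsalted[user] = sha1_unsalted(password)
        md5_store.append((user, salt, md5_salted(password, salt)))
        scrypt_store.append((user, salt, scrypt_salted(password, salt)))
    return unsalted, md5_store, scrypt_store


def crack_unsalted(store, wordlist):
    """One table serves every user: the attacker hashes each candidate exactly once,
    however many accounts are in the dump. Returns (user -> password, hash evaluations)."""
    table = {sha1_unsalted(w): w for w in wordlist}
    found = {user: table[h] for user, h in store.items() if h in table}
    return found, len(wordlist)


def crack_salted(records, wordlist, hashfunc):
    """Salting forces per-user work: every candidate is re-hashed under each user's salt.
    Cheap when hashfunc is MD5, expensive when it is scrypt."""
    found, evaluations = {}, 0
    for user, salt, h in records:
        for w in wordlist:
            evaluations += 1
            if hashfunc(w, salt) == h:
                found[user] = w
                break
    return found, evaluations


def seconds_per_hash(hashfunc, rounds=20):
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hashfunc("benchmark", salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    unsalted, md5_store, scrypt_store = build_stores(USERS)
    print("unsalted SHA-1:", crack_unsalted(unsalted, WORDLIST))
    print("salted MD5:    ", crack_salted(md5_store, WORDLIST, md5_salted))
    print("salted scrypt: ", crack_salted(scrypt_store, WORDLIST, scrypt_salted))
    print(f"MD5 {seconds_per_hash(md5_salted):.2e} s/hash, scrypt {seconds_per_hash(scrypt_salted):.2e} s/hash")
```

All three stores give up the same three weak passwords; the lesson is in the evaluation counts and the per-hash cost. Unsalted SHA-1 is cracked with six hashes regardless of how many million accounts are in the dump, salted MD5 needs ten but each is negligible, and only the scrypt store makes every extra user cost the attacker real time and memory.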

Time Inc., which owns titles such as Fortune and Sports Illustrated, acquired MySpace when it bought parent company Viant Technology in February. Terms of the deal were not disclosed, but at the time Time Inc. chairman and CEO Joe Ripp said, “This acquisition is game changing for us.” Today, the change seems to be dealing with a major hack of private account data.

Since its heyday early in this century as the world’s largest social media site, MySpace was acquired in 2005 by News Corp. for $580 million and again in 2011 for $35 million by Justin Timberlake and Specific Media Group.


“Skynet” is for real, and may flag you as a terrorist

National security


A scene from “Terminator.” (Screenshot: Warner Bros. via CNET/CBS Interactive)

It may not be quite the self-aware computer network that takes over millions of computers and machines, but “Skynet” is real.

Documents published by The Intercept, leaked by NSA whistleblower Edward Snowden, confirm that the Skynet program exists — at least in name only. Its name comes from the intelligent computer defense system in the “Terminator” films, which later destroys most of humanity in a nuclear apocalypse.

The National Security Agency program analyzes location and metadata from phone records to detect potentially suspicious patterns, according to the publication. In one example, it was used to identify people that act as couriers between al-Qaeda leadership. (This may have been the program that helped identify Osama bin Laden’s courier, leading to his targeted killing in Pakistan by US forces in 2011.)

According to one of the documents, it uses “behavior-based analytics,” such as low-use phones that only take incoming calls, SIM card or handset swapping, or frequent disconnections from the phone network (such as powering down cellphones). Also, repeated trips mapped out by location data, including visits to other countries or airports, can flag a person as being suspicious — or a potential terrorist.

More than 55 million cell records collected from major Pakistani telecom companies were fed into the Skynet system to determine targets of interest, the document said.

But questions remain around why the program flagged a prominent Al Jazeera journalist as a “member” of al-Qaeda. It’s probably not a surprise that the system alerted on Ahmad Muaffaq Zaidan, a Syrian national, based on his frequent travel between Afghanistan and Pakistan. But the fact that it identified him as a member of a terrorist group is a mystery, as well as a great concern.
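The behaviour-based rules described above can be run over call and location records to see both why such a system flags an obvious outlier and why it can also flag a journalist. This is an added example, not the NSA’s model: the records are constructed, the six features follow the list in the leaked document (incoming-only use, low use, SIM swap, handset swap, frequent detaches, border crossings), and the weights and threshold are invented. Subscriber A matches every tradecraft indicator; B is an ordinary phone; J makes normal two-way calls and swaps nothing, and is pushed over the threshold purely by commuting between Pakistan and Afghanistan.

```python
import csv
import io
from collections import defaultdict

# Constructed call/location records (not real telecom data).
# Columns: subscriber, timestamp, event, SIM identity, handset identity, country of cell.
RECORDS = """\
sub,ts,event,imsi,imei,country
A,2014-01-01T09:00,call_in,IMSI-1,IMEI-1,PK
A,2014-01-03T10:00,call_in,IMSI-1,IMEI-1,PK
A,2014-01-05T11:00,detach,IMSI-1,IMEI-1,PK
A,2014-01-08T12:00,call_in,IMSI-2,IMEI-1,PK
A,2014-01-10T12:00,detach,IMSI-2,IMEI-1,PK
A,2014-01-11T12:00,call_in,IMSI-2,IMEI-2,PK
A,2014-01-14T12:00,detach,IMSI-2,IMEI-2,PK
B,2014-01-01T08:00,call_out,IMSI-3,IMEI-3,PK
B,2014-01-01T18:00,call_in,IMSI-3,IMEI-3,PK
B,2014-01-02T08:00,call_out,IMSI-3,IMEI-3,PK
B,2014-01-02T19:00,call_in,IMSI-3,IMEI-3,PK
B,2014-01-03T08:00,call_out,IMSI-3,IMEI-3,PK
B,2014-01-03T20:00,call_in,IMSI-3,IMEI-3,PK
J,2014-01-01T08:00,call_out,IMSI-4,IMEI-4,PK
J,2014-01-02T08:00,call_in,IMSI-4,IMEI-4,AF
J,2014-01-03T08:00,call_out,IMSI-4,IMEI-4,PK
J,2014-01-04T08:00,call_in,IMSI-4,IMEI-4,AF
J,2014-01-05T08:00,call_out,IMSI-4,IMEI-4,PK
J,2014-01-06T08:00,call_in,IMSI-4,IMEI-4,AF
"""

# Invented weights. Boolean features count once; border crossings count per crossing.
WEIGHTS = {
    "incoming_only": 3,
    "low_use": 1,
    "sim_swap": 2,
    "handset_swap": 2,
    "frequent_detach": 2,
    "border_crossings": 1,
}


def extract_features(text):
    """Per-subscriber features modelled on the behaviours the document lists."""
    by_sub = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        by_sub[row["sub"]].append(row)
    features = {}
    for sub, rows in by_sub.items():
        rows.sort(key=lambda r: r["ts"])  # ISO timestamps sort lexically
        calls = [r for r in rows if r["event"].startswith("call")]
        incoming = sum(r["event"] == "call_in" for r in calls)
        countries = [r["country"] for r in rows]
        features[sub] = {
            "calls": len(calls),
            "incoming_only": len(calls) > 0 and incoming == len(calls),
            "low_use": len(calls) <= 4,
            "sim_swap": len({r["imsi"] for r in rows}) > 1,
            "handset_swap": len({r["imei"] for r in rows}) > 1,
            "frequent_detach": sum(r["event"] == "detach" for r in rows) >= 3,
            "border_crossings": sum(a != b for a, b in zip(countries, countries[1:])),
        }
    return features


def score(features):
    """Weighted sum; int() turns booleans into 0/1 and leaves counts as they are."""
    return sum(weight * int(features[name]) for name, weight in WEIGHTS.items())


def flag_subscribers(text, threshold=5):
    """Return {subscriber: (score, reasons)} for everyone at or above the threshold."""
    flagged = {}
    for sub, feats in extract_features(text).items():
        s = score(feats)
        if s >= threshold:
            flagged[sub] = (s, [name for name in WEIGHTS if feats[name]])
    return flagged


if __name__ == "__main__":
    for sub, (s, reasons) in flag_subscribers(RECORDS).items():
        print(f"{sub}: score {s}, reasons {reasons}")
```

A is flagged for the stacked indicators the document describes; J is flagged on a single feature, repeated travel, which is exactly the pattern a correspondent covering both countries produces. A score is a ranking hint for an analyst, and the example shows why a label as strong as “member” cannot be read off it.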

Zaidan “absolutely” denied that he is a member of al-Qaeda, and criticized the US government’s “attempt at using questionable techniques to target our journalists.”


Inside the global terror watch-list that secretly shadows millions

The database contains profiles on millions of “heightened-risk individuals,” and is used by dozens of leading banks, governments, and spy agencies


Thomson Reuters building in Times Square, New York. (Image: file photo)

There is a private intelligence database, packed full of personal details of millions of “heightened-risk” individuals, which is secretly having a devastating effect on those who are on it. Most have no idea they’re under the watchful gaze of some of the world’s largest and most powerful organizations, governments, and intelligence agencies.

But for all its worth and value, it was not kept nearly secure enough.

A copy of the database, dating back to mid-2014, was found on an unsecured server hosted by a London-based compliance company, which specializes in “know your customer” profiling and anti-money laundering services.

Chris Vickery, a security researcher at MacKeeper, who found the database, told me that it was stored on a server configured for public access.

This influential yet entirely unregulated database, called World-Check, lists over 2.2 million corporations, charities and individuals, some notable, like politicians and senior government officials, which might be connected to illegal activities such as sanctions violations or financial mismanagement.

Some have been pinned under the database’s “terrorism” category, or are thought to be connected to financing violence.

This data could affect a person’s ability to be lent money by a bank, their employment opportunities, and even influence the people who do business with them — simply based on a designation.

Word of the database first widely emerged earlier this year when Vice News disclosed the existence of the project. It said the database was “secretly wielding power over the lives of millions” who are said to have “hidden risk,” such as those who are violating sanctions or have laundered money or a connection to criminals — which has been linked to account closures and bank blacklisting. As the news site pointed out, simply being a high-profile individual can label someone at risk of bribery.

The report said the database now has over 2.7 million entries — including over 93,000 records relating to those associated with terrorism.

No wonder it’s popular with law enforcement agencies and government departments, which subscribe to the database in an effort to uncover potentially improper conduct. Most of the world’s largest banks and law firms, and over 300 government and intelligence agencies, are subscribers, according to a 2015 sales document from its owner, information and finance giant Thomson Reuters, which bought the company in 2011 for $530 million.

Because of the sensitivity of the data, access is limited to a few thousand customers, which have been carefully vetted and are bound by secrecy and non-disclosure agreements.

Vickery reported the leak to Thomson Reuters, but he still went public in an effort to spark a debate on whether these profiling databases are being run appropriately.

“If governments and banks are going to alter lives based upon information in a database like this, then there needs to be some sort of oversight,” he said in an email.

The problem is, there isn’t.

Vickery shared access to the database with ZDNet.

Each profile lists a person’s potential risks such as “narcotics” or “terrorism,” “organized crime,” or “politically exposed person.” Given the list’s potential power to alter a person’s opportunities, many would not approve of their name being on it.

Take one example. Maajid Nawaz ran for the British parliament as a Liberal Democrat in the last election, as profiled by Vice. He is a former member of the radical Islamic group Hizb ut-Tahrir, which calls for its own Islamic state. He was detained in Egypt for five years, but is best known for his publicized and well-documented transition away from radical views. He later set up a think-tank dedicated to challenging the extremist narrative, and advised former prime ministers from Tony Blair onwards on Islamic extremism. And yet his World-Check profile, created in 2002 and updated as recently as August 2013, still carries a “terrorism” tag despite “no further information recorded,” let alone any connection to extremists or terrorists.


He called the database “archaic,” and said that the inclusion of his name has had a “material impact” on his life.

It’s not just individuals who are designated as terrorism affiliates despite equally public data suggesting the contrary.

A BBC investigation last year showed the process behind banking giant HSBC’s bid to shut down accounts associated with several prominent British Muslims. A mosque in North London was given a “terrorism” label, despite new management that was installed more than a decade ago.

Other names in the database include diplomats and ambassadors, and senior ranking officials associated with global financial institutes, such as the World Bank, as was previously reported.

Based on how profiles are built, potentially anyone with an internet footprint could be included.

Much of the data comes from law enforcement sources, political information, articles, blog posts, and social media, among other sources. From the records we looked at, the data would often contain names, locations, dates of birth and details of education, but in some cases social security numbers, citizenship details and passport numbers were also included.

The profiles themselves often have little or no justification for the entry. From our searches, we found high ranking global government officials who were named in the files yet there was no visible or clear justification for why they were there. In most cases there were just a handful of external links to publicly available documents, like speeches, election results or pages linking to official government websites for justification of their presence.

Many of the “reports” list a person’s risk as “to be determined,” suggesting there were no improprieties, illegal activities, or even an apparent reason for a profile, except for their status as a public figure.

The database we examined is two years old, and the records may have changed since, however.

A spokesperson for Thomson Reuters didn’t specifically respond to a question in relation to how profiles are built, vetted, or designated, but pointed me to the World Check privacy policy, which reiterates its effort to get data based on information in the public domain.

This entire market of “know your customer” and profiling remains unregulated and ungoverned — despite being used by some of the most powerful countries and organizations today. This industry is growing at a rapid rate — some say by over $30 billion by the start of the next decade. Even though the service has to stand up to strict European and UK data protection rules, a lack of public scrutiny and accountability makes that task almost impossible.

Those who are named in the database have little or no recourse to have their data corrected or removed.

In Nawaz’s case, Thomson Reuters reportedly removed his profile earlier this year. But given that the contents of the database are shrouded in secrecy, not everyone will have the same luck, let alone know they’re on a database in the first place.

SDNN
Henry Sapiecha

We should widen protection for whistleblowers and offer financial rewards, say supporters

Whistleblowers have long suffered from limited protection.

The limitations of legislation, in Australia and overseas, have become more apparent in the wake of the Panama Papers, Swiss Leaks and Lux Leaks. All were based on revelations of wrongdoing from individual whistleblowers, not tax authorities.

Bradley Birkenfeld, a former banker, received $104 million from the US Treasury for exposing a multi-billion dollar tax fraud by Swiss investment bank UBS and other institutions.

In the May budget the Turnbull government, under public pressure to take a tougher stance against tax dodging, announced it would introduce whistleblower protection for people who disclose information about tax misconduct to the Australian Taxation Office.

The Corporations Act already has some protection for those who make disclosures to corporate watchdog ASIC, but it is limited and does not apply to tax misconduct information given to the ATO.

‘John Doe’, the anonymous source who handed German newspaper Süddeutsche Zeitung internal data belonging to the Panamanian law firm Mossack Fonseca, wants whistleblowers to have immunity from government retribution.

“Whistleblowers will have their identity protected and will be protected from victimisation and civil and criminal action for disclosing information to the ATO,” the headline government announcement said, without offering detail about how such a scheme would work.

Those who speak out face threats

Transparency International says despite their critical role in uncovering corruption and other malpractice, “too often people who speak up in the public interest face threats, intimidation and lawsuits”.

‘John Doe’ – the anonymous source who handed German newspaper Süddeutsche Zeitung (and in turn the International Consortium of Investigative Journalists) internal data belonging to the Panamanian law firm Mossack Fonseca – called, in a manifesto released earlier this year, for whistleblowers to be given immunity from government retribution.

“Until governments codify legal protections for whistleblowers into law, enforcement agencies will simply have to depend on their own resources or on-going global media coverage for documents,” he wrote.

Jeff Morris blew the whistle at CBA.

Bradley Birkenfeld, who was awarded $US104 million in September 2012 for information that led to US authorities chasing down Swiss bank UBS and other banks facilitating tax evasion, has previously expressed similar sentiments.

Birkenfeld, who himself served prison time for his crimes, said: “If whistleblowers are afraid to bring information to the authorities for fear of prosecution, they will stay silent, bank secrecy will continue, and illegal offshore tax havens will operate free of scrutiny, taking money out of taxpayers’ pockets, and making the super-rich even wealthier.”

Antoine Deltour is now on trial for “stealing” and leaking documents about how Luxembourg granted secret “sweetheart” tax deals to multinationals including Apple and IKEA (the French journalist Edouard Perrin, to whom Deltour leaked, is also on trial), but at his trial he said it was a “necessary evil”.

Beefing up the Corporations Act

Closer to home there’s also been discussion about how to beef up the Corporations Act to improve protection for whistleblowers.

Jeff Morris, who exposed the Commonwealth Financial Planning Limited scandal reported by Fairfax Media, told a recent Senate hearing that Australia needed a scheme, similar to that in the United States, where whistleblowers who disclose corporate misconduct get rewarded.

He says when he took the allegations against CBA to ASIC in 2010, he was told, in as many words, ‘Thanks for sacrificing yourself.’ “[He was] just being frank about the limitations of the whistleblower protections,” Morris said. “The whistleblower protections basically, as he said, [are] not worth much.”

The Senate Economics References Committee has released a paper calling for greater protection for local whistleblowers, including protection for those who come forward anonymously. The government has noted its suggestions, but as yet, has not made any changes.

A.J. Brown, Griffith University’s leader for Public Integrity & Anti-Corruption in the Centre for Governance and Public Policy, who has worked with regulators including ASIC on how to improve protection for whistleblowers, says that the level currently offered under the Corporations Act is inadequate.

He welcomes the budget announcement, but hopes it is not just a “thought bubble” that results in no useful policy. “The question the government should be asking is: ‘Is there a way of doing this that encourages people to cover all types of information, not just tax misconduct?’” he says.

Rewarding whistleblowers

He also wants financial rewards for whistleblowers who give information that leads to prosecutions. In the United States, under the Internal Revenue Code, a whistleblower can receive 15 per cent to 30 per cent of the amount collected by the IRS.

Maurice Blackburn lawyer Josh Bornstein says a reward system would increase the chance of people coming forward. “If we are to improve corporate culture, whistleblowers should be rewarded and seen to be rewarded,” he says.

Tax Justice Network spokesman Mark Zirnsak says that since 2008 the IRS has recovered $4 billion through whistleblowers exposing tax evasion. “Whistleblower protection and reward should also apply to other forms of corporate wrongdoing, such as bribery, fraud and embezzlement,” he says.

But not everyone is supportive of a reward system. Herbert Smith Freehills partner Andrew Eastwood says rewards leave a “real risk that you may in fact be rewarding people who were in some way involved in the misconduct”. But he does support greater protection for whistleblowers under the Corporations Act.

Chartered Accountant’s tax leader Michael Croker also warns that “whistleblowers will not always have clean hands and immunity, or reduced sentences, become an issue in such cases”. Nevertheless, he says there are elements of the US model, including specialist IRS teams that deal with whistleblowers, that Australia may be able to adopt.

Professor A.J. Brown says the government has a real opportunity to revamp legislation to give genuine protection to whistleblowers. “If it’s not done properly, it ends up being window-dressing. That’s what we need to avoid.”

Henry Sapiecha