I won more Japanese Toys – Crane Master a.k.a. Claw Machine Master

A few years back, I got into online crane games from a company called Toreba, and of course blogged about it (that wasn’t a sponsored post, and nor is this – I’ve received nothing from them beyond what any other player would have).

I hadn’t really done it since, up until isolation was thrust upon us. I wondered if there were other crane games around, or if Toreba had changed.

Toreba itself wasn’t much different, but it seemed reasonably difficult to win at. I searched the Google Play store and tried a few others I could find, but didn’t really like any of them – until I found Crane Master/Claw Machine Master by a company called Cremas (links for Google Play and iOS app).

I did want to try Sega’s version of this which has launched in the U.S., but isn’t out in Australia yet. Maybe that’ll be released here soon.

Back on Cremas – although there’s a bit of broken English and the occasional Japanese writing instead of English, overall it’s pretty good and makes enough sense to work out what’s going on.

After deciding I actually liked this one, I spent a fair bit of time working out how it all functioned. There’s a bunch of different games and different methods of winning – some are skills based requiring several turns to win, others are much more random – but I gradually got better at working out what I could win and when.

The lure of winning a bunch of Japanese items; toys, food and gadgets is strong. The price to play isn’t cheap, but as long as you load up enough money, delivery is free for whatever you win once a week. To give an idea on the cost – if you load up 5000 yen (about $75AU) (the minimum to get a free delivery) each point costs a bit under 2 cents Australian. A single game can cost anywhere from 77 to 777 (rare) with most games in the 100-250 range. That makes each turn on a 77 credit game cost ~$1.30AU and a 250 credit game cost ~$4.50.

A few weeks of playing and getting some prizes, I requested shipping and had two boxes turn up full of interesting goodies:

Some of the notable things so far; a Chain Chomp from Mario, a weird bath fishing set, and snacks that are half science experiment – dissolving powder into liquids, then combining and creating weird jelly balls. Chocco pies were tasty, as were the cream collon snacks I had to win purely based on name.

The things I liked about Cremas were that overall it seemed like they were trying hard to make this work and give people a good experience. They have constant promotions of giving away free turns and points, promotions that when you win something someone might give you a thumbs up – you have to link them your thumbs up video and just get bonus points for spotting it. They also actually assist you to win; I was stuck a few times and they’d reposition a box, refill up pingpong balls or do something to get you there. Support is really nice too.

Here’s some videos of my actual wins. I’ve used a video for each type of game they have and I’ll explain it and give some tips. This isn’t the full set of games they have either, there’s even more I keep discovering.

This one requires you to roll the ball with the crane arms from the left side to the right side, as the poles it’s resting on become wider. Once you get it far enough to the right, then you can use the arm to push it down. Once it’s through, you win. This one is more strategy and takes several turns, but you’ll be able to get your prize if you know what you’re doing. I got a thumbs up at the end so had to contact support to get some free bonus credits :)
This one grabs a bunch of ping pong balls and drops them – if one stops in the white hole, you win. Really random, and often none of the balls at all will drop in a hole. Good for a free shot as you have a chance of getting it in one turn. This particular shot I’ve only ever had happen once, where I knocked a ball I didn’t even pick up into the white hole, it still counts.
Fairly luck driven, pick a spot to try and grab as many plastic rings as you can and hope they land on one of the cones. Doesn’t really matter how many times you play, it doesn’t seem to improve your chances.
Probably my favorite game – completely random and always a chance of winning each time. Have a look at how many balls were in this one though, huge amount of shots before it won (not all me!). Keep an eye out for how the plastic clear ring is around the hole pan, if there’s a gap the balls can fall through and it’s a lot harder to win.
I haven’t seen this game since I played this, and I won it in 2 shots. Don’t really know what I did right! Lucky bounce I think.
Another pure random game, took several shots to win. The ball has to go through the white hole in each 3 levels to win. Usually it rolls around a bit more, but this turn it just went straight through the 3 white holes.
An example of where the plastic isn’t tightly around the hole pan and a bunch of ping pong balls have got stuck. If you have a shot and the ball goes down there, it’s much harder to win.
This one took me a while to work out. Each time the box is picked up and dropped, a bit more slack is given to the line holding up the box. Another thumbs up :)
Purely luck, if the ball happens to bounce the right way and get past that lower green bar, you win. Usually a cheap game and worth a few shots if you like the prize. When picking up the ball, make sure you don’t go too far to the right or you’ll hit the barrier and not pick the ball up at all.
Yet another pure luck game, if it goes in the red hole, you win… simple.
One of the most common games you’ll see, and requires a fair bit of skill and understanding to get right. Watch this sort of game a lot to see how the object can be manipulated. It’s often a case of getting it into this position and then picking up and dropping it until it eventually angles the right way. You’re not going to 1 shot, or even 4 shot this.
A skill one, and you’ll gradually need to push the item with a very low centre of gravity off the ledge. Takes several shots at least, but can be very hard to tell how to knock it off.

General hints – if you’re watching someone play and they’re making progress to winning, and you want the prize – reserve. It doesn’t cost anything and you don’t have to play if they give up and it’s your turn, but they might leave when they’ve run out of money and it’s easily winnable. Reserve early and often.

Most games aren’t designed to be won in 1 shot, unless you get really lucky. When looking through games you might find one that’s half done, or a bunch of ping pong balls are already played – this increases your chances of winning.

Log in a few times a day to get a bonus just for logging in – points and/or a free shot.

Log a support ticket if something goes wrong (like a game gets stuck, or you played a game that was already won), and tick which video shows it (every play is recorded). They’re quite good at giving you back what you’re owed, I’ve never had a problem.

Don’t spend too much – set yourself a budget and stick to it. Come back another day when you’ll probably get a good bonus on your first win for the day. If you spend more than you want, you probably need to stop playing altogether. This is for fun and you’ll be way behind on what you’ll spend vs the prizes you’d get – find an online Japanese shop if you just want to find cool Japanese items, or get a Japan Crate.

2 Million Views Giveaway

That’s a lot of hits! It’s taken over 7 years since I posted “I did something stupid – deleted myself!” (dated 2010, but I used the dates from when it was originally posted elsewhere) to hit this mark, and it took 4 years to get to 100,000 hits.

Not much has changed on why I keep blogging. If I can’t find it easily online and had to work it out myself, then I’ll usually write it up. In some ways it’s documentation for myself, just generalised instead of specific to my environment. Working out a good solution to a problem is satisfying in itself, moreso if you can help others hitting the same wall.

Blogging has opened many doors for me. I’m now a Microsoft MVP – originally in Cloud and Datacenter Management, now in Office Apps and Services. I get to sometimes review things I generally am a fan of – particularly devices from companies like Lenovo, but other companies such as Poly too. Lenovo even flew me to Beijing in 2019, a few years back Intel flew me to Sydney for Vivid and I would have been at Microsoft HQ in Seattle last month if it weren’t for that pesky virus. I did get to go 2 years ago though, and back in 2014 I attended Microsoft TechEd North America as Press in the most part due to Trevor Pott. He gets a special mention for helping me make a lot of this happen – and even though we don’t always see eye to eye, I don’t think I’d have nearly as much success without him in the early days.

I do paid articles for reputable websites, picking the things I want to write about. I get to talk to a bunch of smart people because of all this. I can blog how I want, when I want because it’s not a primary source of income. I can throw my ideals out there and have them picked over by the internet. I’m a quoted source of “On-Premise vs On-Premises – Who Cares?” on Wikipedia. I can say I run an award winning blog, thanks to Netwrix. I’ve tried to tell everyone my ‘Secrets to IT Success and Happiness’ from doing this stuff for 20 years now. I’ve been on a few podcasts like CIAOPS and Defrag This. I co-run a local user group called Adelaide Microsoft IT Pro Community with Brett Moffett and Andrew O’Young.

The point of all this is not to brag – I don’t think I’m doing anything special in the slightest. I’m always questioning my own abilities and knowledge – there’s always plenty of people that know more than me on every single topic I work with. However, I still find something of interest and write it up. That’s all I really do. I test things enough so I believe I’m right to be able to share it, but I’ll happily accept corrections (ESPECIALLY if I do something as amateur as misspelling ‘Windows’ in a blog post title). I’m lucky enough to have a supportive working environment and boss so I can do all this too, and I believe they benefit as much from this side work I do as I do personally.

Also since starting this blog, I’ve had two kids. Free time has gone from what feels like infinite, to little snippets here and there. It means I do less of blogging/writing/community things, but the trade off is more than worth it.

As you’ll see from the below explanations of people who’ve donated a prize, Twitter is somehow a reasonably large part of my life. I don’t spend hours on there every day, but still enough that I’ve managed to make a lot of valuable connections; valuable in the sense that I get to engage with a bunch of people I highly respect, and very occasionally with my introverted and recluse tendencies, meet in person.

Anyway, if you’re reading this I hope I’ve helped spread good information somehow. If you have an inkling that you want to do the same, then go for it. You need to start somewhere, and the more you write the better you’ll get at it. Feel free to contact me directly if you’d like any support or guidance, or even feel like trying a guest blog post I can put up here (I’ll edit and provide feedback too).

I’ve also run a few giveaways before, but I figured I’d put some good effort in to source a bunch of prizes to give away as part of hitting 2,000,000 views. I asked around and found several more meaningful prizes from people I know of and respect. Probably won’t do this again :) Thanks to them all for being a part of this!

If you see any 503 service unavailable errors below, reload. Gleam.io that hosts these might be having some issues.

1. Powershell for Sysadmins: Workflow Automation Made Easy by Adam Bertram – Donated by Adam Bertram.

Adam Bertram I’ve had several chats with over Twitter as a fellow Microsoft MVP, admiring his personal passion for IT and projects he works on like TechSnips.

Competition:

1. Powershell for Sysadmins: Workflow Automation Made Easy

2. Surviving IT – Essential Advice for Building a Happy and Healthy Technology Career by Paul Cunningham – donated by Paul Cunningham.

Paul Cunningham’s now transferred blogs are something that most Microsoft Exchange admins have read – Exchange Server Pro which changed into Practical365. I have Twitter banter with Paul now and then, and briefly met a few times back in the old Microsoft TechEd days. Paul offered to send me a few copies of his book – one I’m keeping for myself, and the other is being given away here.

Competition:

2. Surviving IT – Essential Advice for Building a Happy and Healthy Technology Career

3. Adopt & Embrace Microsoft Teams by Paul Woods, Helen Blunden, Benjamin Elias & Darrell Webster x 2 – This group of people I don’t know very well, but they produce great content and I follow them all on Twitter. I should work on getting to know them all more! :) Thanks to the 4 of you for donating these books!

Competition:

3. Adopt & Embrace Microsoft Teams by Paul Woods, Helen Blunden, Benjamin Elias & Darrell Webster

4. Lenovo Pack – donated by the Lenovo Insiders program and me (I bought the Smart Watch). I’m a part of the Lenovo Insiders program which has driven a lot of the reviews I’ve done – I am a general fan of their hardware (particularly the ThinkPad stuff!) and they’ve supported me greatly, including my great trip to Lenovo Tech World in Beijing. The watch I bought and had second thoughts about, so I added it into this bundle. I’ll also add a cool Lenovo backpack that’ll contain all these items!

Competition:

4. Lenovo Pack

5. Cin’s Chainmail – Industrial Strength Rainbow Stress Ball – Donated by Cin and her Cincurios Twitter account where you can see her handiwork. I first met Cin a few years ago at Ignite the Tour – Sydney event. We hung out for a bit and went around to a lot of the vendors trying to get swag; and we’ve been on Twitter talking ever since. Beyond being a highly skilled IT person, she also hand makes these chain mail stress balls among other items that you can see on her site https://skyalin.com/ccc

Competition:

5. Cin’s Chainmail – Industrial Strength Rainbow Stress Ball

6. The IT Business Owner’s Survival Guide: How to save time, avoid stress and build a successful IT business x3 – Richard Tubb. Richard I’ve only met on Twitter, but he comes across as a very passionate and positive person. I’ve had a few great chats with him, and if I ever manage to make it to the UK, will definitely meet in person!

Competition:

6. The IT Business Owner’s Survival Guide: How to save time, avoid stress and build a successful IT business

7. White Ibis Soft Toy – Mark O’Shea – donated by Mark O’Shea. I don’t actually remember where I first met Mark in person, but he’s a fellow Microsoft MVP and avid animal lover. If you’ve seen him on Twitter, you’ve probably seen a picture of a White Ibis; aka a Bin Chicken. Why is Mark giving away a soft toy of his favorite animal? I’m actually not sure, you should ask him :) I get to catch up with Mark occasionally when we happen to be in the same city – if he’s over in Adelaide for work, or if we both fly to Redmond (I’ve been one time ever). Until Mark actually provides me a photo of this White Ibis Soft Toy, here’s an example of a real one:

Mark has now provided a photo of the bin chicken prize!

Competition:

7. White Ibis Soft Toy

8. Uroboros Saga Books 1, 2 and 3 by Arthur Walker. Donated by Arthur Walker. Arthur is in the same Lenovo Insiders program I’m in, as a fellow tech enthusiast. However, he has many talents outside of gadgets which includes writing an ongoing book series (8 so far), and being the creative director of a computer game. I hadn’t spoken to him too much before meeting him in person at Lenovo Tech World in 2019. Not long after meeting him, I’d realised I was missing out by not knowing him better. I had the privilege of spending the week with him and the other great Lenovo Insiders in China, and wrapping off the trip going with him and Onica Cupido to the Beijing Zoo. Anyway, after finding out that Arthur wrote books, I bought a digital copy of one to read on the way home… and really enjoyed it! I’m onto book 2 now, and was waiting for my next trip to read it, but that might be a while away. You can buy his books in digital or tree format, or read the Amazon reviews for yourself to see what people think. Arthur’s put up the first 3 books of the series as a giveaway, and you can decide if you want the digital version, or for him to send them out to you.

Competition:

8. Uroboros Saga Books 1, 2 and 3 by Arthur Walker

OK, that’s all the prizes. I’ve broken them all up into separate competitions so people can just enter for the prizes they’d like to win.

Stay safe during these uncertain times everyone, and thanks for being a part of my little part of the internet.

Stopping Skype for Business Autostarting in Windows 10

Should be simple, right?

I installed Skype for Business for Office 365 on my home PC. I had Office 365 ProPlus, and the version of Skype for Business has to match that.

Worked great, and realising I didn’t want it running all the time on my home PC, I changed the option to ‘Automatically start the app when I log on to Windows’ in the Personal options:

The next day over the weekend, I noticed that Skype for Business had decided to still launch at login. Weird, so I checked what Task Manager had to say:

Skype for Business wasn’t even listed. I started mucking around a bit more, ticking the option to automatically start, pressing OK, turning it off, pressing OK, rebooting – but every time, Skype for Business just turned up, like a strange uncle you never invite to dinner but somehow still finds out and turns up every night.

Maybe it’s in the Startup folder in the Start Menu? Is that still a thing in Windows 10? Yes it is. It’s under C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup – replacing ‘username’ with what you’re thinking you should replace it with. Except, there was nothing there.

I also checked the standard Run locations in the registry, and then even searched for all instances of lync.exe which is still what runs Skype for Business… no hits that make any sense to it running at startup.

Of course, my next step is to complain on Twitter:

Interesting – Skype for Business runs at user login, but it’s not listed in Task Manager > Startup, or in the registry’s Run locations. The app even has ‘run at startup’ turned off. Not in the Start Menu Startup folder either. Don’t understand what’s triggering it…
– Adam Fowler (@AdamFowler_IT) April 12, 2020

No winners in the responses – I checked Sysinternals Autoruns as suggested by Neil Clinch, and Guy Leech had a suggestion on how to completely block lync.exe from running ever, but I still wanted to use Skype for Business.

My Googling hadn’t fared any results, and I was getting desperate. I actually took a chance and read some answers.microsoft.com threads (which are usually sfc /scannow or unhelpful answers that didn’t read the question properly) and user Daniel Wherle had responded to a thread with my exact problem.

The answer was a setting called ‘Use my sign-in info to automatically finish setting up my device and reopen my apps after an update or restart’. This is hidden in Windows 10 Settings > Accounts > Sign-in options. It’s down the very bottom:

After I turned this option off and rebooted, Skype for Business no longer launched at startup. I even launched it manually, and restarted while it was running.

I turned the setting back on and rebooted, Skype for Business still didn’t autostart – that is, until I ran it with the option on, exited and rebooted.

It’s worth noting that even after completely exiting Skype for Business, lync.exe still ran in the background. I suspect this is part of the problem, because it also won’t re-open until that task is killed. I don’t have any other Office apps open, and it seems like a common enough problem that others will hit it – maybe with other programs too and this Windows 10 option enabled.

A strange one, but probably as far as I’ll dig on the issue.
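The checks from this post, written up as a PowerShell script. This is an added example, not part of the original troubleshooting: it searches the Run keys and Startup folders for lync.exe, then reports whether the ‘reopen my apps’ sign-in option is still in effect. The policy value DisableAutomaticRestartSignOn is the documented switch for that feature; the per-user UserARSO\<SID>\OptOut location is an assumption based on commonly reported behaviour, not something Microsoft documents.

```powershell
# Added example: audit the autostart locations named in the post, then the
# "Use my sign-in info ... reopen my apps" state that turned out to be the cause.
$pattern = 'lync'   # Skype for Business still runs as lync.exe

function Find-AutostartEntry {
    param([Parameter(Mandatory)][string]$Pattern)

    # Standard Run locations in the registry
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($name -match $Pattern -or $data -match $Pattern) {
                [pscustomobject]@{ Source = $key; Name = $name; Command = $data }
            }
        }
    }

    # Per-user and all-users Startup folders; resolve shortcuts to their targets
    $shell   = New-Object -ComObject WScript.Shell
    $folders = [Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup')
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $_.FullName
            if ($_.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($_.FullName).TargetPath
            }
            if ($_.Name -match $Pattern -or $target -match $Pattern) {
                [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $target }
            }
        }
    }
}

function Get-ReopenAppsState {
    $sid       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Assumption: per-user opt-out written by the Settings toggle (undocumented)
    $userKey   = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserARSO\$sid"

    $policy = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableAutomaticRestartSignOn
    $optOut = (Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue).OptOut

    [pscustomobject]@{
        DisabledByPolicy = ($policy -eq 1)
        UserOptedOut     = ($optOut -eq 1)
        # Neither switch set: apps left running at shutdown can come back at sign-in
        ReopenAppsLikely = -not (($policy -eq 1) -or ($optOut -eq 1))
    }
}

$hits  = @(Find-AutostartEntry -Pattern $pattern)
$state = Get-ReopenAppsState

if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    "No '$pattern' entry in the Run keys or Startup folders."
}
$state | Format-List

if ($hits.Count -eq 0 -and $state.ReopenAppsLikely) {
    "Nothing registers '$pattern' to start, but 'reopen my apps' is on: a process still running at restart will be relaunched."
}
```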

Windows Hello for Business – A less forceful rollout option

When I first looked at Windows Hello for Business at launch, I was impressed by it but also concerned. Turning the option on would prompt all users or devices that had the policy on, strongly encouraging them to go through the Windows Hello for Business setup with their fingerprint/face recognition and PIN.

It was a bit intrusive to have this almost forced registration process as a user might not be in a position to go through the setup and be trying to do something urgent first thing in the morning, but even more of a concern was the style of the userbase I support – anyone expects to be able to log onto any computer anywhere. Windows Hello for Business doesn’t follow the user around for good reason (you’re tying the things you have to a single device), so each new device will go through the prompts.

I also had concerns around desktop users who didn’t have any other method of authentication beyond the PIN, and the perception that a PIN is less secure than a password (again the PIN is tied to a single device, while the password can be used to log onto any device).

Thankfully, a new option turned up in Group Policy under the ‘Use Windows Hello for Business’ policy, located under both the Computers and Users areas at Policies > Administrative Templates > Windows Components > Windows Hello for Business: the tickbox ‘Do not start Windows Hello provisioning after sign-in’. (To be fair, this has now been there for a while and I just wasn’t aware):

This will instead provide a little warning in Windows Security under Account Protection, saying Windows Hello isn’t set up. It doesn’t pop up and alert this, but instead shows a yellow exclamation mark against the shield icon in the taskbar. A user can then click through this at their leisure and set up Windows Hello for Business.

To me, this is a great way of allowing all staff the chance to set it up when they’re ready to do so, and in a staggered fashion without really having to manage it. Each business is different of course, and some will prefer or require the heavy handed approach of Windows Hello for Business on all devices – but I’m glad this more relaxed option exists.

Note that Windows Hello for Business is supported in both Azure AD connected and Hybrid Azure AD devices. For further info, read Microsoft’s documentation: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification
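To confirm on a client which rollout mode actually landed, here is a PowerShell check that reads the policy from both the computer and user policy hives. This is an added example rather than something from the original post; the registry values Enabled and DisablePostLogonProvisioning under Policies\Microsoft\PassportForWork are what the Group Policy setting and its tickbox write, and the NgcSet field comes from `dsregcmd /status`.

```powershell
# Added example: report how 'Use Windows Hello for Business' is configured on
# this device, and whether the signed-in user has already enrolled.
$policyPaths = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\PassportForWork'
}

function Get-WhfbPolicyState {
    param(
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)][string]$Path
    )

    # A missing key or value means the policy is not configured in this scope
    $values   = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $enabled  = $values.Enabled
    $deferred = $values.DisablePostLogonProvisioning

    if ($null -eq $enabled) {
        $mode = 'Not configured'
    } elseif ($enabled -eq 0) {
        $mode = 'Disabled'
    } elseif ($deferred -eq 1) {
        # The tickbox from the post: no prompt, user enrols from Windows Security
        $mode = 'Enabled, provisioning deferred to the user'
    } else {
        $mode = 'Enabled, provisioning starts after sign-in'
    }

    [pscustomobject]@{
        Scope                        = $Scope
        Enabled                      = $enabled
        DisablePostLogonProvisioning = $deferred
        Mode                         = $mode
    }
}

function Get-WhfbEnrolmentState {
    # NgcSet in 'dsregcmd /status' is YES once the user has a Hello credential
    if (-not (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue)) {
        return 'Unknown'
    }
    $line = dsregcmd.exe /status |
        Select-String -Pattern '^\s*NgcSet\s*:\s*(\w+)' |
        Select-Object -First 1
    if ($line) { $line.Matches[0].Groups[1].Value } else { 'Unknown' }
}

$report = foreach ($scope in $policyPaths.Keys) {
    Get-WhfbPolicyState -Scope $scope -Path $policyPaths[$scope]
}
$report | Format-Table -AutoSize

"Current user enrolled (NgcSet): $(Get-WhfbEnrolmentState)"
```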

Small Business Data Breaches in Australia and My Experience with One

What happens when a company you deal with in Australia has a data breach, and their annual turnover is less than $3 million? I thought I’d find out, after this happened to me. Here’s the events in chronological order with some information censored:

The Dropbox Email

I receive an email from my Strata Management company in October 2019 whom I’d already regarded quite low in their digital actions – emailing without unsubscribe options, using email addresses given to them purely for Strata related comms for commercial purposes – but this was more concerning again:

To me this was immediately dodgy and cried out of an account being compromised. The file is still there right now, ~ 6 months later. It’s a standard jump file – redirecting you off to phish your creds.

The credential stealing page you get to from the ‘Access Document’ link above is down – the entire domain doesn’t respond, so at least nobody will get caught by this link.

I email back with what I thought was correct information from a quick Google on it, but the details are their problem to work out and send an email to the address listed on the website, rather than the compromised account:

From: Adam Fowler
To: admin@company

Hi,

It appears XXX account has been compromised by a third party, which includes my personal contact details on it. You’ll need to comply with the government’s Data breach standards: https://www.oaic.gov.au/privacy/data-breaches/

Under law I believe you have 30 days to disclose this breach: https://www.oaic.gov.au/privacy/data-breaches/make-a-data-breach-complaint/

Thanks
Adam Fowler

Two weeks pass… nothing. I follow up:

From: Adam Fowler
To: admin@company, person@company

Hi,

Any chance of getting a response on this?

Thanks
Adam Fowler

I get an out of office from the person, but it doesn’t take long for their manager to respond:

From: Manager@company
To: Adam Fowler

Hi Adam,

Thank you for your email and I apologise for the delayed response – the front office thought it may have been another scam email due to the multiple links and opted to delete and ignore it.

As you are aware, we do have 30 days to respond to this with the breach happening 15 days ago we still have time on our side. In saying that, we actually have our IT guys coming in today again to assist me with the lodgement and I will be finalising it either tonight or over the weekend.

I can confirm we acted promptly on the issue and our IT guys responded extremely fast as well.

Thank you for your concern and notification, I will confirm with you once this has been lodged.

Have a great weekend.

This sounded sort of promising – beyond the weird conclusion my email was another scam, they seemed to be treating this seriously and properly. I was content with this and waited for the confirmation that was promised.

That confirmation didn’t come, so 1 month later I followed it up. This is where it went downhill:

From: Manager@company
To: Adam Fowler

Hi Adam,

I did lodge this and I spoke with the Office of the Australian Information Commissioner.

As far as I am aware from them there was no further action required from us on their end.

Kind regards,

OK… that’s great that they’ve met legal requirements, but that’s not really what I cared about:

From: Adam Fowler
To: manager@company

Hi Manager,

I’m more concerned if any of my personal data was compromised after your investigation rather than what data breach notification steps you’ve taken with the government?

Thanks
Adam Fowler

Another concerning response:

From: Manager@company
To: Adam Fowler

Hi Adam,

No personal details have been compromised from this. They did not have access to our server.

Kind regards,

This takes me to a conclusion pretty quickly that they really have no idea what they’re talking about, or just trying to get rid of me because I’m a hassle. I call them on it:

From: Adam Fowler
To: manager@company

Hi Manager,

That’s obviously incorrect, my email address is personal information, and XXX’s mailbox may have contained other personal information that I’ve emailed them, such as the address of my unit.

Apparently what I’ve asked for hasn’t processed and they’ve given up:

From: Manager@company
To: Adam Fowler

What would you like for me to do Adam, I’m not sure on what steps you are asking me to take? 

This got me annoyed. I have no idea what data they have on me and what could have potentially been accessed, so I did a bit of research and shot off what I wanted, outlining why I was concerned:

From: Adam Fowler
To: manager@company

Advise on what data of mine was actually accessed. “None” isn’t true or I wouldn’t have received a phishing email. The responses you’re giving don’t give me any confidence that you’ve actually had this investigated, or have any reasonable understanding of the statements you’re making. My next step is to lodge a complaint with the OAIC, which I’d rather not bother to do.

You hold money that is partly mine, my personal details and I’m not sure what else.

Separately, I’ll actually request you provide a copy of all personal information you hold on me, as per https://www.oaic.gov.au/privacy/your-privacy-rights/your-personal-information/access-your-personal-information/


Please let me know what other details you need from me for this request.

Three days later I get this answer:

From: Manager@company
To: Adam Fowler

Hi Adam,

Below is all of the information we have for you.

Salutation: Mr Fowler

Mr Adam Fowler

*My home address*

*my mobile*

*email address different to the one they’ve sent this email to*

We don’t have your bank details and as I mentioned, they did not have access to our server so they would not have received the above information.

I’ve searched XXX’s emails over the past two days and you do reference your unit, but never your home address.

It was obvious they weren’t doing this properly. They didn’t list the address of the ACTUAL PROPERTY they managed for me, nor the email address they’d just emailed me on. I decided to just stop responding and lodge a complaint with OAIC; I didn’t really have anything to lose by doing so. Lodging a complaint was pretty easy, there wasn’t too much info I had to provide and I included the email thread above.

The next day after filling in the form, I received a fairly generic email which contained the case number I’d been given:

From: OAIC
To: Adam Fowler

Dear Adam Fowler

Thank you for your correspondence received on 2 December 2019. The Office of the Australian Information Commissioner (OAIC) has registered this matter as a privacy complaint by you about STRATA MANAGEMENT COMPANY.

We aim to contact you further about your complaint as soon as we are able to. Information about what happens to your privacy complaint is available on our website, www.oaic.gov.au.

Actions you can take now

· Generally for us to consider your complaint you first need to have complained to the respondent. While waiting to hear from us, we recommend that you continue to pursue resolution of your complaint with the respondent organisation.

· You may also be able to lodge your complaint with a recognised External Dispute Resolution (EDR) Scheme. A list of recognised EDR schemes is available on the OAIC’s website. These EDR schemes cover financial services (including credit reports), telecommunications, and energy and water providers. If the OAIC considers your complaint would be more effectively or appropriately dealt with by a recognised EDR scheme, we may decline to investigate the matter.

· If your matter relates to consumer credit, please forward a copy of your credit file to this office, as well as copies of any correspondence you have received from the credit provider, credit reporting bodies and any dispute resolution body you have complained to about this matter. You should also include the relevant password if the copy of your credit file is password protected.

Next steps

Unfortunately we are not able to allocate all complaints to a case officer as soon as they are received. At present there are delays on some matters being allocated because we have had an increase in the number of complaints we have received.

At this time, it may be several months before an officer contacts you about your matter. We will contact you earlier if we are able to.

Once your complaint is allocated a staff member will contact you to discuss the next steps in our complaints handling process. The OAIC aims to resolve privacy complaints by conciliation, whereby the parties resolve the matter through discussion and negotiation. Unless we consider it inappropriate to do so, your complaint will likely be referred to the respondent for it to contact you directly to try and resolve the matter.

Please let us know if your contact details change, if the matter has been resolved directly with the respondent or if other circumstances change.

You can write to us or call on our Enquiries Line on 1300 363 992 (local call cost, but calls from mobile and pay phones may incur higher charges). If you do contact us it will help us if you quote your complaint reference number which is found at the top left hand side of this correspondence.

We will arrange for letters and telephone calls to be translated if you would like to communicate with us in a language other than English. You can also let us know if you need other assistance, including documents in other formats or larger fonts.

Yours sincerely

Enquiries Team

Office of the Australian Information Commissioner

That didn’t give me much hope, so I left it at that and moved on.

2 months later, I received a call on my mobile. It was from the OAIC, who had started to review my case. We had a chat; she understood the situation and completely agreed they hadn’t appeared to have done their due diligence in the data breach or provided me with my personal data as requested.

It sounded promising and I was a bit nervous. Their standard approach was to talk to the company and somehow come to an early resolution. She emailed me what was discussed too:

From: OAIC
To: Adam Fowler

Dear Mr Fowler

I refer to your privacy complaint about STRATA MANAGEMENT COMPANY, made under s 36 of the Privacy Act 1988 (Cth).

I am conducting preliminary inquiries under s 42 of the Privacy Act. The purpose of the inquiries is to establish whether this matter can be resolved quickly by the Early Resolution Team.

The Early Resolution team aims to resolve matters within 4 weeks. If the complaint cannot be resolved by 28 February 2020 and the OAIC determines further review or investigation is required then the matter will be referred to an investigations officer in another team.

If the matter is referred to another team, it can take several months to be allocated to a case officer. We therefore encourage both parties to try and resolve the matter through this early resolution process.

Next steps

We have provided a copy of your complaint to STRATA MANAGEMENT COMPANY and requested it provide the OAIC with a response to your allegations and to your proposed resolution.

We have also invited to contact you directly to try and resolve this matter. In our experience, direct contact between the parties leads to a higher chance of resolution.

We have requested STRATA MANAGEMENT COMPANY provide an update in a week’s time.

I am happy to discuss this matter and to clarify any questions you may have about our Early Resolution process. If you have any questions, please feel free to contact me directly on XXX or email to oaic.gov.au.

Yours sincerely 

Investigations Officer
Dispute Resolution Branch

The same day though, my hopes of anything were completely shot down:

From: OAIC
To: Adam Fowler

Dear Mr Fowler

In my conversations with STRATA MANAGEMENT COMPANY it appears it is a small business operator and may therefore not have any obligations under the Privacy Act 1988 (the Privacy Act).

The APPs apply to businesses and not-for-profit organisations with an annual turnover of more than $3 million and to all private health service providers irrespective of turnover.

I have asked STRATA MANAGEMENT COMPANY to respond to questions to confirm it is a small business operator and to provide evidence of their turnover or a statutory declaration.

If STRATA MANAGEMENT COMPANY is a small business operator we will be unable to take any further action in the matter. I will write to you to let you know if this is the case along with our intention to decline to investigate the matter.

I was rather confident this company didn’t turn over $3 million a year. However, the manager did still call me, after advising he didn’t have to respond legally. I didn’t really say much since I had no legal standing now and, in the law’s eyes, they were in the right. They attempted to reset the password so I could access my own data from their systems – he couldn’t get that working so I did a password reset myself. Their password reset process actually sent me an email that contained my old password in plain text – ‘dontsendthisout’ – which I’d set a few years ago after they’d sent me my password in plain text via snail mail, along with the username and login URL. As I said at the start, I didn’t expect much from this company.

The data they had on me, they said, would all be in this app. Again, this of course isn’t true because of the data in their emails, but I felt defeated and didn’t press on this.

It was of course confirmed that they didn’t turn over $3 million a year:

Dear Mr Fowler

I refer to your privacy complaint about STRATA MANAGEMENT COMPANY, made under s 36 of the Privacy Act 1988 (Cth) (the Privacy Act).

The Office of the Australian Information Commissioner (OAIC) conducted preliminary inquiries into your complaint under section 42 of the Privacy Act.

I have reviewed your complaint and I do not consider there has been an interference with your privacy on the basis that STRATA MANAGEMENT COMPANY appears to be a small business operator. The reasons for this view are explained below. You now have an opportunity to comment before I make a final decision.

Small business operator exemption

The Australian Privacy Principles (APPs) in the Privacy Act cover many private sector businesses in Australia, but there are exceptions. In particular, many small businesses are exempt from the obligations outlined in the APPs in the Privacy Act. Under the Privacy Act, a small business operator is a business with an annual turnover of $3 million or less that:

·      is not a health service provider

·      does not trade in personal information

·      is not a contracted service provider for a Commonwealth contract

·      is not a credit reporting body

·      is not related to a body corporate that carries on a business that is not a small business

·      does not operate a residential tenancies database.

In response to our inquiries, STRATA MANAGEMENT COMPANY provided information, including its Business activity statements (BAS) to establish that its annual turnover and activities are such that it meets the Privacy Act’s definition of a small business operator.

This means that STRATA MANAGEMENT COMPANY is not covered by the APPs in the Privacy Act and therefore there can be no interference with your privacy under the Privacy Act through STRATA MANAGEMENT COMPANY’s actions in this instance.

Next steps

Section 41(1)(a) of the Privacy Act gives the Commissioner the discretion not to investigate a complaint if she is satisfied that the act or practice complained about is not an interference with privacy, as defined in the Privacy Act.

As STRATA MANAGEMENT COMPANY appears to meet the Privacy Act’s definition of a small business operator, I intend to decline to investigate your complaint under section 41(1)(a) of the Privacy Act.

However, before I make a final decision I invite you, should you wish to do so, to provide a written response to this email. I would appreciate receiving any response by 11 March 2020. If I do not hear from you by this date, the OAIC will make a decision based on the available information and close your complaint.

If you would like to discuss your complaint, I may be reached XXX during business hours, or email oaic.gov.au.

Yours sincerely


Investigations Officer
Dispute Resolution Branch

I briefly responded saying I couldn’t dispute their annual turnover, and the act is the act.

The final emails redeemed themselves a bit, when the CEO emailed me without further prompting:

Dear Adam,

I understand you have made a complaint in relation to the Dropbox email that was sent out when XXX’s email was hacked. As you were not satisfied with our responses, I have contacted my IT team and asked them to email me an explanation of what happened and what would have been hacked. Please find below an email from our IT Company. YYY is happy for you to contact him directly if you need, but I would ask that you cc me in on any email. I have not copied him into this email to protect your email address.

I have inserted his email below.

Hi Adam,

It is our understanding that the breach was caused by XXX clicking through a link in a scam email and it tricked her into putting in her email password. As such that gave the hackers access to her Office 365 based email account. Once noticed, that day, we changed her password and confirmed they didn’t have access anymore.

It did not give them access to any other email accounts, though we changed all passwords to be sure anyway.

And it did not in any way give them access to the server where STRATA MANAGEMENT COMPANY store files and run their management databases. The server is not linked to Office 365 at all, and even if she used the same password for 365 as her PC/server then it wouldn’t matter as she didn’t have remote access allowed on her account, and our remote access also requires a certificate that the hackers didn’t have access to. So I am certain they never had access to the server.

Subsequently there have also been no signs of any breach of the server or anything further on her email account.

So in short you can be assured that only her email was breached.

As for what they did access or download from her email I cannot say, we can’t tell that from the logging available in 365. It seems unlikely to me they did download information. The usual thing with these hacks is they use the compromised account to perpetrate another scam to force a bank transfer. I’d say that they worked out she wasn’t responsible for bank transfers and so instead used her account to try to hack more email accounts.

So the only data that they could have about you is anything you emailed to XXX, with the exception of anything she deleted after you sent it and before they hacked in.

Let me know if you want any more information.

I felt that at least they now had a better understanding as to what happened, and MAYBE cared a bit more about the impact of it.

From: Adam Fowler
To: CEO@company

Hi CEO,

Thanks for the additional details and the explanation makes sense. I’d also expect they’d do basic searches for things in an account like credit card information and bank details which is why I was asking what XXX may have had in her inbox in relation to me.


The other question is why you didn’t have MFA in place on your Office 365 accounts – easy to do and protects the data that I send your company from these threats. I hope you’ve implemented it since, as it’s a relatively easy setting to turn on.

Thanks
Adam Fowler

The CEO thanked me for this email and said they’d pass it on to their IT department. I hope they’ve actually implemented MFA now as it seems their external IT support is reasonable, and I wouldn’t expect a smaller company to have advanced Office 365 logging features available in an E5 plan to see what was accessed exactly. They’re still the company that holds the money for the Strata pool of funds, so I care that our money isn’t stolen.

Finally, the OAIC closed the case:

Hi Adam

Thank you for your emails and feedback on the Office of the Australian Information Commissioner’s (OAIC) 26 February 2020 view that there had not been an interference with your privacy on the basis that STRATA COMPANY is a small business operator.

As a small business operator, STRATA COMPANY does not have to follow the Australian Privacy Principles (APPs), so it does not have to provide you with a copy of your personal information, or follow any of the other APPs in relation to security, use or disclosure of your personal information in the Privacy Act. It may have other legal obligations in relation to how it handles personal information.

I acknowledge your concerns and view that regardless of the technicalities of the Privacy Act 1988 (Cth) (the Privacy Act), your privacy has been breached.

However, as defined in the Privacy Act, an interference with privacy can only occur when an APP entity breaches an APP in relation to personal information about the individual (section 13). As STRATA COMPANY meets the definition of a small business operator in the Privacy Act, it is not an APP entity which is subject to the provisions of the APPs in the Privacy Act, and it cannot interfere or breach your privacy as specified in the Privacy Act.

Decision

Section 41(1)(a) of the Privacy Act gives the Commissioner the discretion not to investigate a complaint if she is satisfied that the act or practice complained about is not an interference with privacy, as defined in the Privacy Act.

As STRATA COMPANY is exempt from the provisions of the APPs in the Privacy Act, I have decided under s 41(1)(a) of the Privacy Act not to investigate the complaint on the grounds that there is no interference with your privacy as defined in the Privacy Act.

The file is now closed.

Thank you for bringing this matter to the attention of the Commissioner. I am sorry we are unable to assist you.

Yours sincerely

Investigations Officer
Dispute Resolution Branch

Although I could say that nothing happened out of this 5-month experience, I hope it was a valuable lesson for the staff there – and the CEO knows a bit more about it.