The Prime Minister, Anthony Albanese, said on Brisbane radio station 4BC in response to the recent data breach at Optus:
“This is a huge wake-up call for the corporate sector, in terms of protecting the data which is there. And we want to make sure, as well, that we change some of the privacy provisions there so that if people are caught up like this, the banks can be let know, so that they can protect their customers as well.”
In my professional opinion, this is insanity gone rogue and it needs to be stopped before there is no such thing as privacy for anyone ever again. That’s a big claim to make, so let’s look at what’s being said here and ask ourselves if this is a future we want to live in.
The data breach at Optus will be investigated for years to come. Optus itself appears to be treating it as a public relations issue, using press releases and Twitter to disseminate the information before informing its customers. Industry “insiders” claim that it happened because of the age of the various networks, blaming their 1990s heritage for the loss of data, as if the intervening 25 years brought no change or improvement to those systems.
Cause and effect aside, I’d like to explore the response, specifically that of our Government and the impact its decisions might have on our collective future.
Based on what the Prime Minister has said, the Government is apparently preparing legislation to force companies to share breach data with banks in order to “protect their customers”. This seems like a force for good: protecting customers is a lofty goal, and if we can legislate it, why not?
So, how do we actually tell our banks what breach has happened? How do we securely transmit all that data from the company that was breached to the bank? Do we send them a hard disk with all the data on it, email it to them, put it up on Dropbox? Or, to simplify things for the banks, given that this is going to happen on a daily basis across the Australian corporate economy, do we specify an automated process, an API, for submitting such breach information? And what happens if a bad actor starts “sharing” invalid or modified breach data through it?
What information should this data contain? Your name? Is that enough? What about people with the same name? What about adding a date of birth? Name and date of birth should be enough to uniquely identify everyone, right? In case you’re wondering, it’s not. How about we include an ID? A driver’s licence number, or a passport number, perhaps both?
How do we deal with mistaken identity? It’s not like the banks have never done that...
If that’s not enough, which banks do you share this information with? The big four, or more? Where is the boundary for this sharing of breach data? Why should every bank in Australia have all my personal data? What about banks that trade in Australia but are based in other jurisdictions? How do we share data with them? Should we share all this information with all banks across the globe?
Once this data is shared with a bank, what happens next? What happens when you approach a bank to open a new account or to transact, and your identifying information was part of a breach notification? What if you don’t have other forms of identity? Will a bank forever distrust any person who was the subject of a notification, and who regulates this?
It gets better.
Legislation in Australia already requires that certain organisations “know their customer”. Companies like PayPal, eBay and Airbnb use this to gather identity documents from Australian citizens: passports, driver’s licences and the like. Those companies are not subject to our laws of disclosure, and some actively create separate companies to move data and responsibilities to other legal entities and countries. If you’re interested, have a look at the terms and conditions you agree to when you sign up with Airbnb. You’ll soon discover that your data is scattered around the globe, and that hosts and guests are clients of different legal entities in different countries.
How do you compel an international company trading in Australia to comply with any breach legislation? Is there a certain size or turnover a company needs to reach before it is subject to this requirement? What about individuals?
It’s likely that legal regulations led Optus down the path it travelled, but it does make you ask the question: why was Optus storing driver’s licence and passport details at all? How relevant are these details? What possible use are they beyond authenticating a person at the time of checking? It also makes you wonder whether the bank still has that copy of your driver’s licence it took when you opened an account in 1986. Yes, it does.
This also raises questions about other uses of that data. Can someone access this private identifying data within an organisation and use it for other purposes? What purposes? Fraud? Marketing? Research?
I was last an Optus customer in 2008. Last year, in 2021, I started receiving monthly invoices for $0.00 using account numbers that were not mine (I checked). I know of others who received similar invoices. It took months to get Optus to stop, and at no point was I advised why this happened or what was done to prevent its recurrence. Why was my data in the Optus system at all, 13 years after I stopped being a customer? Was my driver’s licence in that same database? What else was stored there? What are the legal requirements for this, and where is the oversight to protect me as a customer?
The Government wants to protect us by sharing our information with more people. As an IT professional I can tell you that this only increases the so-called attack surface: every additional copy of the data is another system that can be breached, and every additional recipient is another party that has to be trusted to store and handle it correctly. That makes breaches easier and more frequent, and as a member of society it makes your information less private, not more.
The real question to ask is:
“What do you actually need to store, for how long, and what purpose does it have for the customer?”
Based in Perth, Western Australia, Onno Benschop makes complicated technology simple.