And we need to put other companies with terrible security on notice. I think the only way big companies will move is by making their executive team sweat money.
That's how it works everywhere else in the economy - if your negligence causes harm, you're liable. Serve bad food in a restaurant? Sued. Sell sporting equipment which causes injury? Sued. Misrepresent yourself? Sued, and potential criminal charges. Medical malpractice? Sued. But somehow, if your sloppy software causes harm that's ok? What rubbish. Security malpractice should bear the same punishment as everything else.
Maybe the price of paid software will go up. That's fine. Maybe there aren't enough qualified security engineers. Also, fine.
If you don't have the expertise to manufacture a safe car, we've decided you can't enter the car business at all. Likewise, if you don't have the technical skill to keep my data secure, you have no business storing my data at all.
This breach happened through a non-production system. Shock. Surprise.
There's no such thing as non-production/production systems imho, as long as it exists, it's a system requiring security checks and protections.
Not to diminish Optus' responsibility here but I think the Australian government should carry some of the blame for imposing this requirement.
I had activated a pre-paid Optus service (in a store, using my driver's licence as ID) but let it lapse a year ago, and allegedly my licence number was not in the breach.
In cases where there is intentional wrongdoing, existing laws already make complicit people liable both to civil action by people harmed, plus criminal or civil penalty provisions by ASIC (or the ACCC, depending on the industry and conduct). As a plaintiff, you typically join them to increase your potential pool of recoverable assets for your clients.
The same is true if there are breaches of the Australian Consumer Law, and the person has a particular level of knowledge that is below intention.
In cases of pure negligence, like this, if the negligence rises to a criminal standard, then criminal laws and penalties already apply. How and when this works has been a topic for over 50 years, since Tesco v Nattrass in the UK.
In other words, there are already very significant legal mechanisms in place, and by and large they work - and not all of them involve having executives personally liable. In any event, many already do, and this has been worked out carefully over a long period.
The usual way around this is via a class action, and there are already at least 2 being prepared that I know of. They will run and probably settle at some point. The main thing to be policed is to avoid the funders and solicitors taking too much of the proceeds, although that process is already in hand due to recent abuses.
No. Or perhaps yes, but only in part. Our laws need to be updated to make corporate malfeasance in general an existential threat to executives and board members, as individuals. Ordinary Aussies end up in jail for unpaid parking fines. Centrelink 'customers' (ugh) get robodebted, often into depression, sometimes to death. The "law" rules us plebs with a rod of iron, and wields it with abandon. Heads of industry get away with pretty much anything. If they want to skirt a law, all they have to do is shove fines on balance sheets. Those fines can be in the millions or billions; they're just another business expense.
Suits in jail would change the so-called 'incentives' (myopic concept though that is) dramatically. "More suits in jail" should be the catchcry of the next few generations. Every T shirt. Every graffito. Every pop song.
Of course to really fix this stuff we have to go after 'investors' and eliminate the absurdity of limited liability ("gamble on destroying the world and risk only your stake!"), but that ideology is now so culturally rigidified it would require a collapse of 'civilisation' to eliminate. That may well be coming of course.
Imagine a car company which sold cheap cars that injured people. "If we fine them for their actions, the executive team will just raise prices or fire employees!". Yeah - maybe don't sell a car that's so cheap that it causes accidents.
Certainly it would be much more effective than the system we have now - where their negligence seems to have had no negative consequences for the company.
But if you're suggesting there should be personal liability for CEOs as a result of data breaches like this, then I think I could be convinced.
Honestly I trust my data with Optus way more than a company that can't build a secure MyGov app where my tax and health info are stored.
Fortunately we're able (in South Australia) to get our driver's licences changed over free of charge if impacted, which I'll do but now that's something else I need to get around to doing... I wonder how many of these costs will be forwarded on to Optus on behalf of the government.
edit: HN is rate limiting me but like, any phone number? You need ID even for a prepaid one? And why do they need to keep this on file?
This is the SA version since GP is from South Australia, all other states have the same thing too https://www.police.sa.gov.au/services-and-events/100-point-i...
I wonder if this is actually intended to be an "ask", or if this is polite language for "we will legally compel them to".
>Passport numbers are among the personal details accessed in what the federal government has described as a "basic hack".
>Optus says the data breach was due to a "sophisticated" operation.
It would be good to know more details of the hack itself.
Not much but there's this article from the ABC (Australian Public Service broadcaster) https://www.abc.net.au/news/2022-09-23/optus-rejects-claim-h...
QUOTE STARTS
"[They] wanted to make integrating systems easier, to satisfy two-factor authentication regulations from the industry watchdog, the Australian Communications and Media Authority (ACMA)."
The process allegedly involved opening up the Optus customer identity database to other systems via what's known as an Application Programming Interface, with the assumption that the API would only be used by authorised company systems.
QUOTE ENDS
Also this one https://www.theregister.com/2022/09/23/cyberattack_optus/ although it's six days old.
This is a summary of the statements made by Optus https://whirlpool.net.au/wiki/optus_sept_2022_breach .
There's been some chatter on Twitter that at some point an Optus flack characterised the attack as "sophisticated" because the attackers "used Postman" so that's obviously caused a few laughs https://twitter.com/search?q=optus+postman+until%3A2022-10-0... .
Companies should only collect data that they really need. One way to encourage this behavior is to punish them when a breach happens based on the amount of data they collect.
A data breach on a service that only has an email address on it matters a lot less to me than one that has my name, phone, address or picture of my id.
These are all really good questions.
It sounds like a convenient caveat to an agreement to pay ransom to the hackers, and I wouldn't put it past a big company here in Australia to pull that kind of PR trick.
We live in the Lucky Country after all, I doubt we'll ever know the truth.
ASD and ASIO have despised Singtel since they bought out C&W in the late '90s and want them out of the country. This whole media fiasco is a blessing for everyone. Might be able to finally cancel their carrier licence.
If you accept perfect security is impossible (everyone should) then anybody creating data retention laws (i.e. the government) really has to also assume some level of responsibility for the risk that the data is going to leak.
That said, yes: government legislators and regulators have been zealously telling private companies to hoover up sensitive PII for years. Here's ACMA's rules for customer auth for telcos: https://www.acma.gov.au/customer-identity-authentication-rul...
There are efforts underway to enable complying with these rules _without_ hoovering up data, but they are not progressing nearly as fast as they need to.
It kind of does. If Optus hires the world's most competent security person, the first comment on this subject would be "there is no commercial or technical upside to storing this data, and massive risks if it leaks. We should delete it immediately".
If the government swoops in and bans them from fixing the problem, it is a bit weird for the government to also penalise them for not fixing the problem. Optus is legally barred from putting an engineering solution in place to remove this risk.
Literally the only two outcomes here for Optus are:
Option 1 - wasted storage fees.
Option 2 - international scandal.
They aren't allowed to pick any other option. It isn't fair to get angry at them for a rather predictable outcome of spreading PII around. Sure with hindsight they could have done a better job of sticking to the first outcome, but seriously if they had the choice it would have been option 3 - take money, ask no questions. Maybe store a credit card number, maybe just use Paypal like a normal merchant.
Yeah, 2.x% sounds like a small percentage of the ~10M records.
It's still 2.x million people's records.
Post-paid generally is a lot stricter e.g. most telcos want 100 points of ID with at least one primary document such as driver's license or passport [2]. Not sure if that's a legislative requirement though, or just good business practice.
[1] https://www.acma.gov.au/acmas-rules-id-checks-prepaid-mobile...
[2] https://www.telstra.com.au/support/account-payment/id-check-...
So about 1-2%.
All sims need personal data - otherwise overseas could be a loophole to get a ghost sim.
I dislike this intensely. All kinds of random places are keeping hi-res scans of documents that are perfect for identity theft and fraud. I've tried suggesting that looking at the passport should be sufficient to verify my identity -- they don't need to make a copy of it -- but I've had no luck.
Has anyone had success at pushing back on this? Are there laws in any country that say that you can't take photocopies or scans of customers' passports?
Also, high-resolution scans of passports are not a new thing. They were already pretty common in the late 2000s. The biggest change from then is that hotel employees are now more likely to be comfortable with electronic documents than paper copies.
Unfortunately there's a disconnect here for what it's used for.
If that page is treated as public information, then information on it can't also be used for the 100 Points of ID that public and private organisations want.
The document number on my passport is enough to get a credit card with a high limit in my name, sent to an address that's never before been connected with my identity. Maybe some more conservative banks will want the address to match.
That information is precisely what was leaked by Optus.
A house booked and paid for through booking.com wanted me to email them a copy of my passport. I said no, but they could see it in person when I arrived. When they arrived they wanted to take a photo of it. I said no, then, too.
They were really quite unhappy about that, and claimed they've had people stay on fraudulent cards before, and this was the only way to protect themselves.
Employers doing things like SOC2 are also wanting to go through third party background-check services. All of those also want things like selfies and scans of passports. They all claim the same "We delete it after the check is complete" thing, too, which I don't believe.
If the Australian Government actually goes through with its threat to make Optus pay millions to cover the cost of the damage its lax security has caused then the idea may catch on elsewhere.
It seems to me that at the risk of going bankrupt over a breach of its customers' privacy a company would want to divest itself of as much information about its customers as was possible.
Wouldn't it be great if that were to happen.
+1. I super hope Equifax finally has to own up to their damages on society (on many levels, including beyond data breaches).
I mean I hope the Government goes after that Service NSW Data Breach too. Would be cool to see huge fines put to them. Would I get some of my tax back for that?
People should 100% sue, but that the Gov says anything is laughable.
"We are outraged." ... "Didn't you have a breach last year?" ... "I said we are outraged. Don't look over there. Look over here."
Likewise, but I won't hold my breath whilst waiting.
This is probably the end for Singtel in retail telecommunications in Australia, and I don't know who would buy their network now that TPG and Vodafone have merged. They may just convert it to a much smaller wholesale only operation.
You can then select the businesses you would like to forget about you and Mine will send pre-written emails on your behalf and monitor for replies.
The experience has been enlightening. This is what I've found after sending 50ish requests:
- A small number of businesses already have a process in place to deal with such requests and action immediately without further correspondence
- Others ask that you fill in a form (pdf or web) to start the process
- A large number won't get back to you for around a week or two and eventual responses appear to be written by a person
- A small number tell you they can delete some data but not all, e.g. Compare the Market. In the past I've used Compare the Market to purchase insurance products; that sale is linked to my personal details and so they cannot delete. I'm not sure why this is the case. Maybe there are compliance reasons, but it is a little worrying that these middle-men companies that live on commission either can't or won't erase my data.
The big one that's been mentioned in other HN threads on this is car rental companies. I made it a priority to deal with them first. They have all manner of sensitive information and their size, tenure and CX don't instil confidence in me.
Why waste 100 hours of my own time, minimum, going through my hundreds of thousands of emails ad hoc to find examples like receipts from 10 years ago from an obscure ecommerce site?
"Optus is not aware of any security events which would warrant revisiting the security obligations imposed on regulated entities," the telco's submission stated.
Despite concerns that data retention could create a ‘honey pot’ for hackers, telcos already had in place security measures to protect customer data they already retained for commercial purposes, the department argued.
“Given this, it did not follow that the proposed data retention scheme presented an unmanageable level of risk to customer privacy,” its submission stated. “The evidence to date supports that the existing data security arrangement have been effective.”
https://www.computerworld.com/article/3458462/data-retention...
> Data retention: Government gave Optus 'exemption' from encrypting metadata
> Editor, Computerworld | 17 JULY 2019 6:46 AEST
> Optus says that it would have struggled to comply with its legislative obligations without a decision by the government that exempted it from a requirement to encrypt all metadata collected as part of Australia's data retention regime.
The government 100% has some responsibility in this. I can’t express how much this pisses me off, and I’m not even an Optus customer. The OAIC, it turns out, is a farce.
In Israel you use your ID number, if a citizen, or passport number if not, in tons of transactions (as a citizen it somehow flows to your yearly taxes, not sure exactly), even stuff as mundane as getting gas needs an ID number.
If passport numbers are meant to be secret I suspect a lot of people are in for a rude surprise.
Can telcos do sufficient KYC without?
(Edited)
What more could they possibly do?
When the data companies want on you becomes a liability in case of data breaches, one of two things will happen:
1. They'll drastically improve their security
2. They'll stop asking for a lot of data just because they think they might use it later or because they want to sell it to others.