A significant data breach at Australia’s second-largest telco has underscored the need for businesses and government agencies to minimise the sensitive personal information they store, and renewed calls for a mechanism for consumers to seek compensation.
Optus on Thursday revealed a cyberattack had resulted in the disclosure of personal data belonging to current and former customers, including driver’s licence and passport numbers for a “subset of customers”.
At a media briefing on Friday, Optus chief executive Kelly Bayer Rosmarin said the worst case scenario for the number of records accessed is 9.8 million, but that it would likely be significantly less.
She also said it was too early to determine whether the attack – described as “sophisticated” – was at the hands of a criminal organisation or a state-based actor, with “no ransomware demands” yet to be made.
The Australian Federal Police on Friday received a referral from Optus “about an alleged mass data breach” and will now conduct a “complex, criminal investigation” with the assistance of the Australian Signals Directorate.
Ms Bayer Rosmarin said Optus customers should expect a notification in the “next couple of days” that outlines what data has been exposed, with priority given to those customers with the most compromised data.
In the meantime, the Australian Competition and Consumer Commission’s Scamwatch has urged Optus customers to take steps to secure their accounts, including by changing account passwords and enabling multi-factor authentication for banking.
But the extent of the data breach – which could end up being one of the biggest by an Australian company – calls into question the need for organisations to hold onto such sensitive data, and whether identity documents in use remain fit-for-purpose.
Electronic Frontiers Australia chair Justin Warren said the data breach was the latest example of an organisation failing to “keep our information secure” and urged changes to the Privacy Act to address “systemic problems”.
“The Privacy Act must be amended to prevent organisations from collecting and storing information they don’t truly need. There must be penalties for systemic failures to keep our information safe, and they must be enforced,” he said.
Mr Warren called for a “private right of action”, which has long been recommended by the Australian Law Reform Commission and was canvassed as part of the ongoing review of Australia’s privacy laws.
A direct right of action, as the Office of the Australian Information Commissioner refers to it, would give individuals greater control over their personal information by “providing an additional avenue of redress under the Privacy Act”.
Mr Warren said the restrictions and penalties must be “particularly strong” for those organisations collecting and storing personally identifiable data, especially sensitive documents like passports and driver licences.
He said this would create a “very direct financial incentive” for businesses and government agencies to protect the information they need to store and jettison the data they don’t.
Mr Warren also called for the federal government to “stop passing legislation that requires collecting too much private information”, pointing to laws like the Telecommunications (Interception and Access) Act.
“If these organisations don’t collect the data, then they get into trouble from the government or regulators, but if they over collect the data nothing happens. Well, not nothing, we get a data breach and we as individuals suffer,” he told InnovationAus.com.
Digital identity is regarded as one way to help minimise the sensitive data stored by businesses and government, but this is complicated by the need to identify someone if they misuse a carriage service, for instance.
“What we need is a way to provide assurance that a person is authorised to act in that way, it doesn’t actually mean you need to know who I am,” Mr Warren said while pushing back against the government’s existing digital identity system.
“If you could do that without having to hand over, certainly permanently, any of these identity documents that can then get lost. If there’s a privacy preserving way to be able to do that over the internet, that would help.”
“That sounds like a great thing to start working on now that computers have arrived here in 1960.”
The Privacy Act review is also investigating whether a statutory tort for serious invasions of privacy is needed, the effectiveness of enforcement powers and the feasibility of an independent certification scheme to monitor compliance.
The Attorney-General’s Department is expected to present the government with a final report from the review before the end of the year, which Attorney General Mark Dreyfus has said will be used to reform the legislation for the “digital age”.
Mr Warren said that any laws to result from the review would still need to be “passed and not watered down and not changed” in favour of vested interests.
“We need to make it so that personal data is a liability not an asset for these companies. Data is the new asbestos,” he said.
