
Australia To Overhaul Privacy Laws After Massive Data Breach (theverge.com) 32

Following one of the biggest data breaches in Australian history, the government of Australia is planning to get stricter on requirements for disclosure of cyber attacks. From a report: On Monday, Prime Minister Anthony Albanese told Australian radio station 4BC that the government intended to overhaul privacy legislation so that any company suffering a data breach was required to share details with banks about customers who had potentially been affected in an effort to minimize fraud. Under current Australian privacy legislation, companies are prevented from sharing such details about their customers with third parties.

The policy announcement was made in the wake of a huge data breach last week, which affected Australia's second-largest telecom company, Optus. Hackers managed to access a vast amount of potentially sensitive information on up to 9.8 million Optus customers -- close to 40 percent of the Australian population. Leaked data included name, date of birth, address, contact information, and in some cases, driver's license or passport ID numbers. Reporting from ABC News Australia suggested the breach may have resulted from an improperly secured API that Optus developed to comply with regulations around providing users multifactor authentication options.

  • Closing the door on this one is a bit late. I'm also confused as to why they want the companies losing your data to notify banks.

    any company suffering a data breach was required to share details with banks about customers who had potentially been affected in an effort to minimize fraud. Under current Australian privacy legislation, companies are prevented from sharing such details about their customers with third parties.

    Dumb Company A loses your data, Now Banks B put you on a watch list. What I don't see is what is done, if anything to notify the consumer.
    Data breaches are on the rise and companies that have lax standards, poorly written software, and obscure policies in dealing with violations need more skin in the game. In the US "we'll buy you a year of credit monitoring" isn't cutting it anym

    • by Gimric ( 110667 )

      There is already legislation in place that requires data breaches to be reported to customers. The discussion about telling financial institutions comes about because the Optus data breach included enough points of ID to open a bank account and carry out fraud. The idea is to warn banks that they need to take extra steps to verify the identity of people whose details have been leaked.

      Optus has already announced that they will provide one year of credit monitoring. Meanwhile, some Australian states won't let

      • There is already legislation in place that requires data breaches to be reported to customers.

        How about we actually put in some effort to stop the breaches? I know, I know, the CEO really needs Password1, to be his because his kids want to play with his iPad at home to surf pron, but otherwise, this has happened, is happening, and will continue to happen.

        A year of credit monitoring means absolutely nothing at all.

        The people pulling these stunts have enough CC information they can wait 2 years or more.

        I suspect a majority of humans who have banking and credit cards are already pwned. Just a

        • by Gimric ( 110667 )

          Would be nice if CEOs prioritised information security in order to prevent breaches. The Optus breach appears to be the result of an unsecured API used for testing. Completely irresponsible for a major Telecom.

          The problem is that there doesn't seem to be any real repercussions to large companies for data breaches, so they just don't care.

          • Would be nice if CEOs prioritised information security in order to prevent breaches. The Optus breach appears to be the result of an unsecured API used for testing. Completely irresponsible for a major Telecom.

            The problem is that there doesn't seem to be any real repercussions to large companies for data breaches, so they just don't care.

            Good grief - not even a challenge to break into. Yes, and this sort of thing will keep recurring until there is a CIO or another who has veto power over the entire C-Suite in these matters. People who do not understand computers and networking will not prioritize them, and look at people concerned about security as a bunch of paranoids.

            For all of the security theater over passwords and the usual blame the victims, it almost always boils down to simply giving the data away with no hurdles.

      • Optus has already announced that they will provide one year of credit monitoring.

        Ah, the thoughts and prayers of data breaches.

  • by BardBollocks ( 1231500 ) on Monday September 26, 2022 @02:01PM (#62915557)

    laws to disclose breaches are not the solution.

    Not storing data for the purposes of monetizing it and having everything possible stored with Zero knowledge and no idiot backdoors is the solution.

    An entire industry has been created spying on us (insert alternative euphemism if you can't handle the word spying) and that data makes us vulnerable, not only to idiots in intelligence agencies and government, but to hackers.

    We can't let these industries put their financial gains above the public's safety and privacy.

    Good luck getting anywhere with legislation - though it is a good litmus on how corrupt a political process has become when Big Data Profits and Surveillance trumps the public interest.

    • Re: (Score:2, Offtopic)

      laws to disclose breaches are not the solution. Not storing data for the purposes of monetizing it ...An entire industry has been created spying on us (insert alternative euphemism if you can't handle the word spying)

      This is about a bank data breach. I think banks really do need to know their customers' names and addresses and bank account numbers. This is not "spying;" if banks don't know their customers' bank account information, it's kinda missing the point.

    • laws to disclose breaches are not the solution.

      Yah, you're right about that.

      Not storing data for the purposes of monetizing it and having everything possible stored with Zero knowledge and no idiot backdoors is the solution.

      Merely collateral damage. The bad guys have your Credit card already, and probably your checking and savings. They have so much information on almost everyone, it's just a matter of who gets chosen when to exploit.

  • "second-largest telecom company...Leaked data included name, date of birth, address, contact information, and in some cases, driver's license or passport ID numbers."

    Can someone please explain why a telecom company has drivers license or passport ID numbers?

    No, I'm not saying other countries are any better with this abuse. Pisses me off when some random service provider asks for anything more than name, address, and contact information. The hell do you need identity-robbing amounts of PII for in order to sell me a phone line.

    More citizens should start asking WHY when they ask for this kind of information.

    • "second-largest telecom company...Leaked data included name, date of birth, address, contact information, and in some cases, driver's license or passport ID numbers."

      Can someone please explain why a telecom company has drivers license or passport ID numbers?

      Australia doesn't really have a SSN equivalent. There's your tax file number, but that's only for tax purposes and has never been used as an identification number. The nearest thing there is is the driver's license number or the passport number. Both are verifiable against government databases.

      Years ago, there was a push for a national identification system called the Australia Card. Massive public backlash killed the proposal, even though the government of the day fought hard to get the legislation through

      • ...Thus, banks and other major institutions (such as telcos) need to rely on secondary forms of primary identification such as passports and driver's licenses.

        Uh, hold up there. A "telco" no matter how large, is not a bank. The porn industry is massive globally. Does that mean it's a "major institution" on par with a bank? No.

        Again, tell me WHY a provider of phone service needs to identify a customer to that degree. I provide a service, you pay a bill. You don't pay the bill, I shut off the service. Within 30 days, and you charge a deposit to cover risk of non-payment. it's that simple.

        Reason it's not is because your PII is being bought and sold for prof

        • Uh, hold up there. A "telco" no matter how large, is not a bank.

          It's not a bank, but it is providing credit - whether it's the post-paid plan that you're on, or the purchase plan for the mobile device attached to the plan. They need to know who you are so they can run credit checks to determine if they should provide a service to you.

          Again, tell me WHY a provider of phone service needs to identify a customer to that degree. I provide a service, you pay a bill. You don't pay the bill, I shut off the service. Within 30 days, and you charge a deposit to cover risk of non-payment. it's that simple.

          And what about the $2,000 phone that I got on a purchase plan, but I suddenly decide "nope, not gonna pay for that anymore?" Under your plan you might have some money from me already, but you'll likely be out for a very large part of the co

        • by Gimric ( 110667 )

          In Australia even a pre-paid mobile phone requires some basic ID. You can't have an anonymous mobile phone number, it has to be linked to an identifiable person, hence the ID.

          Why they need to retain it in an easily accessible way doesn't really make sense. Should be air-gapped if at all possible.

          • by twosat ( 1414337 )

            In New Zealand I can buy a prepay SIM at the supermarket and get an anonymous phone number, no questions asked or ID required.

            • In New Zealand I can buy a prepay SIM at the supermarket and get an anonymous phone number, no questions asked or ID required.

              That's because NZ is an infinitely more sensible country than Australia (says an Australian)

            • In New Zealand I can buy a prepay SIM at the supermarket and get an anonymous phone number, no questions asked or ID required.

              OMG! New Zealand enables evil terrorisms!!1!

              Oh, wait, no. It's fine. It's almost as if Optus in Australia just harvested this data, then retained it in case it could be useful later. Fuck Optus, and fuck the Howard government's "terror" laws for enabling this sort of nonsense.

    • Can someone please explain why a telecom company has drivers license or passport ID numbers?

      While they are at it, could they also explain why the compass app on my smartphone needs to access its camera. I'm obviously not smart enough to understand these things, so in words of one syllable please.

    • Re:Ask WHY. (Score:4, Insightful)

      by _merlin ( 160982 ) on Monday September 26, 2022 @04:12PM (#62915961) Homepage Journal

      Post-9/11 paranoia. You used to be able to get a SIM card with no ID at all, but after 9/11, they got paranoid about terrorists using mobile phones to detonate bombs and instituted ID requirements. Since then, you need to provide ID like a driver's license or passport to get mobile phone service in Australia.

      • Damn near half a country had their PII leaked, all because police officers wanted to be able to use a label maker to put a name on the baggie of burnt dust that used to be a terrorist?

        You sure they didn't just get paranoid FOMO as other countries profit massively off the buying and selling of PII, 'cause I have this craaaazy follow-the-money theory...

        • by _merlin ( 160982 )

          Nah, it's just because law enforcement wanted to be able to tie a SIM card to a person. "Terrorism!" was a convenient way to get the law passed to allow that, just like all those other intrusive laws passed around the world after 9/11. You know the old saying, never let a tragedy go to waste.

          • It's rather ironic they took advantage of 9/11 as the excuse for that, since we were literally staring at names and student ID pictures of the 9/11 terrorists almost immediately after the attack, since they received flight training as US students.

            And law enforcement certainly aren't the business entity profiting massively off the buying and selling of customer data. If you need to collect it for law enforcement mandate, fine. You don't get to sell it.

    • A lot of people get their phones on a plan or with a handset bundled in, which requires a credit check, as the Telco is basically leasing you a phone with no residual.

      In Australia for a credit check you need 100 points of ID which include a mixture of the above.

      These are split into 30 categories where you need 1 with a photo ID.

      Optus specific: https://www.optus.com.au/for-y... [optus.com.au]

    • There is some legislation, that expects really bad people to use their real name when obtaining burner phones. Today OPTUS told me I must physically come into one of their offices and present ID as they cannot SMS me on a prepaid number not used in 2 years. There is no office in USA - or Antarctica or APY land, Melville island etc. If you are blind/can't drive or rural remote - you get nothing. Not that I would trust them with a brand new passport and Mil card as they already leaked plenty!
  • Because in case of fraud, the banks have to reimburse the customer. Their loss. Bank lobbies want to curb that. And because other industries make money out of your data of course.
  • Laws requiring companies to notify you of a breach are only useful if the company is aware of a breach. Better still would be to require minimum standards for data storage, and significant penalties (preferably to the CEOs) for not complying with them.
  • The only way that companies take privacy and cyber security seriously is to make the punishment for breaches eat into their bottom line in a big way. Not a $100K fine for a company that makes millions of profit. Make it a sizeable percentage of profit, distributed to the customers that are affected. The company will either put proper safeguards in place or stop doing business. "We take your privacy seriously" is probably the most meaningless statement on a company's website these days.
