As time passes we are starting to see more considered comments on the issue.
Here for example:
Optus data breach reveals ad hoc and immature response system
The near 10 million Optus customers at the centre of the identity credential scandal were essentially left to fend for themselves.
Tom Burton Government editor
Oct 2, 2022 – 2.39pm
Revelations that nearly 10 million Australians have had key identity credentials potentially breached finally provided the shock needed to modernise the country’s antiquated data management, security and privacy systems.
For years, under intense lobbying from financial, payment, telco, media and marketing interests, Australia has slow-walked reforms that would create a trusted, secure, reliable and efficient regulatory regime to manage the burgeoning digital economy and the data that fuels it.
Identity theft, fraud, criminality and scams have ballooned amid a plodding, patchwork response from policymakers. A 2017 Australian Institute of Criminology study found one in four Australians had been a victim of identity crime at some point.
That was before COVID-19 “uberised” the online economy, opening a cornucopia of opportunity for bad actors. The emergence of near real-time payment systems has also created a new fertile field for scammers. Officially known as Authorised Push Payment (APP) fraud, a typical scam involves bad actors duping renovators or property buyers into sending payments to them rather than the legitimate builder or vendor.
Privacy backwater
Attempts to require lenders to confirm account holder details (the name of the account) before making these payments, for example, have been resisted by Australian banks. This is despite a 35 per cent drop in fraudulent and mistaken payments when British authorities mandated confirmation of payment for intra-bank account payments.
At the same time, privacy regulators have been pleading for stronger enforcement powers, with graduated and meaningful penalties and straightforward powers for courts to award compensation.
As Home Affairs Minister Clare O’Neil noted, if Optus had breached basic privacy protections in other jurisdictions (notably Europe and California), it would be facing fines in the hundreds of millions of dollars.
Australia is almost alone among Anglo peers in not having any personal right of privacy nor any broader tort under which to sue for privacy breaches.
Vastly more here:
Also here:
Optus fiasco shows how lost we are on digital security
11:00PM October 2, 2022
One good thing about crises is that they provide opportunities to learn. We will be working through the consequences of the cyber attack on Optus for years.
A steadier government voice on the Optus mess has been Clare O’Neil, Minister for Home Affairs and Cyber Security. Last week she told Channel 9’s A Current Affair: “It’s really important that everyone enters this conversation with a little bit of humility. The truth is we are probably five years behind where we need to be with cyber security in this country and government is not immune from that.”
Few players come out of this crisis with reputations intact. The government’s handling has involved multiple ministers all separately racing to sheet home blame to Optus for what, frankly, is a shared responsibility.
Optus must carry the blame for what, on our current knowledge, looks to be a human not technological error exposing over 10 million customer records via inappropriate testing of an application program interface.
A knowledgeable cyber specialist told me a savvy 15-year-old could have achieved this hack. Time will tell if that is true, but we should be sceptical for the moment about online claims of responsibility. Optus carries responsibility for the cyber breach but setting the policy framework for cyber security is squarely a government task and managing the consequences of breaches is shared between the public and private sectors.
There is a lot of blame to be shared. While the Morrison government did strengthen national laws around the security of critical infrastructure, it unaccountably chose to exclude telecommunications providers from the more stringent reporting and management rules set out in the 2021 Security of Critical Infrastructure Act. It was claimed existing telecommunications laws would “better manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities”.
More here:
And here:
The easy way to prevent a data breach: don’t collect data
They also have to hand over their email address and phone number.
Regardless of whether they opt into Sonoma’s mailing list, its ordering app – written by the Brisbane-based hospitality software provider Bopple – won’t let them pay for their coffee and baked goods if the email and phone number fields are left blank.
Anna Johnston, a former deputy privacy commissioner for NSW, who now runs the consulting firm Salinger Privacy, says it’s an example of the excessive and oft-times illegal data-gathering that has crept into Australian society since COVID-19 got everyone in the habit of pulling out their phones and checking into government apps whenever they entered an establishment.
Attorney-General Mark Dreyfus, responding to the Optus data breach last week, promised to crack down on excessive data harvesting, which is believed to have exacerbated the problems caused to Optus customers by exposing Medicare, driving licence and passport details that the telco may not have been required to keep.
“For too long, we have had companies solely looking at data as an asset they can use commercially,” Mr Dreyfus said.
“We need to have them appreciate very, very firmly that Australians’ personal information belongs to Australians. It’s not to be misused, it absolutely has to be protected. And if the Privacy Act is not getting us those outcomes, then we need to look at reforms to the Privacy Act.”
But collecting email addresses and phone numbers of customers just to take an in-store coffee order or allow someone to make an in-store purchase could be a breach of the existing Privacy Act, Ms Johnston said.
One necessary reform is as simple as funding Australia’s Privacy Commissioner to police the law.
“It’s symptomatic of a failure of Australian businesses to constrain their collection of personal information,” Ms Johnston told The Australian Financial Review.
Data collection practices that had become prevalent since COVID-19 were “absolutely excessive”, she said.
“What was necessary for public health reasons in a pandemic is entirely different from what’s necessary just to order a coffee.
“There is a widespread failure of businesses to understand that there is actually a law that says you’re not supposed to collect personal information unless it’s reasonably necessary for a particular function.
“And it’s not necessary to collect someone’s name or email address or phone number just to order a coffee.”
The best data security can have to prevent a data breach is to not collect the information in the first place.
— Privacy expert Anna Johnston
Bopple did not respond to questions about why its app required customers to enter their personal information when it already knew which table they were seated at. It also did not respond to questions about its data retention and destruction policies, and about its cybersecurity standards and history of data breaches.
In its app, which it “white labels” to several hospitality chains around Australia, customers are informed that “unless you opt in to receive new and exclusive offers, your phone number will only be used to communicate with you about your order”.
But on its website, Bopple points its hospitality customers to other advantages of collecting data from customers using its app.
“Build a customer database and own the data. Track ad performance and re-target your most valuable customers to drive repeat sales,” the company advertises.
Online marketing
Elsewhere on its site, under the headline “Online marketing channels collect a lot of data – use it”, Bopple tells its customers: “With [direct-to-consumer] marketing being heavily online, it’s easy to gather customer data and get a clear insight into buying behaviours.”
Alexander Avramides, managing director of Sonoma Baking Company, which runs the bakeries, said “Sonoma has never had cause, nor has it ever accessed the customer data collected by Bopple.”
Giving customers no option but to enter their personal details when ordering in-store was a default setting in the Bopple app that Sonoma was unable to change, he said.
In response to questions from the Financial Review, Mr Avramides said “Sonoma has requested this option and is waiting on a reply from Bopple”.
More here:
When you put all this together it is totally clear that the Optus event is a sad symptom of regulatory neglect and a failure of both Government and Business to take seriously the responsibilities to protect our private personal data.
It has been a situation of ‘so far, so good’ while waiting for a problem to arise! Well arise it has and we need an effective, considered and in-depth response – and at speed and with care.
Frankly when compared with the approach of Europe with the General Data Protection Regulation (GDPR) we really can be seen to have totally dropped the ball – with even California and a whole range of other countries adopting the EU model holus-bolus!
See here:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
We really only have ourselves to blame for the mess we are in and it is up to Government and Industry to work urgently to get Australia into the 2020’s.
It is really pretty sad just how the privacy and security expectations of Joe Citizen have just been ignored - largely to save money I suspect!
If you have been damaged by this mess you really do have the right to be ‘pretty bloody angry’ at the slack incompetents who just chose to do nothing and wait for the hammer to fall!
David.
If you need to renew your passports or other government document prepare for a very very long wait. The existing queue was 6-9 months, there is no priority and you don’t get updates.
Gee, things must have got worse. I renewed my Australian passport in May. It took 4 weeks from application to being delivered.
Does appear that to fast track (6 weeks) you need to pay $225. There does appear to be extended delays but cannot confirm 6-9 months.
I cannot see the passport office dealing with an influx of renewals due to Optus - if you need to renew multiple forms of ID then 6-9 months would not surprise me. I have experienced the lack of progress update, the government departments are terrible for it and the more “digital” they get the more withdrawn they get.
As I have so often observed the more widespread the use of various forms of digital health applications the greater the amount of fragmentation we are seeing across the health system.
"As I have so often observed the more widespread the use of various forms of digital health applications the greater the amount of fragmentation we are seeing across the health system."
That can't possibly be true. My Health Record was designed to solve the data fragmentation problem, so that's all you need. Just go to a patient's My Health Record and it will all be there, automatically and without any fuss.
And everyone lived happily ever after.
So, children, that's the end of the fairy story. You can go back to reality now.