The government has opened the door for Optus to share information about the 9.8 million customers affected by its data breach with banks and government agencies in the hopes of protecting them from fraud and other financial crimes.
Changes to the Telecommunications Regulations 2021 will allow Optus to tell banks and government service providers exactly whose information was exposed in the cyber security incident so they can be extra watchful.
It’s only a temporary measure lasting 12 months, but one which Communications Minister Michelle Rowland said was necessary to reduce the risk of fraud.
“What this is all about is trying to reduce the impact of this data breach on Optus customers and to enable financial institutions to implement enhanced safeguards and monitoring,” Rowland told the media last Thursday.
Numbers of ID documents, including passports, driver’s licences, and Medicare cards, were exposed in the Optus data breach, leading to concerns that certain customers had 100 points of ID leaked.
Optus confirmed a total of 1.2 million valid ID numbers had been breached and was called upon to cover the cost of its customers changing their passports and driver’s licences.
Only financial services regulated by the Australian Prudential Regulation Authority (APRA), excluding foreign banks, will be eligible to access data about who was affected by the Optus breach.
But they can only use the data to prevent and respond to cyber security incidents, fraud, scams, or identity theft.
Banks that take on the data will have to agree to a set of protocols about how it is handled and must provide “written attestation” that they will manage the data in accordance with APRA’s information security standard.
Anna Johnstone, founder of consultancy Salinger Privacy, called the government’s amendments “privacy theatre” and called for meaningful reform of Australia’s privacy laws.
“Privacy advocates and industry experts were right about the dangers of legislation creating honeypots for hackers by requiring telcos to collect and store identity data,” she wrote in a blog post last week.
“So those with privacy expertise should be listened to now, instead of the political classes blindly coming up with ‘we have to do something’ ideas masquerading as solutions.”
Johnstone warned that letting Optus hand over its data to banks so they can figure out which of their customers might be at risk results in a situation in which personal data is “swilling about multiple organisations, including some whose data security may be no better than Optus’s was”.
“This makes the honeypot problem so much worse, and saddles those organisations with a bigger cybersecurity risk profile to manage,” she wrote.
The difficulty of sharing this kind of data is demonstrated by Services Australia’s description of its data matching arrangement with Optus.
Services Australia said it will use data about the breach to flag people whose identity has been compromised and “apply proactive security measures” on their records.
But first, as per the published data sharing protocol, it has to get the data from Optus either by secure email, via a government document sharing platform such as Macquarie’s SIGBOX, or on a USB drive.
If needed, Services Australia will cleanse the data on an air-gapped machine before migrating it to a “secure shared drive” on the government agency’s network.
Services Australia promises the Optus data will be protected by “security features” such as “passwords, two-factor authentication, and security groupings”.