Over 300,000 attempts to use Australians’ data for fraudulent purposes have been blocked thanks to protection measures introduced following the notorious 2022 data breach at Optus, but doubts remain about whether the government is going far enough to protect people’s identities.
After some 10 million Australians saw their data compromised during the telecommunications provider’s data breach, the Albanese government moved quickly to mitigate harm for those whose crucial identity documents such as passports and driving licences were exposed.
Alongside a series of strategic and legislative changes, the government introduced a credential protection register in 2022 which has already detected and blocked more than 300,000 attempts to use Australians’ stolen data fraudulently.
Attorney-General Mark Dreyfus said the register protects those who have fallen victim to data theft from “suffering further harm”, namely by preventing their compromised credentials from being used as forms of identity.
“The Government acted swiftly to pass new laws to increase the maximum penalties for serious or repeated privacy breaches and establish the Identity Verification Service Credential Protection Register,” Dreyfus said.
“This rapid response will also help prevent black market sales of stolen identity credentials and disrupt other illegal activities that rely on those stolen credentials, such as scams, money laundering and fraud.”
The register prevents verification of known compromised credentials through the Document Verification Service (DVS) – a platform used by more than 2,600 government and private organisations to determine whether the details on a given identity document match those on its original record.
For participating organisations, this effectively stops compromised credentials from being used for fraudulent identity verification, albeit with one small (but undoubtedly necessary) caveat: the rightful owners of those credentials will no longer be able to use them for online verification either, because the DVS cannot tell a legitimate holder from a fraudster presenting the same stolen details.
New credentials issued following a data breach, however, will work as intended.
According to IDMatch, the inclusion of compromised credentials on the register is “automatically done by the organisation that issues the credential”.
Protection measures optional, not mandatory
Mark Culhane, director at Australian tech consultancy Zoak Solutions, suggests the register alone may not be sufficient protection for victims of data theft.
“Using the Commonwealth Credential Protection register and DVS is optional – even for the very specific subset of organisations with legal requirements regarding identity validation,” Culhane said.
He explained the register effectively requires businesses opt into the service, and further suggested the government may be overstating its overall efficacy.
“In my opinion, some of the federal government's publications regarding this initiative are potentially misleading,” Culhane said.
“I am not sure most Australians would understand that the register is part of an optional service that businesses could use, if they wanted to – but have zero obligation to use.
“Whilst it appears to be a useful 'option' – it is just an option. It does not address the market failure that exists for protection of our personal identifiable information.”
As noted on the government website IDMatch, before the register was established compromised credentials would simply verify through the DVS as though they were valid and belonged to the person presenting them, leaving the people whose details had been stolen exposed to identity fraud.
“[The Optus] data breach exposed the fact that after a wasted decade for digital reform, Australia’s laws and protections were woefully inadequate for the digital age,” the Attorney-General said.
The register was announced some three weeks after the Optus breach went public, during which time over a third of the population was left anxiously waiting to find out if they’d been affected and what actions were being taken to ensure their safety.
Dreyfus notes the Albanese government provided $3.3 million to “enhance” the initiative in 2023, forecasting speedier turnarounds as document issuers and other trusted organisations will be able to directly update the register in “near real time”.
“Australians increasingly rely on digital technologies for work, education, health care and daily commercial transactions and to connect with loved ones,” said Dreyfus.
“When they are asked to hand over their personal data they expect it will be protected.”
Since the disastrous data breaches at Optus and health insurer Medibank, the government has bulked up the maximum penalties for serious or repeated privacy breaches, passed a controversial, privacy-focused Digital ID Bill, conducted a lofty review of the Privacy Act and, in December last year, bolstered legislation for the Commonwealth’s identity verification services.