Data Breaches 2022 onward (including Optus)

Personal information?

It was more a rhetorical question than an enquiry.

Although a fair point to consider.
Are today's demands for greater ID and digital presence all the better to meet business needs,
or
are we the victims of our calls on the convenience of the digital world?

Is it our demands or the opportunism of enterprise that has led us to where we are now? Vulnerable to exploitation at the whim of digital enterprise and to loss through the incompetence of supposed lossless solutions.

The demands of the long arm of the law (tax and services included) and curiosity of government might be raised as another cause.

An aside:
For us not so young we can relate when all that was shared was a name and street/postal address. The electricity bill, telephone bill (only some had one), weekly or fortnightly rent etc were paid either over the counter or the cheque was in the mail.

My bank did once ask for where I worked, although sighting a current pay docket was sufficient. Thereafter presenting a passbook as evidence of being an existing customer usually sufficed, black light signature in the back a modern feature to free up custom at almost any branch. Few places including banks had photocopiers. My driver's licence resembled a tatty piece of folded paper with sex, height, eye and hair colour recorded in type added to the standard printed form. Valid until 1990. I found similar levels of identity were sufficient to record the details of my 19th century forebears in Old Maitland Gaol.

1 Like

I don’t look at it as being binary. I look at it as … it is more or less inevitable that entities that I deal with will be compromised and data will escape and/or entities will abuse data … how can I minimise the amount that escapes / is abused?

That means

  • whining at the government when the government is the problem e.g. caused the problem in the first place or e.g. failed to enforce the existing law
  • lying to entities where that is going to lead to acceptable (and legal) results i.e. provide false information
  • withholding information that is unnecessary and optional (a lot of entities just “try it on”)
  • refusing to deal with entities where a “normal” life is still possible but the entity displays great non-negotiable data avarice
  • where an entity gives options for how much data you have to sacrifice, choosing an option that is preferable (in the context of this discussion).

Everyone’s definition of “normal” may differ.

I think to an extent it becomes “abnormal” even to have to think about all those things every time some entity is seeking data - but that’s life in the Big Data Era.

4 Likes

This can be done in various ways. Middle name? Yes for this entity, but nada for this one and just the initial for entity number three - nothing illegal happening. Can your name be misspelt? Feel free to do so where there is no legal ramification.

Trying to combine masses of records from a variety of sources is an enormous task, and we can make it harder by using slight differences in or obfuscating what we give to all the places that demand information about us.

1 Like

I don’t have a problem with organizations knowing my name (of which there are many variations used), or DOB, or address, or email address (again many) or phone number (ditto previous).

Or unique keys into certain Gov functions. TFN, Medicare number, etc.

But to me the line in the sand is organizations other than the Government for purposes like birth certificate, passport, Medicare or driver’s licence, keeping a copy of official documents that authenticate my identity.

A utility or financial company may want to sight my driver’s licence or passport in order to start an account, but they should not be able to, or be required to, keep an image of that, or all the details on it. Which if leaked out could be used by scammers.

3 Likes

You mean like every club?

This of course falls squarely in the category of “problem caused by government”.

1 Like

No club I am a member of requires a copy of any authenticating document. What clubs would you be talking about?

You are right. I should have written: You mean like every licensed club?

They do a scan of your driver’s licence on entry if you are not a member.

1 Like

A breach that may impact consumers and customers of MS has been the subject of an article. It isn’t clear what may have been compromised yet, so it is a wait and see situation until MS decide to provide more information. HP were also affected by a breach around the same time by the same organisation, Russia’s SVR foreign intelligence service, even perhaps not just coincidentally.

Some Cozy Bear profile information

2 Likes

Clubs NSW have had a data breach losing control of visitors' details. Around 1 million people may have been affected. Why are the businesses retaining so much data?

A news article that also names a list of the clubs so far identified is linked

1 Like

This has been bugging me for years. Clubs are required to collect drivers licences and yet the drivers licence is the primary identification document in many contexts. The relevant law is fairly archaic and should really really be looked at.

Worse still, if you have a drivers licence, you can’t get an identity card (by government policy) - so you can’t even separate the high priority drivers licence for identification purposes from the identity card for getting into clubs.

Obviously Data Retention is a big problem. However what was the retention period in this case and what does the law require? (will vary from state to state in this case)

1 Like

Today’s: Mortgage lender Firstmac suffers cyberattack, customer data including driver's license numbers and banking details leaked - ABC News

Seems worse than average in terms of the type of data breached.

No word, that I could see, on the scale i.e. number of customers affected.

1 Like

Today’s: Australian government investigating 'large-scale ransomware' data breach of unnamed health organisation - ABC News

“Medibank” 2.0?

For reasons not clear to me, “they” are keeping the identity of the target company a secret. Details are scant in the extreme.

1 Like

It could be if they are still active within the business's systems, it allows the gathering of evidence which might not otherwise be possible. Outing the business may close off this opportunity.

Hopefully over time they might provide the reason.

1 Like

Assuming the system is still vulnerable, would knowing risk those likely impacted creating an overload of demand for access or on the call centres?

One could expect the attackers who have gained access are alerted by the revelation. It assumes they know when they have gained large scale access to a major health business. The reference to “ransom ware” says it all.

The immediate question is whether the breach has been shut down, or whether the provider’s systems are so critical to hour by hour delivery they cannot be simply turned off. I.e. the systems must remain active and accessible while efforts are ongoing to find and close the entry method?

I can wait.

1 Like

DELL lost control of 49 million client records; there is some concern about the level of details in the records.

The first one is explained in this article (Name address and order detail hacked)

but the same actor seems to have breached a second system in the same hack or perhaps a related hack of another one

When combined the loss of data is much more worrisome.

1 Like

It has been announced as MediSecure:

2 Likes

It is MediSecure. And they are offline.

2 Likes

Some background on the business and its services.

1 Like

Welp, so much for my private drug habits 🙄.

3 Likes

To refine my point, if not identifying the business is going to be the new normal, I would like to see the government lay out in some detail what the reason for the policy is and what criteria will be used to determine whether and when the business will be identified.

Putting that aside … why even bother to make a press release in that case?

By specifying “unnamed health organisation” they are casting aspersions unnecessarily on a large number of other companies (and this has been a generic complaint in the past about media stories that intentionally fail to name the person or other entity involved).

It should be obvious that if this was a ransomware attack, as claimed, then the intruder is not at all attempting to keep their access a secret - and the intruder can easily “out” the business whether the government or the business want that or not. (It is not credible to me that the intruder would not know the identity of the business upon whom they are intruding, in this scenario.)

Possibly but it should not be for us to speculate. It should be for the government to explain.

If they have exfiltrated data then they will know that.

Irony in the name not intended? 😉

Does the dreaded Data Retention strike again, then?

1 Like