Data Breaches 2022 onward (including Optus)

Some fallout most don’t think about, and there are so many similar lapses regarding new Australians from transnational pensions to tax (equalisation) treaties. An interesting comment from the US is for US passport holders not to worry so long as they have their passports in hand - somewhat different from the local version? Or could it be hubris to cap concern?

That jumped out to me too. What the US spokesperson is saying is not wrong and applies equally to any chip passport, regardless of country, including Australia, but that is limited by the fact that the spokesperson clearly didn’t understand the actual problem.

Remember what passports are actually for? What the US spokesperson said applies to this case. Just because Optus data got breached doesn’t mean that someone can clone your US passport and travel across international borders pretending to be you. As long as you still physically have your US passport, there is no need to report it as lost or stolen and get a replacement passport.

However when passports are abused for identification purposes by a telco (as compelled by Australian law) that’s where the problem is - since the passport and basic personal data that was leaked is sufficient for someone else to pretend to be you when setting up a new customer account with a telco. Perhaps they don’t do this **** in the US and that’s why the US spokesperson genuinely didn’t understand.

Again, the onus is on the Australian government to think about the problems here and consider whether they can improve upon the current regime as far as it relates to new arrivals. Clearly the government is in a much stronger position as it relates to new arrivals since the government can very rigidly determine the conditions, restrictions and procedures for entry. Or maybe they just don’t care. No votes in it for sure.

1 Like

The strength of a modern passport is when it is used at a border control and with the supporting government database as a reference/ID check.

The weakness when used as an ID check for financial services is the lack of immediate access to the same level of security.

Is the greater risk someone using your passport details to produce a fake passport or simply using your dob etc to facilitate a scam/fraud by other means? I suspect the second to be most likely.

Aside from border security or for a DL a police officer, does anyone ever check the photos on a doc are correct per the originally issued?

True except you don’t necessarily need a database. The information on the chip can be digitally signed using public key encryption and the public keys can be, well, public and hence available offline and to all and sundry. With that information alone it is possible to verify that the passport was validly issued by the relevant government and that it has not been subsequently tampered with (and also obviously that it has not expired).

So if I use my Australian passport and front up in, say, Singapore, the Singapore border authorities can perform the above verification on my passport without ever having access to the Australian passport database (which Australia would not likely want to give access to, for any country).

Hence

in theory this need not be true if you are physically present in a branch (if you can get to one these days :slightly_frowning_face:).

If you are just using the document number online then, yes, it is much weaker security - and a drivers licence (excl Vic, Qld) may in fact be more secure at the moment.

I agree. In terms of the number of fraud events per year, in my opinion, the latter would be much more prevalent.

In theory though, for a chip passport, it is not possible to make a fake passport (unless you are the issuing government, which does happen).

Good question. I had a look at the prepaid mobile regulations (since I downloaded them the other day in relation to the Optus hack and the discussions here) but they do not explicitly state this. They could be taken to imply it.

Also those regulations allow a telco to create, lodge and use a compliance plan of their own devising providing that it is approved by the government. It is possible that some telcos have done that and it is possible that such a plan may explicitly require the photo to be compared with the person.

The recent data breach of Optus customer identity data brings up a lot of questions:

  • Why did Optus retain the identity information longer than they were required to?
  • Why are the federal government requirements for pre-paid mobile phones also used for post-paid telephone (and internet) services? Isn’t this an overreach?
  • Should the federal government requirements for establishing identity of purchasers of pre-paid mobile phones (and SIM cards) be changed so that once the identity data has been used for this purpose it is no longer stored - rather like once credit card information is used for a transaction it is not stored? Or, as this is a government requirement, make the government responsible for using the identity data for this purpose, and also for proper disposal & retention of the identity data.
  • Does Australia need penalties for companies using information for purposes other than the legislated purpose? For example Qld law says that drivers licence is only to be used to establish ability to drive on public roads (and not for shopping rewards systems, buying a phone, entry to council garbage disposal sites, etc)

Maybe so. But this is in direct contradiction with what the government currently demands. The government currently demands that the telco retain sufficient data to demonstrate compliance with this particular part of the law for the entire time that the service is active - and then some data must be retained for 2 years after the service is deactivated - and then the government encourages telcos to retain the latter data longer.

I already proposed a technical solution to this but I really don’t think the government has any inclination to take ownership of this problem.

Would that apply to governments as well? :wink:

Logically the same government identification requirements should apply regardless of whether pre-paid or post-paid. Logically, if one were easier to rort than the other, wouldn’t criminals simply gravitate towards the easier one?

The commercial requirements may in fact be more severe with a post-paid service since they are extending you credit. In addition, the provision of credit may then trigger additional government requirements.

39 posts were split to a new topic: Medibank data breach

Another day, another data breach.

AFP classified documents hacked in data leak, exposing agents fighting drug cartels - ABC News

While this is not the Australian government, it is the Colombian government, it is nevertheless embarrassing for the Australian government, and ultimately could be far more dangerous than the Optus hack. These drug cartels don’t have much of a sense of humour.

5 million AFP emails and tens of thousands of documents were hacked

the details of 35 AFP operations

Great …


Woolworths Group's MyDeal hit by breach exposing data of 2.2 million customers - ABC News

Woolworths Group completed the acquisition of approximately 80 per cent of the online marketplace MyDeal.com.au on 23 September 2022.

The Woolworths Group said none of its other platforms or the Everyday Rewards records had been impacted.

Presumably, given the recency of the transaction, that level of integration had not yet been achieved (fortunately for existing Woolworths customers).

I must admit that I had never heard of MyDeal but from the sounds of it, you are only at risk if you were an existing MyDeal customer, before or even long before the acquisition by Woolworths.

It said MyDeal did not store […] drivers licence or passport details

You think? Of course they don’t collect, much less store, these details … because they are not required by legislation to do so. (It should be the opposite. They should be barred by legislation from doing so.)

If I signed up to a random web site and it demanded drivers licence or passport, I would forget about using that web site.

3 Likes

Online wine seller Vinomofo suffers major data breach

Online wine seller Vinomofo has disclosed a major data breach in which an intruder accessed customers’ personal information including names, dates of birth, addresses and contact details.

In a statement posted online, Vinomofo said the intruder accessed a database on a testing platform that was not linked to its primary website. It nonetheless contained real customer information. {Italics added}

Sound familiar?

3 Likes

More than 85,000 applications for new Queensland licences after Optus hack
Queensland Optus hack victims lodge driver licence renewal applications - ABC News

1 Like

And another one.

But why don’t we hear about the hundreds of data breaches reported each year?

https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2021

1 Like

Convenient timing. Hold your reporting until two other large breaches are reported, and you end up just looking like the minor breach in comparison.

2 Likes

The designer behind Australia’s most famous logos says Optus needs a rebrand

“To me [the size of the hacks] basically say they never had a serious security system in place for that to happen. Well, that’s not good enough. And they need to clearly do something about it.”

That is pretty straight to the point. But then …

The mastermind behind some of Australia’s biggest logos and brands says scandal-plagued Optus and Medibank may need to completely rebrand or change their names in a bid to halt an exodus of customers.

Hulsbosch designed the logo and brand for Qantas that was used from 2007 to 2016 – and said decisions about the angles of letters, the tones of the red, and the shape of the iconic kangaroo at the tail of every aircraft were all based on building trust for the Spirit of Australia.

So if Optus and Medibank change their names and get the font right all will be well. Obviously by altering their names nobody will associate their failures with the new name. What a cunning plan!

But does it work the other way? Maybe if Ioseb Jughashvili didn’t become Joe Stalin the world would have been a better place.

Silly me, I thought a trustworthy reputation came from showing that you are trustworthy. Marketdroids’ minds must be wired differently, or they just excel at self promotion.

4 Likes

Choosing the wrong logo can apparently be a bit of an issue. (Warning: contains some things you cannot unsee.)

2 Likes

Sometimes what is wrong is too subtle or too ambiguous to be a problem for anyone but, well, a logo designer.

Definitely some LOL moments there but, for me, the out and out English language fail is #26. Maybe it is safer in Swedish.

I think #12 might actually be an example of “epic success” i.e. there’s no such thing as bad publicity. You’ve never heard of this company. Their logo goes viral with the internet’s derision but now they have brand recognition that money can’t buy.

However perhaps we stray a little too far from Data Breaches.

1 Like

I think a lot will depend on whether they get their messaging right.

If most people see them as victims (which is literally true but in practice more complex) then the public may be more forgiving.

If most people see them as reckless and irresponsible with the corporate handling of the public’s data then rebrand or M&A.

You can see the former in Medibank’s messaging where they bluntly refer to “criminals” several times.

You can see the latter in the government’s messaging where they talk of increasing the fines to an attention-grabbing $50m. (It’s a pity that the government is more part of the problem than part of the solution.)

Edit: PS And obviously companies can point out that government is part of the problem (e.g. forcing them to collect passport numbers, drivers licence numbers, … and forcing them to retain the data for X years after the customer ceases to be a customer). So that should be part of their messaging too.

12 posts were merged into an existing topic: Security by encryption, salting, hashing, obscurity and other means

Another day, another breach: Real estate agency Harcourts reveals data breach, customer details potentially accessed by unknown third party Harcourts Melbourne City real estate agency advises customers of data breach - ABC News

This is particularly concerning because of the large sums of money involved in real estate, and the government’s obsession with mandatory data collection, which among many other sectors also applies here.

1 Like

As I posted back in 142, the number of reportable and reported breaches is far greater than we hear about in the news.
The rules were expanded on July 1 this year, and I suspect we will see far more this year than last.

But we will just treat it as ho hum not unlike Covid19 has become.

Another day, another …
A cyber attack targets a technology group which provides services to government departments, with hackers believed to now hold stolen data.
Technology group providing services to Victorian government departments hit by cyber attack - ABC News

For a change, this does not include me, as I am not in Victoria. Well I hope so anyway …

Lots of updates on the Medibank breach e.g. Medibank refuses to pay ransom for hacked data as affected customer number doubles to 9.7m - ABC News

For my personal data breach journey … I spent a long time on the phone to Medibank the other day and they were quite unable to tell me when/whether they had deleted my data (as an ex-customer, left many years ago).

They are able to authenticate me, so I think that is a bad sign. If they had truly deleted me then they would also be completely unable to authenticate me.

One thing that emerged from that call is that the state government is not the only problem here. The Federal government is also a problem, on account of Lifetime Health Cover (LHC).

It is an unholy trinity of governments, corporations and hackers. Who will cut the Gordian Knot?

2 Likes