Data Breaches 2022 onward (including Optus)

It’s the “Impossible Dream”?

Reference outgoing ACCC deputy chair Delia Rickard.

Ms Rickard has called for a “major review” into the massive quantities of data businesses are collecting on customers and how they’re storing it, saying the hacks of Medibank and Optus should be a wake-up call as millions face having their private lives exposed by criminals.
“My daughter got a rental recently – I was appalled beyond belief by what she had to hand over,” Ms Rickard said.
“[They wanted] a tax file number, Medicare and passport documentation.
“It’s really worrying, because you don’t know, even if they take it, you have to email it and that’s an additional vulnerability. You don’t know what they’ve done with it, do they keep it forever?”

Now that the ACCC is on to it, it will only be a matter of time before….? :roll_eyes:

Don’t forget the industry is very very valuable, and may argue it’s needs with great gusto.
More than 3 million Australian homes are rented (31% of properties). The cost of the average rentals nationally is more than $500 per week. IE $1.5 billion weekly turn over or $78 billion annually. Agents take around 10% of the turn over.


I detect your cynicism but this is really an issue for government. The ACCC can only (attempt to) enforce the law as it is written. It is up to the government to say: enough is enough (and we are part of the problem).

Yes, rentals are an ugly new front in the data wars. It’s fairly obvious that the average property manager doesn’t have as strong IT resources as an Optus or a Medibank and yet even the latter were compromised. So if I were handing over those details to a property manager, I would be very worried indeed. (Is it even legal to demand a TFN???)

Sure but why do they need all the details that you mention in order to generate that turnover?

I have not personally encountered such excessive demands for details. More common, I think, is date of birth and drivers licence details - which is concerning enough.


Yes, sadly it is getting more prevalent these days.
Therefore, we are at the mercy of the corporate security practice to keep our data safe.

Nothing else we can do, when you got the data published in the internet, you can’t change your name or Date of Birth :expressionless:

Looks like Queensland has been shamed into (forced into) accelerating this: Queensland changes licence verification process after Optus hack - ABC News

That of course won’t completely help the 500,000 Queensland drivers who were already affected by the Optus data breach. But for the next data breach …

people raised concerns that it was not two-factor authentication because the numbers were present on the same card.

Is it 2FA? It is and it isn’t.

If someone picks up your purse or wallet in the street (etc.) and takes the drivers licence therefrom then this is a) not 2FA b) not very useful. (However it can be assumed that you will notice the loss quite soon, report it, get a new drivers licence, which will cause a change of drivers licence card number, therefore making the credentials useless to a criminal. So the smarter criminal would get the drivers licence without taking the purse or wallet or indeed just get the numbers from the card without taking anything.)

If a company stores only the drivers licence number but not the drivers licence card number and the company has a data breach then this is as good as 2FA. (So the company does transiently have the drivers licence card number but only for the time it takes to communicate with the Document Verification Service and get a “yes” or “no”.)

1 Like

There are plenty of film stars who have changed both to suit circumstances.

Of course companies will soon start demanding both, because your driver’s licence number is publicly accessible online following the last several breaches. At which point the issuers will add a card number number, and things will start getting ridiculous.

They are supposed to demand both - because both must be passed to the Document Verification Service in order to succeed there. However they are not supposed to store the drivers licence card number. (So it becomes analogous to the card number and CVV for credit cards for a card-not-present transaction.)

So the data breached drivers licence number becomes the “something you know” (you and every hacker) and the non-stored drivers licence card number becomes the “something you have” (because the hacker typically can’t directly get the physical card). (However this is nowhere near as strong as it should be. It’s better than nothing but …)

Funny boy. Of course you most definitely can change your name, film star or otherwise. It may be a hassle but there is a well-defined process for doing so.

1 Like

Another day, … Legal Aid ACT: Legal Aid ACT refuses to pay 'not insignificant' ransom to hackers who stole data of Canberra domestic violence survivors - ABC News

1 Like

I have had an interesting experience regarding the recent data breaches. I received an email from VinoMofo advising me that my personal data had been stolen in their recent data hack. The strange thing was that I could not recall ever signing up to become a VinoMofo member. I confirmed this by trying the password reset - my email didn’t exist in their system. So I contacted VinoMofo and asked what gives.
They advised me that they had received my details from a small vineyard of which I am a wine club member, and I was in fact a member of something called VinoDirect. I was not aware this had occurred. When I checked this vineyard’s privacy policy, it stated that while they will treat my personal information with the utmost care etc etc, they reserve the right to share it with partner providers to enable improved services etc. for the marketing and delivery of their wines.
Will definitely be more careful about signing up for memberships in the future.


And yet another.

1 Like

It is probably only a matter of time before charities (more precisely, deductible gift recipients) get sucked into the government data vortex - via mandatory collection of the TFN by the charity and mandatory data feed to the government. Therefore increasing the risk to the public.

But for now, not as bad as some of the other recent high-profile breaches. 80,000 is a bit small beer too.

Also, at this time, I don’t think they are claiming that a data breach definitely occurred - only that it may have. We may not know for sure until some sample data appears on the web.