Data Breaches 2022 onward (including Optus)

It’s the “Impossible Dream”?

Reference outgoing ACCC deputy chair Delia Rickard.

Ms Rickard has called for a “major review” into the massive quantities of data businesses are collecting on customers and how they’re storing it, saying the hacks of Medibank and Optus should be a wake-up call as millions face having their private lives exposed by criminals.
“My daughter got a rental recently – I was appalled beyond belief by what she had to hand over,” Ms Rickard said.
“[They wanted] a tax file number, Medicare and passport documentation.
“It’s really worrying, because you don’t know, even if they take it, you have to email it and that’s an additional vulnerability. You don’t know what they’ve done with it, do they keep it forever?”

Now that the ACCC is on to it, it will only be a matter of time before….? :roll_eyes:

Don’t forget the industry is very very valuable, and may argue its needs with great gusto.
Note:
More than 3 million Australian homes are rented (31% of properties). The cost of the average rental nationally is more than $500 per week, i.e. $1.5 billion weekly turnover or $78 billion annually. Agents take around 10% of the turnover.

4 Likes

I detect your cynicism but this is really an issue for government. The ACCC can only (attempt to) enforce the law as it is written. It is up to the government to say: enough is enough (and we are part of the problem).

Yes, rentals are an ugly new front in the data wars. It’s fairly obvious that the average property manager doesn’t have as strong IT resources as an Optus or a Medibank and yet even the latter were compromised. So if I were handing over those details to a property manager, I would be very worried indeed. (Is it even legal to demand a TFN???)

Sure but why do they need all the details that you mention in order to generate that turnover?

I have not personally encountered such excessive demands for details. More common, I think, is date of birth and drivers licence details - which is concerning enough.

3 Likes

Yes, sadly it is getting more prevalent these days.
Therefore, we are at the mercy of the corporate security practice to keep our data safe.

Nothing else we can do; once your data gets published on the internet, you can’t change your name or date of birth :expressionless:

Looks like Queensland has been shamed into (forced into) accelerating this: Queensland changes licence verification process after Optus hack - ABC News

That of course won’t completely help the 500,000 Queensland drivers who were already affected by the Optus data breach. But for the next data breach …

people raised concerns that it was not two-factor authentication because the numbers were present on the same card.

Is it 2FA? It is and it isn’t.

If someone picks up your purse or wallet in the street (etc.) and takes the drivers licence therefrom then this is a) not 2FA b) not very useful. (However it can be assumed that you will notice the loss quite soon, report it, get a new drivers licence, which will cause a change of drivers licence card number, therefore making the credentials useless to a criminal. So the smarter criminal would get the drivers licence without taking the purse or wallet or indeed just get the numbers from the card without taking anything.)

If a company stores only the drivers licence number but not the drivers licence card number and the company has a data breach then this is as good as 2FA. (So the company does transiently have the drivers licence card number but only for the time it takes to communicate with the Document Verification Service and get a “yes” or “no”.)

2 Likes

There are plenty of film stars who have changed both to suit circumstances.

Of course companies will soon start demanding both, because your driver’s licence number is publicly accessible online following the last several breaches. At which point the issuers will add a card number, and things will start getting ridiculous.

They are supposed to demand both - because both must be passed to the Document Verification Service in order to succeed there. However they are not supposed to store the drivers licence card number. (So it becomes analogous to the card number and CVV for credit cards for a card-not-present transaction.)

So the data breached drivers licence number becomes the “something you know” (you and every hacker) and the non-stored drivers licence card number becomes the “something you have” (because the hacker typically can’t directly get the physical card). (However this is nowhere near as strong as it should be. It’s better than nothing but …)
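The storage rule described above (send both numbers to the Document Verification Service, persist only the licence number) as an added example, not code from anyone in this thread. The DVS client here is a stand-in stub; the numbers and the licence format are constructed, not a real state format.

```python
import re
from dataclasses import dataclass

# Constructed format for illustration only; real state formats differ.
LICENCE_RE = re.compile(r"^[A-Z0-9]{6,10}$")
CARD_RE = re.compile(r"^[A-Z0-9]{8,12}$")


@dataclass(frozen=True)
class StoredIdentity:
    """What the business is allowed to keep after verification."""
    licence_number: str      # breached widely: treat as "something you know"
    dvs_verified: bool
    # Deliberately no card_number field: the "something you have" is never retained.


def fake_dvs_check(licence_number: str, card_number: str) -> bool:
    """Stand-in for the Document Verification Service (hypothetical stub).
    The real service needs both values and answers only yes or no."""
    return bool(LICENCE_RE.match(licence_number)) and bool(CARD_RE.match(card_number))


def verify_and_store(licence_number: str, card_number: str, audit_log: list) -> StoredIdentity:
    """Hold the card number only for the DVS round trip, then drop it.
    The audit line redacts it so logs cannot become a second copy."""
    verified = fake_dvs_check(licence_number, card_number)
    audit_log.append(f"dvs_check licence={licence_number} card=<redacted> result={verified}")
    del card_number          # transient value goes out of scope here
    return StoredIdentity(licence_number=licence_number, dvs_verified=verified)


def retains_card_number(record: StoredIdentity, audit_log: list, card_number: str) -> bool:
    """Retention check a reviewer can run: does the card number survive anywhere?"""
    in_record = card_number in repr(record)
    in_log = any(card_number in line for line in audit_log)
    return in_record or in_log


if __name__ == "__main__":
    log = []
    rec = verify_and_store("AB123456", "C9Z8Y7X6W5", log)   # constructed sample values
    print(rec, retains_card_number(rec, log, "C9Z8Y7X6W5"))
```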

Funny boy. Of course you most definitely can change your name, film star or otherwise. It may be a hassle but there is a well-defined process for doing so.

1 Like

Another day, … Legal Aid ACT: Legal Aid ACT refuses to pay 'not insignificant' ransom to hackers who stole data of Canberra domestic violence survivors - ABC News

1 Like

I have had an interesting experience regarding the recent data breaches. I received an email from VinoMofo advising me that my personal data had been stolen in their recent data hack. The strange thing was that I could not recall ever signing up to become a VinoMofo member. I confirmed this by trying the password reset - my email didn’t exist in their system. So I contacted VinoMofo and asked what gives.
They advised me that they had received my details from a small vineyard of which I am a wine club member, and I was in fact a member of something called VinoDirect. I was not aware this had occurred. When I checked this vineyard’s privacy policy, it stated that while they will treat my personal information with the utmost care etc etc, they reserve the right to share it with partner providers to enable improved services etc. for the marketing and delivery of their wines.
Will definitely be more careful about signing up for memberships in the future.

6 Likes

And yet another.

2 Likes

It is probably only a matter of time before charities (more precisely, deductible gift recipients) get sucked into the government data vortex - via mandatory collection of the TFN by the charity and mandatory data feed to the government. Therefore increasing the risk to the public.

But for now, not as bad as some of the other recent high-profile breaches. 80,000 is a bit small beer too.

Also, at this time, I don’t think they are claiming that a data breach definitely occurred - only that it may have. We may not know for sure until some sample data appears on the web.

email from Goto/Lastpass this morning about their latest … let’s hope their security model for password databases is as secure as they say :rofl:


Dear valued customer,

In keeping with our commitment to transparency, we wanted to inform you of a security incident that our team is currently investigating.

We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement.

We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.

We are working diligently to understand the scope of the incident and identify what specific information has been accessed. As part of our efforts, we continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent further threat actor activity. In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around the setup and configuration of LastPass, which can be found here.

As is our practice, we will continue to provide updates as we learn more. Please visit the LastPass blog for the latest information related to the incident: Notice of Recent Security Incident - The LastPass Blog.

We thank you for your patience while we work through our investigation.

Sincerely,
The Team at LastPass

5 Likes

This time Telstra: Telstra 'error' made customer data available on White Pages and directory assistance, executive Michael Ackland says - ABC News

I don’t have a clear idea at all about what happened with this breach. However it seems there was no hacker involved i.e. just a Telstra stuff-up.

1 Like

Yes, the Telstra press release sort of says what happened. One part of a data set of customers with silent numbers was collected for inclusion in the regular directory listings data set. How that occurred may be left unexplained, leaving many to ask if it could happen again. I’m assuming it would not be readily apparent to anyone looking for a contact which of the contact details in the general directory were from the silent number data set.

Who else might now have a copy of the directory including those added listings is worth a response from Telstra.

Does it affect people who are not Telstra customers? I would assume so but …

I too was notified by Optus that my data had been hacked. I requested a new Medicare card, flagged my Driver’s Lic. with VicRoads, and “did what I could do”…i.e. very little. NOW though, I have an “off-shoot” problem…I had used my Credit Card to pay my Optus Account, and lo and behold…an unauthorized $30+ USD purchase has been debited to my Credit card, for an online purchase (apparently a book?), from Germany!!! This was NOT me, and Westpac are supposedly investigating…a month later, and all they have done is issue a Complaint number to me. Optus said NOTHING about my payment details having been part of the hacked data…Has anyone else amongst the 9.+ million victims experienced similar? The Bank issued a new Credit card, which I have NOT activated (and will not…just yet)…so, has this happened to anyone, in any of the aforementioned hacking incidents? I doubt I am alone.

Optus was very clear in their disclosures that payment details such as CCs were not compromised.
I would be looking at other places you may have used your CC and all the details copied, and in particular where the CVV might have been retained on an online site.

2 Likes

Nothing like being top of the ‘hit parade’. At least in one view.
Not the type of hit that can make you a millionaire, with all the benefits going to someone else!

Ouch! :persevere:

P.S.
It’s just one assessment provided by a business interested in selling VPN services. Reality may differ, better or worse?

“Globally, data breaches have gone down by 70.8 per cent from October to November,” Surfshark lead researcher Agneska Sablovskaja said on Tuesday.
“In Australia, however, data breaches have surged by 1550 per cent –

1 Like

It all depends on who you ask - and what. The Massachusetts Institute of Technology (MIT) ranks Australia on top of its Cyber Defense Index 2022/23.

A drill-down shows that Australia is number one in critical infrastructure, organisational capacity and policy commitment - but ranks a lowly ninth on cybersecurity resources.

Feel free to drill into the details and data and point out all the problems with this report.

1 Like

Laws will not protect the privacy of citizens unless EU-style regulations are brought in.

As the saying goes, “Operation successful, patient died”.

Recently, one Australian organization was asking for proof of identity and listed passport and driver’s licenses as valid documents. Here is how I replied:

I do not have a problem with anybody verifying who I am, but I have serious concerns with how it is done and who will guarantee my privacy. I cannot accept “no-liability” for my data by any professional organization.

I do not think it is necessary to provide passport number, driving license number, and similar. That information has been abused so much (I know, IT Security is my business and see too many idiots working in the profession). So, there must be a reasonable way to resolve this issue.

The company then stopped asking for those documents.

Do not trust anyone taking care of your documents and minimize exposure to privacy.

2 Likes

I’ve recently been informed by Medibank that “We’re deeply sorry to inform you that we believe some data relating to your membership has been stolen and released on the dark web in the recent cybercrime event.”

They don’t “believe” that my credit card and banking details were stolen, but list all of the “Data that has been impacted” - i.e. name, DOB, email, home address, phone number, medical claims history…

It reads as though it was written by a PR specialist and vetted by their lawyers. It also “helpfully” suggests the steps I can take to protect my information…while failing to identify the steps Medibank OUGHT to have taken to prevent such a simple hack from succeeding. The only saving grace is that I have recently racked up some hefty private health bills post-hack (not by choice) and I have some much more substantial bills to come.

Australian corporate laws are grossly inadequate. If executives are not genuinely penalised for their failure to take reasonable steps to protect customer data, these hacks will continue. Has anybody here heard of executives having their bonuses held in escrow for two or three years to ensure that decisions they made while earning them did not leave open a hole for hackers to waltz through and steal customer data that the same executives had an implied duty to protect?

3 Likes