Data Breaches 2022 onward (including Optus)

PS Even improving the current verification does nothing about the “97,000” driver’s licences that just got dumped by Latitude and “30,000?” that got dumped by Optus. (NB: Only covering what I believe to be valid pairs of licence number and card number that were exposed, not the much larger set of licence numbers by themselves that were exposed.) By rights, those should all be reissued no matter what changes are made around the edges.

But let’s not get too far ahead of ourselves. A criminal can pick up your full licence at any club where you aren’t a member.

2 Likes

Are or are not?
What does this assume they have access to and knowledge of?

Acknowledged, it’s an added comment not directly connected to the Latitude related data breach.

1 Like

Are not.

If you are a member, you use your membership card to swipe in. No details surrendered at that time.

If you are not a member, you use your driver’s licence to scan in, each and every time you visit such a club.

You have to make some assumptions but it dramatically increases the number of entities who could be attacked in order to get drivers licence information and includes a whole lot of comparatively smaller organisations, who don’t have billion dollar IT budgets (unlike an “Optus” or a “Big Four” bank).

2 Likes

And “today’s”: Skin cancer survey hack may have 'compromised' personal details, Medicare numbers of participants - ABC News

Small in number (as far as we know so far!) but could be uncomfortable for some survey participants.

Data breach expert Jane Andrew from the University of Sydney says current data breach laws are not fit for purpose because there is no legal requirement to publicly disclose a hack.

This is something of a simplification and an exaggeration. I think there are three gaps here:

  1. There is never a requirement to notify the public at large. However there is a requirement to notify the OAIC. So this could easily be fixed by government itself, either administratively or legislatively. That is, the company tells the OAIC and the OAIC tells the public at large (in a standard format and using a standard mechanism).
  2. This only applies where there is “likely risk of serious harm”. This is obviously vague, and subject to opinion and judgement. It should be: a data breach is a data breach. Unauthorised access to data of any kind should be notifiable (for organisations covered by this regime at all).
  3. Not all organisations are covered by these requirements at all. I am happy for that to remain the case i.e. put the burden on medium and large enterprises only.

4 Likes

Another twist.

2 Likes

9 posts were split to a new topic: Faking driver nomination forms

The Latitude Financial data breach now appears far more significant than first reported…

What is concerning is that data used to gain 100 points to meet mandatory identification requirements may have been released, making it very easy for criminals to carry out identity theft and fraudulently obtain credit/purchases using its customer details.

Latitude appears to know the ramifications to its customers and recommends that (all of) its customers consider taking immediate precautions. Pertinent precautions include:

  1. Contacting one of Australia’s credit reporting agencies for a credit report so you can check if your identity has been used to obtain credit without your knowledge. In New Zealand, checking your credit record to confirm if your identity has been used to obtain credit without your knowledge. Please refer to govt.nz for further information.

  2. Requesting the credit reporting bodies place a credit ban or suspension on your credit file via their website or by contacting them directly. Please be aware that you will not be able to apply for credit while the ban or suspension is in place.

Links to credit reporting agencies to place a credit ban or suspension are on the Latitude Financial website:

If you are or have been a Latitude Financial customer (for personal loans, car loans, credit cards or insurance) since 2005, one should consider what precautions need to be undertaken to ensure one isn’t at risk of potential identity theft. This includes anyone who may have applied for one of its products even if the application was unsuccessful.

3 Likes

I wonder when the full story will come out.

Firstly, customer information dating back to 2005? Latitude was established in 2015 after a buyout of GE Finance.

Secondly, the number of customers Latitude claim to have, 2.5 million, is far less than the customer details admitted to have been accessed.

Thirdly, the story is that compromised employee credentials were used to access ‘service providers’. Who are these other parties that so easily and freely gave data over to Latitude?

1 Like

Crown joins the fray.

while the ABC paints a mosaic including what is missing.

4 Likes

Yep. Data Retention is evil. It is already against the Australian Privacy Principles but apparently routinely ignored or abused. From the ABC article:

Principle 11.2. states that “entities must also take reasonable steps to destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs”

(That’s not an exact quote from the Privacy Act but it captures the essence of it.)

Now I understand that government may legislate to force a company to do Data Retention but … financial data … not for 18 years.

Cracking down on Data Retention is a fairly quick win against data breaches. Yes, data breaches will still happen but former customers will not unnecessarily be part of the breach. It will scale down each breach.

(Edit: Data Retention also creates another problem. It makes it impossible for the company to reliably notify former customers about a breach. Who has changed postal address? Telephone number? Email address? Since 2005. It won’t be everyone. Some people might genuinely be contactable under all three of those, unchanged after 18 years … but an awful lot would be difficult or impossible to contact.)

Again, I think the ABC article gets to the heart of it:

properly destroying customer data can be a costly exercise

and

I think part of the problem is that it’s cheaper to keep data than to cleanse it properly

Easier to do nothing and kick the can down the road and just keep everything (until the data gets breached).

On top of that, data has value so spending money to destroy something that has potential value to the company is not in the company’s interests. Without the government cracking down on Data Retention, there will always be a problem here.

When you sign up to any company you nearly always agree that they can transfer data to other companies under many situations, including but not limited to a change of ownership. That in and of itself isn’t a problem but data going back to 2005 should have already been destroyed long before the buyout.

Again we see the conflict of interest. When data has value, selling the company with Retained Data may increase the sale price of the company. So it is in the interests of the seller to ignore any need to destroy Retained Data.

4 Likes

In my opinion the requirement for “serious harm” should be removed from the legislation. All data breaches that are covered by the Privacy Act should be required to be reported to the OAIC and the OAIC should be required to publish the details on their web site. The company should not have to or get to judge for themselves whether the breach is “serious”. There should be no “anonymous” reports. (This would not remove the obligation on the company to directly notify the individual customers who are affected.)

Unfortunately the article indicates that among the issues being reviewed in the Privacy Act, some of the important issues (like whether it has to reach a threshold of “serious” and who judges that and whether the report is made public) are not up for review … so while the Albo government is quick to blame the previous government for inaction, it seems like that might be the pot calling the kettle black.

However the sheer scale of data breaches in Australia is now so large that I think we need to reassess at a bigger picture what is going on.

As I was personally involved in the Optus breach (and only by good luck avoided the Medibank breach), I raised the bigger picture with “the government”. To paraphrase their response:

  • The problem doesn’t just involve us so we will leave it to someone else and do nothing.
  • We don’t want the hassle of doing anything.

Yeah, thanks for that …

2 Likes

…but storage is sooo cheap! And the data may be useful i.e. valuable one day!

(Yes, the data may have value - particularly to the people who just walked out the door with it.)

1 Like

I don’t disagree with the spirit of this, but you underestimate how many situations qualify as a data breach.

If you forget to lock your computer and have someone’s personal details up, and the cleaner walks past and can see your screen that’s a data breach. You leave an invoice on the lunchroom table before realising and going back for it five minutes later, that’s a data breach. You can’t find a bag to put a file in so you carry it across the workplace with the name on the front visible, that’s a data breach.

These types of breaches can only be effectively tackled at a workplace level. (Auto-lock after 5 minutes of inactivity on a computer, document storage and handling procedures etc.)

1 Like

Every time someone has legitimate access to your data?
Every time your data might be accessible to someone other than the immediate legitimate need?
Or every time someone who has no legitimate need gains access and collects your data?

The ability to distinguish between could and have seems relatively well defined.

We all have HR and pay records. Kept for tax purposes and in many industries for the term of our natural lives in case of a returning future employee or one day future work-related health claims.

2 Likes

I get that. I imagined (and we are of course talking about hypothetical changes to legislation that the government has already made clear that it has no interest in making) … that companies would be required to report in standard form and mechanism so that the overhead for the OAIC in complying with what I wrote is negligible.

The OAIC would have to have their own internal thresholds for what they might look more closely at. That is, I didn’t specify that the OAIC actually has to investigate or seek further information regarding any particular data breach.

I don’t resile from the fact that it would put a burden on a company. If they don’t like the overhead of reporting data breaches to the OAIC then they should find ways to reduce the number of times that data breach happens.

The legislation could be amended to define “data breach” so as to exclude some of the relatively minor situations that you mention, if it becomes a real problem. My main point was that when a company gets to decide for itself whether a “data breach” is “serious” that is a clear conflict of interest.

I guess things could be tightened up so that the following are always reportable (always “serious”):

  • data relating to more than X people was breached (where the legislation specifies a value for X), or
  • a data breach involving unauthorised access to a computer

(while not necessarily excluding some other situations).

Most of the breaches being discussed here would meet either condition anyway but the first bullet point would also cover the situation where someone puts documents relating to X people into a dumpster (like the ANZ breach above).

1 Like

Then I hope you encrypt this data and airgap the old data. If Optus had at least encrypted their (our) data then all the hackers can sell is encrypted data… useless unless you have massive supercomputer access. I now wonder if Latitude encrypted the data they held. The fact that they all say our data won’t be sold to 3rd parties but then that company (and all its assets, data included) gets acquired (or SOLD in layman’s terms) and that data then ends up on the dark web screams out that that company does NOT take your private data seriously… it’s just an acquisition that they believe they can do whatever they want with.

Possibly my shorthand phrasing has left interpretation open. It was intended to be a reference to the data that others hold relating to current or past employment. I’ve no control over how it is being maintained. Reality - over time how often have job applicants or new starters been provided with a document telling us how those records might be managed or subsequently used? The word ‘confidential’ may be used in company policy to describe the content, but to what effect?

Tax file numbers, photocopies of licenses, statutory qualifications/registrations, dob, NOK, banking details and a collection of employee ID card photos. In these days of work from home there are many more opportunities for system defences to be found wanting.

Perhaps big companies know how to keep such details more secure than their customer facing systems? It’s a big if.

1 Like

Not the be-all and end-all because ultimately the data has to be available somewhere inside the company in plaintext (except in niche scenarios that I will gloss over). So it comes down to

  • what level the data is encrypted at, and
  • what level the data is breached at.

Don’t get me wrong though. Companies should be encrypting sensitive data at (at least) the database level i.e. columns stored encrypted - so that if the entire database is copied, or a backup of the entire database is copied, then no sensitive data is available in the breach. Indeed it is my understanding that for credit card details this is a requirement but I could be wrong about that.

Tax records must be kept (by the taxpayer) for seven years. I see no reason why HR records would be needed for a longer period for people who are no longer employees.
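An added example (not code from the thread) of the database-level column encryption the post above describes, in Go: the licence-number column is sealed in the application tier with AES-256-GCM, so a copy of the whole table or of a backup carries only ciphertext, while a wrong key, another row’s AAD, or tampered bytes fail closed on read. The type and function names, the key handling and the sample row values are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// ColumnCipher encrypts one sensitive column (a licence number here) in the application
// tier; the key never reaches the database, so a table or backup copy holds only ciphertext.
type ColumnCipher struct{ aead cipher.AEAD }

// NewColumnCipher takes a 32-byte key, which selects AES-256-GCM (key sourcing is assumed).
func NewColumnCipher(key []byte) (*ColumnCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnCipher{aead: aead}, nil
}

// Seal encrypts one value; the AAD (e.g. the row's primary key) binds it to its row.
func (c *ColumnCipher) Seal(plaintext, aad string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, []byte(plaintext), []byte(aad)), nil // nonce || ciphertext
}

// Open is the application read path; it fails closed on a wrong key, wrong row, or tampering.
func (c *ColumnCipher) Open(blob []byte, aad string) (string, error) {
	n := c.aead.NonceSize()
	if len(blob) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, blob[:n], blob[n:], []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoredRow is the record as a whole-table or backup copy exposes it: ID and name in clear.
func StoredRow(id int, name string, licenceEnc []byte) string {
	return fmt.Sprintf("%d,%s,%s", id, name, hex.EncodeToString(licenceEnc))
}
```

The breach scenario in the post (a full copy of the database) corresponds to what StoredRow returns; only a breach at the application tier, where the key is in use, would reach the plaintext.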

I seem to recall that non-retention of employee details, such as pay and tax details, was a real problem for those targeted by the infamous robodebt system. How to demonstrate the debt was not warranted if the past employer no longer had the details?