Optus Cyberattack is the Government’s Fault
The data exposed in the attack included customers’ names, dates of birth, phone numbers and email addresses and, for a subset of customers, home addresses and ID document numbers such as driver’s licence or passport numbers.
However, it appears that bank account details and customer account passwords were not accessed. The company’s mobile and internet services are still running and were unaffected by the attack.
Optus decided to alert the media first because it felt this was the quickest way to inform its millions of customers that their personal information may have been compromised. The company has since begun contacting customers directly to let them know whether they have been affected and to what extent.
Needless to say, the personal information of millions of people is an attractive target for hackers and others wanting to do harm. Just as banks adopted strong physical and, more recently, online security to stop bank robbers, companies should implement strong protections, including encrypting the data they collect and store, to stop hackers.
It seems Optus failed to stop the hackers and should definitely shoulder some of the blame. However, it is not yet clear whether this was the result of Optus not properly securing its customers’ data.
The government is at fault
What has been lost in much of the media coverage of this debacle is that the government requires Optus (and other companies) to request personal information such as your date of birth and driver’s licence or passport number when you first become a customer. Ostensibly this requirement exists so companies can verify that you are who you say you are.
Under the relevant laws, the company is then required to keep your personal information for up to six years.
To me this is the main problem revealed by the Optus cyberattack. Namely, that companies are required by law to not only ask for your sensitive personal information but to also keep it for up to six years.
At the very least, once you have been verified, companies should be required to delete the sensitive personal data to prevent this type of breach from occurring. Hopefully, one good thing that may come out of this debacle is a change to the law to this effect.
Increasing chances of personal information being stolen
But why are companies required to verify their customers in the first place?
The reason is to make sure an impostor isn’t signing up for a product, loan or whatever else in your name and then racking up debts. If this were to occur, your credit rating would be negatively affected and you would have difficulty the next time you tried to obtain a home loan, personal loan and so on.
In other words, the Australian government requires it in order to combat potential financial fraud.
So under the 100-point ID check, you are required to reveal sensitive personal information to a provider such as Optus before you can buy its products. This information is like manna from heaven for criminals, hence the Optus cyberattack and others like it.
However, the customer verification process does nothing to stop someone stealing money from your bank account, debit card or credit card. It merely confirms that you are who you say you are, that you live at the address you say you live at, and so on.
Ironically, by legislating the requirement for Optus and other companies to verify you, the government has actually increased the chances of your personal information being stolen and used to commit fraud.
Nice work by the regulators, don’t you think!
Note: for those concerned that they may have been affected by the Optus cyberattack, Optus’s recommendations are here: https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack