> Foreign Affairs Minister Penny Wong has asked Optus to cover passport application fees for anyone caught up in last week's massive data breach, which affected millions of Australians.

I wonder if this is actually intended to be an "ask", or if this is polite language for "we will legally compel them to".

>Passport numbers are among the personal details accessed in what the federal government has described as a "basic hack".

>Optus says the data breach was due to a "sophisticated" operation.

It would be good to know more details of the hack itself.

Affected Optus customer here (received email indicated I was impacted). They never had my passport details (there have been some links going around when logged in to see the payload of your PI involved in the breach) but they certainly have my name, address, phone number and drivers license number in the data.

Fortunately we're able (in South Australia) to get our drivers licenses changed over free of change if impacted, which I'll do but now that's something else I need to get around to doing... I wonder how many of these costs will be forwarded on to Optus on behalf of the goverment

Interestingly, no mention of those of us who traveled abroad to Australia somewhat recently and got an Optus SIM.

aaaaand the cost will go back to the Optus customers.

I'm furious about this data breach. I think our laws need to be updated to make sloppy security an existential threat to businesses. Optus should be fined by the australian government within an inch of their life. Its not ok to profit from sloppy security work then leave regular people to pick up the tab when it goes wrong.

And we need to put other companies with terrible security on notice. I think the only way big companies will move is by making their executive team sweat money.

Thats how it works everywhere else in the economy - if your negligence causes harm, you're liable. Serve bad food in a restaurant? Sued. Sell sporting equipment which causes injury? Sued. Misrepresent yourself? Sued, and potential criminal charges. Medical malpractice? Sued. But somehow, if your sloppy software causes harm thats ok? What rubbish. Security malpractice should bear the same punishment as everything else.

Maybe the price of paid software will go up. Thats fine. Maybe there aren't enough qualified security engineers. Also, fine.

If you don't have the expertise to manufacture a safe car, we've decided you can't enter the car business at all. Likewise, if you don't have the technical skill to keep my data secure, you have no business storing my data at all.

Years ago hotels and currency exchanges when traveling abroad would simply look at your passport, and maybe write down some info by hand. Then they started photocopying the passport. And now they scan it. Full color high-resolution scan.

I dislike this intensely. All kinds of random places are keeping hi-res scans of documents that are perfect for identity theft and fraud. I've tried suggesting that looking at the passport should be sufficient to verify my identity -- they don't need to make a copy of it -- but I've had no luck.

Has anyone had success at pushing back on this? Are there laws in any country that say that you can't take photocopies or scans of customers' passports?

With luck, this may be the precedent the world needs to shake up lax privacy everywhere.

If the Australian Government actually goes through with its threat to make Optus pay millions to cover the cost of the damage its lax security has caused then the idea may catch on elsewhere.

It seems to me that at the risk of going bankrupt over a breach of its customers' privacy a company would want to divest itself of as much information about its customers as was possible.

Wouldn't it be great if that were to happen.

Re prepaid sims - in order to protect Australian voters from dreadful terrorists, activation of the Sim requires entering some form of id.

Interesting twist here is that after being criticised for storing all this sensitive data even years after customers left, Optus has pointed out that they are required to do so by data retention laws the government itself created.

If you accept perfect security is impossible (everyone should) then anybody creating data retention laws (ie: the government) really has to also assume some level of responsibility for the risk that the data is going to leak.

I find amusing that in some countries those numbers are treated as secret. In mine all that information is public, you can even look for somebody by name or ID in a government website.

I wish governments would heavily penalise companies that doesn’t take data security seriously. The threat of heavy fines is the only thing that will make large corporations do the right thing.

For anyone interested in Data Erasure requests. I've been using the service Mine lately. It scans your mailbox to identify and prioritise businesses that you've dealt with who likely hold financial and other personally identifiable information on you.

You can then select the businesses you would like to forget about you and Mine will send pre-written emails on your behalf and monitor for replies.

The experience has been enlightening. This is what I've found after sending 50ish requests:

- A small number of businesses already have a process in place to deal with such requests and action immediately without further correspondence

- Others ask that you fill in a form (pdf or web) to start the process

- A large number won't get back to you for around a week or two and eventual responses appear to be written by a person

- A small number tell you the can delete some data but not all. e.g. Compare the Market. In the past I've used compare the market to purchase insurance products, that sale is linked to my personal details and so they can not delete. I'm not sure why this is the case. Maybe there are compliance reasons but it is a little worrying that these middle-men companies that live on commission either can't or won't erase my data.

The big one that's been mentioned in other HN threads on this is Car Rental companies. I made it a priority to deal with them first. They have all manner of sensitive information and their size, tenure and CX don't instill me with confidence.

[1] https://www.saymine.com/

Since when are passport numbers secret? If that's real that's totally new to me.

In Israel you use your ID number, if a citizen, or passport number if not, in tons of transactions (as a citizen it somehow flows to your yearly taxes, not sure exactly), even stuff as mundane as getting gas needs an ID number.

If passport numbers are meant to be secret I suspect a lot of people are in for a rude surprise.

Its not ok that Optus even has peoples passport info (even if it may be forced on them to store it)