Australia gov wants telco Optus to pay for new passports for data breach victims
I wonder if this is actually intended to be an "ask", or if this is polite language for "we will legally compel them to".
>Passport numbers are among the personal details accessed in what the federal government has described as a "basic hack".
>Optus says the data breach was due to a "sophisticated" operation.
It would be good to know more details of the hack itself.
Fortunately we're able (in South Australia) to get our driver's licenses changed over free of charge if impacted, which I'll do, but now that's something else I need to get around to doing... I wonder how many of these costs will be forwarded on to Optus on behalf of the government.
And we need to put other companies with terrible security on notice. I think the only way big companies will move is by making their executive team sweat money.
That's how it works everywhere else in the economy - if your negligence causes harm, you're liable. Serve bad food in a restaurant? Sued. Sell sporting equipment which causes injury? Sued. Misrepresent yourself? Sued, and potential criminal charges. Medical malpractice? Sued. But somehow, if your sloppy software causes harm that's ok? What rubbish. Security malpractice should bear the same punishment as everything else.
Maybe the price of paid software will go up. That's fine. Maybe there aren't enough qualified security engineers. Also, fine.
If you don't have the expertise to manufacture a safe car, we've decided you can't enter the car business at all. Likewise, if you don't have the technical skill to keep my data secure, you have no business storing my data at all.
I dislike this intensely. All kinds of random places are keeping hi-res scans of documents that are perfect for identity theft and fraud. I've tried suggesting that looking at the passport should be sufficient to verify my identity -- they don't need to make a copy of it -- but I've had no luck.
Has anyone had success at pushing back on this? Are there laws in any country that say that you can't take photocopies or scans of customers' passports?
If the Australian Government actually goes through with its threat to make Optus pay millions to cover the cost of the damage its lax security has caused then the idea may catch on elsewhere.
It seems to me that at the risk of going bankrupt over a breach of its customers' privacy a company would want to divest itself of as much information about its customers as was possible.
Wouldn't it be great if that were to happen.
If you accept perfect security is impossible (everyone should) then anybody creating data retention laws (i.e. the government) really has to also assume some level of responsibility for the risk that the data is going to leak.
You can then select the businesses you would like to forget about you and Mine will send pre-written emails on your behalf and monitor for replies.
The experience has been enlightening. This is what I've found after sending 50ish requests:
- A small number of businesses already have a process in place to deal with such requests and action immediately without further correspondence
- Others ask that you fill in a form (pdf or web) to start the process
- A large number won't get back to you for around a week or two and eventual responses appear to be written by a person
- A small number tell you they can delete some data but not all, e.g. Compare the Market. In the past I've used Compare the Market to purchase insurance products; that sale is linked to my personal details and so they cannot delete. I'm not sure why this is the case. Maybe there are compliance reasons but it is a little worrying that these middle-men companies that live on commission either can't or won't erase my data.
The big one that's been mentioned in other HN threads on this is Car Rental companies. I made it a priority to deal with them first. They have all manner of sensitive information and their size, tenure and CX don't instill me with confidence.
In Israel you use your ID number, if a citizen, or passport number if not, in tons of transactions (as a citizen it somehow flows to your yearly taxes, not sure exactly), even stuff as mundane as getting gas needs an ID number.
If passport numbers are meant to be secret I suspect a lot of people are in for a rude surprise.