New approaches needed to prevent another Optus-level data breach

The Strategist, 29 September 2022
https://www.aspistrategist.ru/new-approaches-needed-to-prevent-another-optus-level-data-breach/

Last week's Optus data breach exposed the personally identifiable information of up to 9.8 million customers and former customers in Australia, including sensitive identity document details, with records going as far back as 2017.

Although details of the extent of the hack are still emerging, there are already important lessons we can draw, beyond the usual clichés such as 'Data breaches are a matter of when, not if', and the generic advice to change passwords and patch systems that gets recycled after every major cyber incident.

Although Optus has been clear that no financial details or passwords were stolen, the biggest concern is the leaking of customers' names and dates of birth, matched with details like driver's licence or passport numbers: the sort of information needed to pass a standard 100-point ID check, and hence the perfect ingredients for fraud, scams and manipulation.

In the short term, the onus is on Optus to inform the affected individuals, who then need to monitor their accounts and credit activity. In the bigger picture, Home Affairs Minister Clare O'Neil is expected to announce reforms requiring banks and other institutions to be notified more quickly about breaches so they can safeguard customers' accounts. We will never stop 100% of cyberattacks 100% of the time, so this could be a good step forward to improve the ability of our economy and society to recover from such incidents.

But what more could be done to reduce the risk of such breaches occurring in the first place and to limit the immediate impact when they do occur?

Best practice is for organisations to store only the data they actually need and delete it as soon as it's no longer needed. Angry Optus customers have questioned why the company kept such sensitive personal information for so long. However, telecommunications companies operating in Australia are required to verify the identities of those they provide services to, as part of regulations to prevent many other types of crimes. That obligation means they also need to keep records of such checks for audit purposes, typically for seven years.

If such data needs to be held, how can it be made more secure? The standard response of armchair commentators is to recommend encrypting the data, which Optus claims to have done. That didn't seem to help. This is unsurprising if, as has been suggested, the attacker got authorised access to a standard application programming interface (API) to the data. In order to be useful, the API would probably have been set up to automatically decrypt the requested data before sending it out to the requestor.

Encryption does secure data if it's set up correctly, but the data must be decrypted for practical use. Encrypting data on your laptop is useful if you physically lose it, but in normal use it conveniently and automatically decrypts everything for you as and when you need it. Similarly, encrypting data on a server in a data centre may provide protection against someone physically accessing the equipment and directly stealing the data, but not necessarily against an attacker who gains authorised or unsecured access through an online service.

Another approach could be to mandate that particularly sensitive information be kept in separate systems that require additional layers of authorisation to access. Thanks to the payment-card industry's data security standard (PCI DSS), that already happens with credit card numbers, which probably explains why Optus is confident the attacker didn't get access to customers' payment details. Arguably, similar protections should apply when driver's licence and passport numbers are being stored.

An even better answer could be introducing innovative approaches that allow companies to verify customers' identities without collecting or storing their personal information. One such solution that already exists is the Australian Digital Identity system, to which the government committed more than $250 million in funding in the 2020–21 budget. Customers sign up with an accredited identity service provider, such as myGovID, which verifies their identities against official government sources. They then use this verified digital identity to prove who they are to 'relying parties'.

One example already in operation is obtaining a tax file number online, where the Australian Taxation Office (the relying party) communicates with myGovID, which in turn uses a phone app to verify the physical presence of the individual. The customer chooses which data gets passed to the relying party, which then has the assurance of a verified customer identity without needing to directly obtain any personal details.

There are still many barriers to achieving broad uptake of such a system. In particular, security and privacy safeguards and responsibilities need to be clarified, since identity service providers would become high-value targets. More work is also needed on a proper legislative framework, acceptable governance arrangements and a charging framework.

The previous government published draft digital identity system legislation in late 2021 that would help stimulate the necessary debate on this subject, but the incoming government hasn't progressed it yet. Perhaps this incident will provide the encouragement needed to take on this thorny subject and find a way forward that could genuinely stop a repeat.
Rajiv Shah