{"id":823184,"date":"2022-10-02T23:46:19","date_gmt":"2022-10-02T23:46:19","guid":{"rendered":"https:\/\/dissidentvoice.org\/?p=134032"},"modified":"2022-10-02T23:46:19","modified_gmt":"2022-10-02T23:46:19","slug":"dated-and-fractured-optus-and-data-protections-down-under","status":"publish","type":"post","link":"https:\/\/radiofree.asia\/2022\/10\/02\/dated-and-fractured-optus-and-data-protections-down-under\/","title":{"rendered":"Dated and Fractured: Optus and Data Protections Down Under"},"content":{"rendered":"

Things are not getting better for Optus, a subsidiary of the Singapore-owned Singtel and Australia\u2019s second largest telecommunications company.\u00a0 Responsible for one of Australia\u2019s largest data breaches, the beleaguered company is facing burning accusations and questions on various fronts.\u00a0 It is also proving to be rather less than forthcoming about details as to what has been compromised in the leak.<\/p>\n

First, for the claimed story, which has been, at points, vague.\u00a0 On September 22, the telecommunications company revealed<\/a> that details of up to 9.8 million customers had been stolen from its database.\u00a0 Dating back to 2017, these include names, birth dates, phone numbers, email addresses and, in a number of cases, addresses, passport numbers or driver\u2019s licenses.<\/p>\n

Fittingly, and perversely, a study<\/a> from the Australian Institute of Criminology that same year found that one in four Australians had been victims of identity crime or a general misuse of personal information.\u00a0 A less than comforting observation from the authors was the remark that such rates were \u201ccomparable with the 27 percent reported by respondents to the identity fraud survey conducted in 2012 for the United Kingdom\u2019s National Fraud Authority\u201d.<\/p>\n

In the case of Optus, the company claims that the breach arose from a \u201csophisticated cyberattack\u201d.\u00a0 The view from those outside Optus is somewhat different.\u00a0 The attack seemed to have occurred when an application programming interface (API) was linked to an Optus customer database, leaving that database easily accessible.\u00a0 In basic terms, an API permits the transfer of data.\u00a0 Left naked and vulnerable, it lets users merrily pry their way into systems they would otherwise not have access to.<\/p>\n

The almost tearful defence of the breach offered by Optus CEO Kelly Bayer Rosmarin was decidedly unimpressive, despite some prattling in the press<\/a> about \u201ca courageous and correct call to get in front of the media in a video call that felt strangely intimate and completely open\u201d.\u00a0 During a streaky display, she claimed that \u201cwe are not the villains\u201d and suggested that the API was not freely exposed.<\/p>\n

Bayer Rosmarin, however, is defending a crumbling front, made almost absurdly stark by her unimpressively light burden of responsibilities.\u00a0 Foremost among them have been making<\/a> Australia\u2019s recently retired tennis star, Ash Barty, the company\u2019s Chief Inspiration Officer, and Australian Formula One racer Daniel Ricciardo the Optus Chief Optimism Officer.<\/p>\n

Less laughable is the general dislike for regulatory oversight in data security exhibited by a whole spectrum of Australian companies.\u00a0 As Tom Burton from the Australian Financial Review<\/em> sniffily remarks<\/a>, \u201cintense lobbying from financial, payment, telco, media and marketing interests\u201d retarded reforms towards \u201ca trusted, secure, reliable and efficient regulatory regime to manage the burgeoning digital economy and the data that fuels it.\u201d\u00a0 As a feature of this reluctance, Australian banks muttered and grumbled when asked to confirm bank account holder details linked to the account prior to making payments.<\/p>\n

Those found wounded and floundering in terms of identity breaches have had little by way of remedial recourse.\u00a0 Australians, almost uniquely in the Anglo family of smug self-praise, have no self-standing right to sue for the civil wrong of a breach in privacy.\u00a0 The Australian common law remains perversely stubborn in articulating a clear tort on the subject, and legislators have been less than swift in moving matters into legislation.<\/p>\n

The Privacy Act 1988<\/em> (Cth), given its numerous exemptions for small businesses, employee records, media bodies and political parties, is but a poor, shabby cover.\u00a0 It certainly falls far short of its European cousin many times removed, the General Data Protection Regulation (GDPR).<\/p>\n

In a 2019 report<\/a> released by the Department of Home Affairs under Freedom of Information, David Lacey and Roger Wilkins, a former secretary of the Attorney-General\u2019s Department, found that \u201coverall, the response system [to data breaches] is either non-existent or performing poorly from a citizen\u2019s perspective.\u201d\u00a0 The authors \u201cobserved significant deficiencies in response standards, formal reporting channels of Government, and meaningful protection for consumers.\u201d<\/p>\n

The condition was made egregiously worse by Australian legislation<\/a> mandating the retention of customer data for up to two years, though there is no strict requirement not<\/em> to keep such data after that period.\u00a0 The Department of Home Affairs states<\/a> that such a policy ensures \u201cAustralia\u2019s law enforcement and security agencies are lawfully able to access data, subject to strict controls.\u201d<\/p>\n

The Telecommunications Consumer Protections Code<\/a>, overseen by the Australian Communications and Media Authority, also permits telcos to hold personal data for billing information purposes \u201cup to six years prior to the date the information is requested\u201d. This does not, however, necessitate the retention of passport details, driver\u2019s licenses and Medicare numbers.<\/p>\n

The implication of such provisions is unmistakable.\u00a0 They have encouraged companies to engage in a course of conduct that has made security feeble and breaches likely.\u00a0 They have become the shoddy handmaidens of government paranoia.<\/p>\n

Entities such as Optus simply cannot be seen to be reliable in responding to such crises. The sombre assessment<\/a> from digital rights advocate Lizzie O\u2019Shea is dire. \u201cMy third law of IT is that every time there is a data breach, one of the first lines out of the spokesperson\u2019s mouth is that they take security seriously \u2013 even if they have demonstrably proven they are not.\u201d\u00a0 While accepting the obvious point that Optus is not directly responsible for the conduct, she stingingly suggests that \u201cyou can\u2019t complain that something\u2019s been stolen when you haven\u2019t locked the front door.\u201d<\/p>\n

The policy implications are vast.\u00a0 Should such telcos be required to hold data as required under problematic data retention law that has been assailed in the EU?\u00a0 (In September, Germany\u2019s general data retention law was found<\/a> by the European Court of Justice to violate EU law.)\u00a0 Making such organisations holders of such information renders them rich targets.<\/p>\n

Penalties have been proposed.\u00a0 In the context of the European Union and California, stiff monetary sanctions apply, a point Home Affairs Minister Clare O\u2019Neil has noted.\u00a0 Current fines in the order of A$2.2 million for companies and A$440,000 for individuals are risible.\u00a0 There are promises from Optus to fork out to replace compromised documents. But in terms of legislative protections, Australian policy makers continue to look at data protection through a lens fractured and dated.<\/p>The post Dated and Fractured: Optus and Data Protections Down Under<\/a> first appeared on Dissident Voice<\/a>.\n

This post was originally published on Dissident Voice<\/a>. <\/p>","protected":false},"excerpt":{"rendered":"

Things are not getting better for Optus, a subsidiary of the Singapore-owned Singtel and Australia\u2019s second largest telecommunications company.\u00a0 Responsible for one of Australia\u2019s largest data breaches, the beleaguered company is facing burning accusations and questions on various fronts.\u00a0 It is also proving to be rather less than forthcoming about details as to what has [\u2026]<\/p>\n

The post Dated and Fractured: Optus and Data Protections Down Under<\/a> first appeared on Dissident Voice<\/a>.<\/p>\n","protected":false},"author":30,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[175,5686],"tags":[],"_links":{"self":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/823184"}],"collection":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/comments?post=823184"}],"version-history":[{"count":1,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/823184\/revisions"}],"predecessor-version":[{"id":823185,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/823184\/revisions\/823185"}],"wp:attachment":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/media?parent=823184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/categories?post=823184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/tags?post=823184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}