New approaches are needed to prevent another Optus-level data breach

Last week’s Optus data breach exposed the personally identifiable information of up to 9.8 million customers and former customers in Australia, including sensitive identity document details, with records dating back to 2017.

Although the full extent of the hack is still emerging, there are already important lessons we can learn, beyond the usual clichés such as “data breaches are a matter of when, not if” and the generic tips about changing passwords and patching systems that are recycled after every major cyber incident.

Although Optus has made it clear that no financial details or passwords were stolen, the biggest concern is the leaking of customers’ names and dates of birth, coupled with details such as driver’s license or passport numbers: exactly the information needed to pass a 100-point identity check, and therefore the perfect ingredients for fraud, scams and manipulation.

In the short term, it is Optus’ responsibility to notify affected individuals, who then need to monitor their accounts and credit activity. More broadly, Home Affairs Minister Clare O’Neil is expected to announce reforms requiring banks and other institutions to be notified of breaches more quickly so they can protect customer accounts. We will never stop 100% of cyberattacks 100% of the time, so this would be a good step forward in improving the ability of our economy and society to recover from such incidents.

But what more could be done to reduce the risk of such breaches occurring in the first place, and to limit the immediate impact when they do occur?

Best practice is for organizations to store only the data they actually need and to delete it once it is no longer needed. Angry Optus customers have asked why the company kept such sensitive information about people for so long. However, telecommunications companies operating in Australia are required to verify the identity of those to whom they provide services, under regulations aimed at preventing many other kinds of crime. That obligation means they must also keep records of those checks for auditing purposes, typically for seven years.

If such data must be kept, how can it be made more secure? The standard response from armchair commentators is to recommend encrypting the data, which Optus says it had done. That did not seem to help. This is unsurprising if, as has been suggested, the attacker gained authorized access to a standard application programming interface (API) for the data. To be useful, the API would almost certainly have been configured to decrypt the requested data automatically before sending it to the requester.

Encryption secures data if it is configured correctly, but data must be decrypted to be of any practical use. Encrypting the data on your laptop is useful if you physically lose it, but in normal use the laptop transparently decrypts everything for you as you need it. Similarly, encrypting data on a server in a data center can protect against someone physically accessing the equipment and stealing the data directly, but not necessarily against an attacker who gains authorized or unsecured access via an online service.

Another approach would be to require that particularly sensitive information be kept in separate systems that demand additional levels of authorization to access it. Thanks to the payment card industry’s data security standard (PCI-DSS), this already happens with credit card numbers, which is likely why Optus is confident the attacker did not gain access to customers’ payment details. Arguably, similar protections should apply wherever driver’s license and passport numbers are stored.
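The two points above (encryption at rest is undone by any API that decrypts on request, and identity documents belong in a separately authorized store) are easy to see in code. The following is an added illustration written for this page, not code from Optus or from any product it uses. The toy cipher, the customer record, the OAuth-style scope names and the caller identities are all constructed for the demo.

```python
"""Encryption at rest vs. an API that decrypts on request (added illustration).
Demonstration only: the toy cipher (HMAC-SHA256 keystream plus HMAC tag) stands in
for a database's real at-rest encryption and must not be reused. The customer
record and caller scopes are constructed for the demo."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + tag + ciphertext  # tag authenticates both nonce and ciphertext


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, tag, ciphertext = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or nonce has been tampered with")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class EncryptedStore:
    """Rows are encrypted at rest, but get() decrypts transparently: any code
    path that can call it (such as a customer-lookup API) receives plaintext."""

    def __init__(self) -> None:
        self._key = os.urandom(32)
        self._rows: dict[str, bytes] = {}

    def put(self, record_id: str, record: dict) -> None:
        self._rows[record_id] = encrypt(self._key, json.dumps(record).encode())

    def get(self, record_id: str) -> dict:
        return json.loads(decrypt(self._key, self._rows[record_id]))

    def raw(self, record_id: str) -> bytes:  # what a stolen disk image would show
        return self._rows[record_id]


# Constructed sample customer; the name and document number are fictitious.
CUSTOMERS = {
    "c-1001": {"name": "Alex Example", "email": "alex@example.com", "plan": "Mobile 50GB",
               "identity_verified": True, "date_of_birth": "1988-03-14",
               "document_type": "drivers_licence", "document_number": "DL0000001"},
}
IDENTITY_FIELDS = ("date_of_birth", "document_type", "document_number")

# Hypothetical API callers with OAuth-style scopes (an assumption for the demo).
BILLING_APP = {"subject": "billing-app", "scopes": {"customer:read"}}
KYC_AUDITOR = {"subject": "kyc-audit", "scopes": {"customer:read", "identity:read"}}


def require_scope(caller: dict, scope: str) -> None:
    if scope not in caller["scopes"]:
        raise PermissionError(f"{caller['subject']} lacks scope {scope}")


def legacy_lookup(store: EncryptedStore, caller: dict, customer_id: str) -> dict:
    """One store, one scope: whoever holds or hijacks API access gets everything."""
    require_scope(caller, "customer:read")
    return store.get(customer_id)


def segregated_lookup(profiles: EncryptedStore, vault: EncryptedStore,
                      caller: dict, customer_id: str) -> dict:
    """Identity documents live in a separate vault that is consulted only for
    callers holding the additional identity:read scope; others get the profile."""
    require_scope(caller, "customer:read")
    record = profiles.get(customer_id)
    if "identity:read" in caller["scopes"]:
        record.update(vault.get(customer_id))
    return record


def build_demo() -> tuple[EncryptedStore, EncryptedStore, EncryptedStore]:
    legacy, profiles, vault = EncryptedStore(), EncryptedStore(), EncryptedStore()
    for cid, rec in CUSTOMERS.items():
        legacy.put(cid, rec)
        profiles.put(cid, {k: v for k, v in rec.items() if k not in IDENTITY_FIELDS})
        vault.put(cid, {k: v for k, v in rec.items() if k in IDENTITY_FIELDS})
    return legacy, profiles, vault


if __name__ == "__main__":
    legacy, profiles, vault = build_demo()
    print(b"DL0000001" in legacy.raw("c-1001"))                              # False
    print(legacy_lookup(legacy, BILLING_APP, "c-1001")["document_number"])   # DL0000001
    print(sorted(segregated_lookup(profiles, vault, BILLING_APP, "c-1001")))  # no document fields
```

The stored row never contains the license number in the clear, so a stolen disk image is useless; yet the legacy API hands it back to any caller holding the ordinary customer:read scope, which is the situation the paragraph on encryption describes. In the segregated version the same caller gets the service profile and the bare fact that identity was verified, and only a caller with the extra scope reaches the vault, mirroring how PCI-DSS keeps card numbers out of general-purpose systems.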

An even better answer might be to introduce approaches that allow companies to verify the identity of customers without collecting or storing their personal information. One such solution already exists: the Australian Digital Identity System, to which the government committed more than $250 million in the 2020-21 budget. Customers register with an accredited identity service provider, such as myGovID, which verifies their identity against official government sources. They then use this verified digital identity to prove who they are to “relying parties”.

An example that is already operational is obtaining a tax file number online, where the Australian Taxation Office (the relying party) communicates with myGovID, which in turn uses a phone app to verify that the individual is physically present. The customer chooses what data is passed to the relying party, which then has the assurance of a verified customer identity without needing to obtain personal data directly.
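The pattern described in the two paragraphs above (the provider holds the verified record, the customer consents to a subset of claims, and the relying party receives assurance rather than documents) can be shown in miniature. What follows is an added example written for this page; it is not code from the Australian Digital Identity System or from myGovID and does not describe their protocols. The provider record, the relying-party name and the claim vocabulary are constructed, and an HMAC key shared between provider and relying party stands in for the real system's signing and federation mechanisms.

```python
"""Identity assurance without handing over the document (added illustration).
Constructed demo: the provider keeps the verified record, the user consents to
a subset of claims, and the relying party gets a signed, short-lived assertion
carrying only those claims. A shared HMAC key stands in for real signing and
federation; nothing here describes myGovID or the Australian Digital Identity System."""
import base64
import hashlib
import hmac
import json
from datetime import date, datetime, timezone

SHARED_KEY = b"demo-only-shared-secret"  # assumption: registered per relying party
PROVIDER_ID = "demo-identity-provider"

# The provider's verified record (constructed). Document details never leave it.
PROVIDER_RECORDS = {
    "user-42": {"name": "Alex Example", "date_of_birth": "1988-03-14",
                "document_type": "passport", "document_number": "PA0000002",
                "verified_level": "IP2"},
}
# Claims a user may consent to release. Document numbers are deliberately absent,
# and over_18 is derived from the date of birth instead of disclosing it.
DISCLOSABLE = {"name", "verified_level", "over_18"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _over_18(dob_iso: str, now: int) -> bool:
    dob = date.fromisoformat(dob_iso)
    today = datetime.fromtimestamp(now, tz=timezone.utc).date()
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= 18


def issue_assertion(user_id: str, audience: str, consented: set, now: int) -> str:
    """Provider side: sign an assertion for one relying party (the audience),
    releasing only claims that are both consented to and disclosable."""
    record = PROVIDER_RECORDS[user_id]
    claims = {}
    for claim in consented & DISCLOSABLE:  # e.g. a requested document_number is dropped
        claims[claim] = _over_18(record["date_of_birth"], now) if claim == "over_18" else record[claim]
    payload = {
        "iss": PROVIDER_ID,
        "aud": audience,
        # Pairwise pseudonym: stable for this relying party, not correlatable across parties.
        "sub": hashlib.sha256(f"{user_id}|{audience}".encode()).hexdigest()[:32],
        "iat": now,
        "exp": now + 300,
        "claims": claims,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_assertion(token: str, expected_audience: str, now: int) -> dict:
    """Relying-party side: check signature, issuer, audience and validity window."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["iss"] != PROVIDER_ID or payload["aud"] != expected_audience:
        raise ValueError("assertion was not issued for this relying party")
    if not payload["iat"] <= now < payload["exp"]:
        raise ValueError("assertion expired or not yet valid")
    return payload


def telco_signup(token: str, now: int) -> dict:
    """What a hypothetical telco (the relying party) would store: claims, not documents."""
    payload = verify_assertion(token, "telco-signup", now)
    return {"customer_ref": payload["sub"], **payload["claims"]}


if __name__ == "__main__":
    NOW = 1664582400  # 2022-10-01 00:00 UTC, fixed so the demo is deterministic
    token = issue_assertion("user-42", "telco-signup", {"name", "over_18", "document_number"}, NOW)
    print(telco_signup(token, NOW))  # name and over_18 only; no passport number anywhere
```

Even though the relying party asked for the passport number, it is not in the set of disclosable claims and never appears in the assertion; the telco ends up holding a pseudonymous reference, a name and an age assertion, none of which is enough to pass a 100-point check if it is later breached. The audience and expiry checks are what stop a captured assertion from being replayed to a different relying party or long after the fact.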

There are still many barriers to widespread adoption of such systems. In particular, security and privacy safeguards and responsibilities need to be clarified, as identity service providers would become high-value targets. Further work is also needed on an appropriate legislative framework, acceptable governance arrangements and a pricing framework.

The previous government published a Digital Identity System Bill at the end of 2021 that would help stimulate much-needed debate on the topic, but the new government has yet to progress it. Perhaps this incident will provide the impetus needed to broach this thorny topic and find a way forward that could truly prevent a repeat.