Only a matter of time
Governments want you to ID yourself online for all manner of services.
Everything we provide is ripe for the picking, eventually*
* if not already
Australian authorities have asked the United States Federal Bureau of Investigation (FBI) to assist with investigations into the data breach at local telco Optus. Attorney general Mark Dreyfus yesterday revealed the FBI was asked to help identify the entities involved in the attack, which saw Optus leak data describing over …
No we should not put up with this
They stored these details unhashed and allowed employee's to query it
this is exactly like passwords were stored previously before anyone with a clue started to have doubts (think 1970)
they should have been hashed (so you can compare still easily enough) and only unencrypted by a select few i.e. legal when dealing with warrants.
this is exceptionally bad design
its going to cost the government (taxpayers) a lot of pain and money dealing with the fall out of a private companies failure
Hey Simon,
What do you think of the idea that there should be a one time use against a govt API to do identity verification and then the token is kept and nothing more?
I know that there is systems in place to do online document verification (Drivers license / passport) against govt systems, why not mandate something like this instead?
Berny
The thing that kills me here is that due to metadata retention requirements, when you close your account - these companies keep your information on file.
I've since found out that Telstra still have my personal information after closing my account with them over 6 years ago.
There are better ways to store this kind of data, especially since it's only used for ID checking when you initially open an account and are credit-checked.
"after closing my account with them over 6 years ago."
From what I've read here and elsewhere, they have to keep the data for 6 years. So if they still have it after 6 years, then it's time they ought to be deleting it. I don't know if they have a legal requirement to delete after the minimum retention period though. Odds are, that wasn't part of the law as written, ie minimum retention time is stated but no maximum.
I fully agree with what Berny says above though. There's no real need to keep any data long term, just a token confirming the data has been seen, verified and then deleted. No need to store most of it any longer than it takes to verify.
FBI is busy doing TV shows right now. Much to busy to work on anything that involves "laptop" computers from hell.
But, since this would make a good episode and can be PG rated comparted to laptop's X rating, ya know, they might just help, as they can make money off of it. Watch for previews of the case series this spring on CBS....
"... and therefore hopes very much that the company soon explains itself in a way that displays sincere regret and an intention to restore trust."
Oh, sure, no problem. You'll probably get an email later (or maybe a post on their Facebook page or such, if individual emails are too much of a hassle), explaining that "the security of [our] customers' information is our topmost priority", that it was "a sophisticated attack", probably by "state-sponsored hackers", that "only a small number of [our] customers are affected", "there is no evidence of any actual damage" from the theft, and that you're invited to supply your data to some credit-protection company (do they have that in Australia?), so that they can lose it, too.
Because of the data retention laws?
Probably something like someone gets a phone. Gives some fake ID. Say passport with real number and "biomtrrics" but fake none the less. Lets say a dew months later he is sharing in the most heinous of crimes (okay say kiddie fiddler, but more often it's not paying the bill for device and/or long term contract that is longer than some mortgages because Telcos are so freaking importatnt). Now someone has to be blamed.