Years ago hotels and currency exchanges when traveling abroad would simply look at your passport, and maybe write down some info by hand. Then they started photocopying the passport. And now they scan it. Full color high-resolution scan.
I dislike this intensely. All kinds of random places are keeping hi-res scans of documents that are perfect for identity theft and fraud. I've tried suggesting that looking at the passport should be sufficient to verify my identity -- they don't need to make a copy of it -- but I've had no luck.
Has anyone had success at pushing back on this? Are there laws in any country that say that you can't take photocopies or scans of customers' passports?
It's better to assume that the data page of a passport is public information. There are far too many places in the world where storing a copy of the information (at least for foreign visitors) is a legal requirement.
Also, high-resolution scans of passports are not a new thing. They were already pretty common in the late 2000s. The biggest change from then is that hotel employees are now more likely to be comfortable with electronic documents than paper copies.
> It's better to assume that the data page of a passport is public information.
Unfortunately there's a disconnect here for what it's used for.
If that page is treated as public information, then information on it can't also be used for the 100 Points of ID that public and private organisations want.
The document number on my passport is enough to get a credit card with a high limit in my name, sent to an address that's never before been connected with my identity. Maybe some more conservative banks will want the address to match.
That information is precisely what was leaked by Optus.
A house booked and paid through booking.com wanted me to email them a copy of my passport. I said no, but they could see it in person when I arrived. When they arrived they wanted to take a photo of it. I said no, then, too.
They were really quite unhappy about that, and claimed they've had people stay on fraudulent cards before, and this was the only way to protect themselves.
Employers doing things like SOC2 are also wanting to go through third party background-check services. All of those also want things like selfies and scans of passports. They all claim the same "We delete it after the check is complete" thing, too, which I don't believe.
Interesting twist here is that after being criticised for storing all this sensitive data even years after customers left, Optus has pointed out that they are required to do so by data retention laws the government itself created.
If you accept perfect security is impossible (everyone should) then anybody creating data retention laws (ie: the government) really has to also assume some level of responsibility for the risk that the data is going to leak.
There are efforts underway to enable complying with these rules _without_ hoovering up data, but they are not progressing nearly as fast as they need to.
> The one doesn't excuse the other; if you're required to keep this data you should be treating it with the respect it deserves.
It kind of does. If Optus hires the world's most competent security person, the first comment on this subject would be "there is no commercial or technical upside to storing this data, and massive risks if it leaks. We should delete it immediately".
If the government swoops in and bans them from fixing the problem, it is a bit weird for the government to also penalise them for not fixing the problem. Optus is legally barred from putting an engineering solution in place to remove this risk.
Literally the only two outcomes here for Optus are:
Option 1 - wasted storage fees.
Option 2 - international scandal.
They aren't allowed to pick any other option. It isn't fair to get angry at them for a rather predictable outcome of spreading PII around. Sure with hindsight they could have done a better job of sticking to the first outcome, but seriously if they had the choice it would have been option 3 - take money, ask no questions. Maybe store a credit card number, maybe just use Paypal like a normal merchant.
But they do have to make it available to be accessed quickly and cheaply. Plus maybe the police have requirements that it can be accessed in bulk quickly and cheaply.
Anyway, point being, this is demanding Optus be good at something they never signed up for, don't want to be good at. It really sits with the government to decide how the data should be stored and to taxpayers to stump up the money to store it. Optus shouldn't be lumped with this sort of silly responsibility. They don't want it, don't need it and apparently aren't good at dealing with it.
> But they do have to make it available to be accessed quickly and cheaply.
Define quickly, what does the rule say? Is a day not fast enough?
> Anyway, point being, this is demanding Optus be good at something they never signed up for, don't want to be good at.
They already should be good at protecting data. This is making them protect somewhat more important data than they otherwise would, but it's not demanding any new skills.
If Optus have said that, they're lying. Data retention laws do not require you to hold identity documents. At any rate, data retention requirements do not excuse poor security.
I'm furious about this data breach. I think our laws need to be updated to make sloppy security an existential threat to businesses. Optus should be fined by the Australian government within an inch of their life. It's not ok to profit from sloppy security work then leave regular people to pick up the tab when it goes wrong.
And we need to put other companies with terrible security on notice. I think the only way big companies will move is by making their executive team sweat money.
That's how it works everywhere else in the economy - if your negligence causes harm, you're liable. Serve bad food in a restaurant? Sued. Sell sporting equipment which causes injury? Sued. Misrepresent yourself? Sued, and potential criminal charges. Medical malpractice? Sued. But somehow, if your sloppy software causes harm that's ok? What rubbish. Security malpractice should bear the same punishment as everything else.
Maybe the price of paid software will go up. That's fine. Maybe there aren't enough qualified security engineers. Also, fine.
If you don't have the expertise to manufacture a safe car, we've decided you can't enter the car business at all. Likewise, if you don't have the technical skill to keep my data secure, you have no business storing my data at all.
Optus was already subject to an enforceable undertaking for a previous breach. They were supposed to uplift their security, but they did the bare minimum required by the judge. The bare minimum in this case was to apply automatic patches to the production systems only. They ran the update tools on end-of-life products -- which does nothing -- and then marked them as done. Non-production systems were specifically excluded from updates because they weren't mentioned in the court order.
This breach happened through a non-production system. Shock. Surprise.
The Australian version of the NSA, ASD, produces very good information security guides for network design and security hardening. Obviously not read by the Optus CEO (Which is kinda insane, when did a telco stop being a tech company?).
Anyway, a key point is not to have a network design that's like a Poland where people can just drive across it with little effort. That goes for developers and hackers. It should be organizationally hard for a developer to request to connect a test application to a production system. Change control should automatically put that as a ticket for review and the network team should also be cagey about doing it. It was a big oversight.
The mixing of personal data back into an insecure test system is also a bit iffy.
If you think about classification for government secrets, sometimes a large volume of low level data will attract a high protection. Because its loss represents significant harm.
Optus should have seen its database of client secrets as a top secret asset and guarded it as such. The release of this information is having profound impacts on many governments, and government systems as well as the individuals (50% of Australia almost).
I think we are still too accepting of non technically literate CEOs. They don't have to know how to solve all the issues but they should know to be very very curious about their IT systems. And this is a telco!
The culture of many orgs that we would naively think of as "IT shops" is often wildly different. Telcos especially are a weird bunch because of their history and the way they run projects.
Imagine you're a project manager at a telco, and you are given a project to make a network link from a capital city to a nearby town. You hire some contractors to dig up the dirt, lay down the fibre, put the dirt back in, and then you are done. The project is finished! The budget is spent, and then there is no more money, and nothing to spend it on anyway.
Fibre does not need security patches. Fibre does not need monthly updates. You can simply forget about it, because it doesn't have an end-of-support date. Copper will eventually corrode away and need replacing, but we're talking timescales on the order of 40, 60, 80 years or more, not 4-8 years like in the software world.
Those project managers get promoted, eventually to senior management. The whole budget starts revolving around this short-term, "done and dusted" type projects. Nobody at any senior layer of management develops an expectation of anything else. You deploy things, then you move on to the next project! MOVE. ON.
The same people manage IT and software, but this is a relatively new thing. Certainly a new scale to these organisations. I've been in telco "data centres" 20 years ago, and they were... cute. Just a big office room with maybe two dozen racks in them, the majority of which were optical switching gear.
Now? Telcos might have thousands of virtual machines running tens of thousands of distinct pieces of software. Software deployed in projects run by the same project managers that were used to laying fibre and walking away.
This kind of breach is the consequence of this corporate culture. It's not just the CEO, it's also the COO, the CFO, the CIO, and all the way down to all but the last tier of random befuddled contractors wondering why they're not allowed to touch anything that's not actively being built new.
Don't think for a second that any of the other major telcos are any different or better.
I agree that treating production vs non-production as a dichotomy can be problematic, but that doesn't mean some systems aren't more sensitive than others.
Also security is not one dimensional. A system's required level of confidentiality might be very different from its required level of availability. Being explicit about this might be better than trying to lump different requirements into a "production" label.
> There's no such thing as non-production/production systems
Strongly disagree. If it's an isolated copy of your production system with fake credentials, fake data, etc, there's no associated risk. We explicitly turn off various security checks in our nonprod environment because it makes it easier to poke around and debug issues. That would never fly in prod, for obvious reasons.
I guess the main assumption here is “if it’s an isolated copy of your production system”
If that’s truly the case, and they’re fake data, I’d generally agree. That isn’t what’s happened with Optus and I dare say with many other orgs where nonprod is generally interchangeable with less secure
> There's no such thing as non-production/production systems imho
From a security point of view I agree - certainly my current employer makes no distinction and a vulnerability is a vulnerability no matter where it is.
Many are.. they're behind some minimal security because if they're truly non-production they have a pile of fake data. I think one system I worked on had over 10k users with first name john_123 because... well my name is john and I'm lazy :)
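The comments above turn on whether a non-production system really holds fake data or a copy of production. An added example (not code from the original thread or from any company mentioned in it) of the scrubbing step that makes the difference: a production extract is pseudonymised before it is loaded into a test environment. Identifiers are replaced with format-preserving fakes derived from a keyed hash, so the same customer maps to the same fake value across tables without a lookup table, while non-sensitive fields (plan type) are kept so tests still exercise realistic shapes. The sample records, the field names and the scrub key are constructed for the example; in practice the key lives outside the non-production environment and the leakage check runs as a gate before the load.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Set

# Constructed sample "production" rows for the example; not real data.
PROD_ROWS: List[Dict[str, str]] = [
    {"customer_id": "1001", "name": "Jane Citizen", "email": "jane@example.com",
     "licence_number": "AB123456", "plan": "prepaid"},
    {"customer_id": "1002", "name": "John Smith", "email": "john@example.org",
     "licence_number": "CD987654", "plan": "postpaid"},
]

# Constructed scrub key. Must not be present in the non-production environment,
# otherwise the pseudonyms could be linked back to the real values by brute force.
SCRUB_KEY = b"example-scrub-key-not-for-real-use"

# Fields that must never reach non-production in their real form.
SENSITIVE_FIELDS = ("name", "email", "licence_number")

LETTERS = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # I and O left out to avoid 1/0 confusion
DIGITS = "0123456789"


def _pseudo(label: str, value: str, alphabet: str, length: int) -> str:
    """Deterministic fake drawn from `alphabet`, keyed on the real value.

    The label separates namespaces so the letters and digits of one fake
    licence are not derived from the same digest bytes. The modulo step has
    a small bias, which is acceptable for test fixtures (not for secrets).
    """
    digest = hmac.new(SCRUB_KEY, f"{label}:{value}".encode(), hashlib.sha256).digest()
    return "".join(alphabet[b % len(alphabet)] for b in digest[:length])


def fake_licence(real: str) -> str:
    """Two letters + six digits, the same shape as the sample real numbers."""
    return _pseudo("licence-letters", real, LETTERS, 2) + _pseudo("licence-digits", real, DIGITS, 6)


def scrub_for_nonprod(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return a copy of `rows` with every sensitive field replaced.

    customer_id is kept so joins between tables still work; it carries no
    identity on its own in this schema (an assumption of the example).
    """
    out = []
    for r in rows:
        fake = dict(r)
        handle = _pseudo("user", r["customer_id"], DIGITS, 6)
        fake["name"] = f"Test User {handle}"
        fake["email"] = f"user{handle}@test.invalid"  # .invalid never resolves
        fake["licence_number"] = fake_licence(r["licence_number"])
        out.append(fake)
    return out


def find_prod_leakage(scrubbed: List[Dict[str, str]], prod: List[Dict[str, str]]) -> Set[str]:
    """Gate before loading: any real sensitive value surviving into the scrubbed set."""
    real_values = {r[k] for r in prod for k in SENSITIVE_FIELDS}
    return {r[k] for r in scrubbed for k in SENSITIVE_FIELDS if r[k] in real_values}


if __name__ == "__main__":
    scrubbed = scrub_for_nonprod(PROD_ROWS)
    leaked = find_prod_leakage(scrubbed, PROD_ROWS)
    assert not leaked, f"refusing to load non-production fixture, leaked: {leaked}"
    for row in scrubbed:
        print(row)
```

The leakage check is deliberately a separate function from the scrubber: a scrubber that is later edited to skip a field fails loudly at the gate rather than silently shipping real licence numbers into a test database.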
I like the way Japan approaches data leaks. The government is able to fine a company a fixed amount per person (how much depends on the nature of the PII leaked) and are also able to prevent a company from trading for a period of time. I don't have any figures to say how well it works, but I can say that companies over here are bloody afraid of the consequences.
Anecdata, but I think for pre-paid services Optus never stored that information, and only used it for the required identification.
I had activated a pre-paid Optus service (in a store, using my drivers' licence as ID) but let it lapse a year ago, and allegedly my licence number was not in the breach.
I had a prepaid Optus number too. I let it lapse years ago but I got the same email about name, number address being leaked, but not license or passport numbers.
I never used the Optus number and I have moved since then. So maybe impact is minimal. But I'm still angry.
With respect, that's not right. I've advised Australian companies of all sizes (from one-man bands to ASX-listed companies) for decades, and they are very heavily motivated by avoiding bad press from a preventable accident, avoiding company and personal reputational damage, being fired, being sued personally (noting that eg D&O insurance almost invariably excludes fraudulent acts), suffering regulatory investigation/enforcement (including eg fitness to hold licences) and because a surprising number of people believe that it is important to do the right thing, and (contrary to popular belief on the interwebs) this doesn't change just because they are employed in a business.
In cases where there is intentional wrongdoing, existing laws already make complicit people liable both to civil action by people harmed, plus criminal or civil penalty provisions by ASIC (or the ACCC, depending on the industry and conduct). As a plaintiff, you typically join them to increase your potential pool of recoverable assets for your clients.
The same is true if there are breaches of the Australian Consumer Law, and the person has a particular level of knowledge that is below intention.
In cases of pure negligence, like this, if the negligence rises to a criminal standard, then criminal laws and penalties already apply. How and when this works has been a topic for over 50 years, since Tesco v Nattrass in the UK.
In other words, there are already very significant legal mechanisms in place, and by and large they work - and not all of them involve having executives personally liable. In any event, many already do, and this has been worked out carefully over a long period.
The whole idea of forming a business entity is to limit the liability of its principals. This is an important incentive to make people go into business without risking their home and whatnot. Let's not throw out the baby with the bathwater.
I think the limited liability is for debts to creditors and shareholders, rather than limited liability against criminal or other behaviour.
Maybe I’m wrong, but as I understand it, Australian law treats a corporation as a person and the directors are answerable if the corporation breaks the law.
The real problem (as I see it) is that a company the size of Optus can afford to defend their behaviour for so long that enforcement itself becomes a burden. The closer you get to the CEO and board, the more they will spend shareholders money defending themselves.
Companies exist to limit the liability of shareholders / investors, not principals. The idea is that you can buy equity and receive dividends if the company goes well, without standing to lose more than you put in if the company harms others through mismanagement. The company doesn't shield the directors from personal liability for that mismanagement as a matter of law, it just pays for high quality legal representation if the allegation is made.
Oh let's. Please. The 'baby' is killing our entire living world, and nothing short of removing the idiocy of limited liability is very likely to save it.
Actions without proportional consequences were never going to lead to anywhere but destruction. Folk psychology told us that was likely (however much virtual-economists feigned ignorance). Empirical reality has confirmed it.
It's also fair to shareholders of public companies who are often also getting screwed by their executives who are abusing an agency conflict of interest in order to pad their own bonuses, at expense to both the shareholders and society.
This is a straight up case of negligence, just via a different means and with different damage from usual. The only impediment to suing is the cost of doing so vs the damage suffered, which is still too high for the average person.
The usual way around this is via a class action, and there are already at least 2 being prepared that I know of. They will run and probably settle at some point. The main thing to be policed is to avoid the funders and solicitors taking too much of the proceeds, although that process is already in hand due to recent abuses.
> I think our laws need to be updated to make sloppy security an existential threat to businesses.
No. Or perhaps yes, but only in part. Our laws need to be updated to make corporate malfeasance in general an existential threat to executives and board members, as individuals. Ordinary Aussies end up in jail for unpaid parking fines. Centrelink 'customers' (ugh) get robodebted, often into depression, sometimes to death. The "law" rules us plebs with a rod of iron, and wields it with abandon. Heads of industry get away with pretty much anything. If they want to skirt a law, all they have to do is shove fines on balance sheets. Those fines can be in the millions or billions; they're just another business expense.
Suits in jail would change the so-called 'incentives' (myopic concept though that is) dramatically. "More suits in jail" should be the catchcry of the next few generations. Every T shirt. Every graffito. Every pop song.
Of course to really fix this stuff we have to go after 'investors' and eliminate the absurdity of limited liability ("gamble on destroying the world and risk only your stake!"), but that ideology is now so culturally rigidified it would require a collapse of 'civilisation' to eliminate. That may well be coming of course.
If this company is fined a large amount of money or goes out of business because of those fines; executives will be fine as they often have a diversified portfolio, savings, and friends. However, to make up that loss they could raise prices or fire employees.
It's not perfect, but I think levying massive fines would still be quite effective. Nobody wants to be the CEO at the helm when a successful company was ruined, or where the stock price tanked due to bad management decisions.
Imagine a car company which sold cheap cars that injured people. "If we fine them for their actions, the executive team will just raise prices or fire employees!". Yeah - maybe don't sell a car that's so cheap that it causes accidents.
Certainly it would be much more effective than the system we have now - where their negligence seems to have had no negative consequences for the company.
But if you're suggesting there should be personal liability for CEOs as a result of data breaches like this, then I think I could be convinced.
I don't think the CEO has direct knowledge of the company's security and the only method of control is to hire who they think is the best CTO. Then the same for the CTO and whomever he hires, etc. The general attitude I've seen is that you hire someone below you and put nearly 100% trust in them, they are in control. Anything else is considered just inappropriate, like micromanagement for example.
"Nobody wants to be the CEO at the helm when a successful company was ruined"
Are successful people really concerned about pride? I always thought it was money and I'm not being sarcastic. I tried to find some data to back this up but couldn't. However as an anecdotal example Henry Ford II was the CEO/chairman/president from 1945 to 1980. This includes the period where the Ford Pinto (70-80) existed and received huge amounts of negative press. It's also when imports were starting to take a major toll on American car manufacturers (late 70s). The only reason he retired was the mandatory retirement age at Ford.
To fix this I think we need to ignore punishments for now and focus on prevention. A government agency, funded by fees, should do yearly audits on companies that have more than X users or some other variable to confirm compliance.
And yes, Boeing has this but they were too chummy with the regulators and this and that. Even though it's not perfect it's a first step. We can fix the problems similar to what came about in the aerospace industry later.
Would this apply to government run entities? Like should the person who headed the CovidSafe app do time or cop a fine? I'd be cool with getting Mr Morrison in front of a judge for pushing that.
Honestly I trust my data with Optus way more than a company that can't build a secure MyGov app where my tax and health info are stored.
Yeah, you are talking about a death penalty for corporations (corp-death). It’s been suggested before. Thing is that probably the main reason corporations were invented is to limit liability, thus enabling them to do amazing industrial and technical feats. Making a covid vaccine for example. At the same time, it also gives you Big Tobacco. Changing this faustian bargain will have quite large effects. Corporate access to capital will become more expensive. Executives will become less bold. Corporations will become even more bureaucratic. Employees will spend a lot of time shifting responsibility around. It could be net negative. I don’t know what the solution is.
Affected Optus customer here (received an email indicating I was impacted). They never had my passport details (there have been some links going around when logged in to see the payload of your PI involved in the breach) but they certainly have my name, address, phone number and drivers license number in the data.
Fortunately we're able (in South Australia) to get our drivers licenses changed over free of charge if impacted, which I'll do but now that's something else I need to get around to doing... I wonder how many of these costs will be forwarded on to Optus on behalf of the government
Also in SA, and also contacted by Optus. The thing that shits me is that I haven’t been a customer in a couple of years. They really shouldn’t have details unnecessarily stored unless there is some government requirement.
Why in the world did a telco need your drivers license in the first place? I assume you don't have to be a licensed driver to get phone service in Australia.
edit: HN is rate limiting me but like, any phone number? You need ID even for a prepaid one? And why do they need to keep this on file?
In addition to what other siblings already said, in Australia we have a scoring system to prove your identity (called "100 point identification") and depending on the score needed, drivers licence can get you there so it's used very often. This system is for Government entities but private companies often take inspiration from it
An interesting thing is that "100 point ID" applies to physical documents, but somehow it's been conflated with the number on the document being equivalent. One is obviously more easily copied than the other, and scales better for fraudulent use.
KYC for a gd phone number... honestly the whole attacks on E2EE make a lot more sense now with the background of that kinda shady stuff going on beforehand. praying for y'all, hope the digital rights situation gets better there.
I had the exact same experience as you (no passport details leaked). I wonder if the passport data is more for tourists getting Optus sims. Nice to see another South Aussie here!
Well, it will be whatever you used for your 100 points of ID to open an account to begin with. So most people would have used a drivers license. My guess is that the passports is mostly people without a drivers license.
With luck, this may be the precedent the world needs to shake up lax privacy everywhere.
If the Australian Government actually goes through with its threat to make Optus pay millions to cover the cost of the damage its lax security has caused then the idea may catch on elsewhere.
It seems to me that at the risk of going bankrupt over a breach of its customers' privacy a company would want to divest itself of as much information about its customers as was possible.
Would they have to pay millions for the covidsafe leaks?
I mean I hope the Government goes after that Service NSW Data Breach too. Would be cool to see huge fines put to them. Would I get some of my tax back for that?
People should 100% sue, but that the Gov says anything is laughable.
"We are outraged.".. "Didn't you have a breach last year?".. "I said we are outraged. Don't look over there. Look over here."
I find amusing that in some countries those numbers are treated as secret. In mine all that information is public, you can even look for somebody by name or ID in a government website.
It's what happens when a country dismisses a proper national ID number/card -- the nearest available substitute gets used, sometimes regardless of how well the substitute works as an ID. The United States Social Security card/number comes to mind as a particularly egregious example, though I'd also consider drivers' licences (as is common in Australia) to also be a bad substitute.
For anyone interested in Data Erasure requests.
I've been using the service Mine lately. It scans your mailbox to identify and prioritise businesses that you've dealt with who likely hold financial and other personally identifiable information on you.
You can then select the businesses you would like to forget about you and Mine will send pre-written emails on your behalf and monitor for replies.
The experience has been enlightening. This is what I've found after sending 50ish requests:
- A small number of businesses already have a process in place to deal with such requests and action immediately without further correspondence
- Others ask that you fill in a form (pdf or web) to start the process
- A large number won't get back to you for around a week or two and eventual responses appear to be written by a person
- A small number tell you they can delete some data but not all. e.g. Compare the Market. In the past I've used Compare the Market to purchase insurance products, that sale is linked to my personal details and so they can not delete. I'm not sure why this is the case. Maybe there are compliance reasons but it is a little worrying that these middle-men companies that live on commission either can't or won't erase my data.
The big one that's been mentioned in other HN threads on this is Car Rental companies. I made it a priority to deal with them first. They have all manner of sensitive information and their size, tenure and CX don't instill me with confidence.
Ideally, but I'm willing to trade... temporarily, only because it's not my primary, or even my personal inbox.
Why waste 100 hours of my own time, minimum, going through my hundreds of thousands of emails adhoc to find examples like receipts from 10 years ago from an obscure ecommerce site?
Yeah, I definitely see the appeal on that. I'd pay for this as an offline app that doesn't hand over all my emails to a random third party though. Pity it's only Goog/MS/Yahoo so far too. Really, it should be any IMAP server and offline only. Someday maybe?
"Optus is not aware of any security events which would warrant revisiting the security obligations imposed on regulated entities,” the telco’s submission stated."
Despite concerns that data retention could create a ‘honey pot’ for hackers, telcos already had in place security measures to protect customer data they already retained for commercial purposes, the department argued.
“Given this, it did not follow that the proposed data retention scheme presented an unmanageable level of risk to customer privacy,” its submission stated. “The evidence to date supports that the existing data security arrangement have been effective.”
To add more colour, here’s the first para of the linked article:
> Data retention: Government gave Optus ‘exemption’ from encrypting metadata
> Editor, Computerworld | 17 JULY 2019 6:46 AEST
> Optus says that it would have struggled to comply with its legislative obligations without a decision by the government that exempted it from a requirement to encrypt all metadata collected as part of Australia’s data retention regime.
The government 100% has some responsibility in this. I can’t express how much this pisses me off, and I’m not even an Optus customer. The OAIC, it turns out, is a farce.
I wish governments would heavily penalise companies that don’t take data security seriously. The threat of heavy fines is the only thing that will make large corporations do the right thing.
> Foreign Affairs Minister Penny Wong has asked Optus to cover passport application fees for anyone caught up in last week's massive data breach, which affected millions of Australians.
I wonder if this is actually intended to be an "ask", or if this is polite language for "we will legally compel them to".
>Passport numbers are among the personal details accessed in what the federal government has described as a "basic hack".
>Optus says the data breach was due to a "sophisticated" operation.
It would be good to know more details of the hack itself.
"[They] wanted to make integrating systems easier, to satisfy two-factor authentication regulations from the industry watchdog, the Australian Communications and Media Authority (ACMA)."
The process allegedly involved opening up the Optus customer identity database to other systems via what's known as an Application Programming Interface, with the assumption that the API would only be used by authorised company systems.
There's been some chatter on Twitter that at some point an Optus flack characterised the attack as "sophisticated" because the attackers "used Postman" so that's obviously caused a few laughs https://twitter.com/search?q=optus+postman+until%3A2022-10-0... .
And this is why they should be made to pay for it.
Companies should only collect data that they really need. One way to encourage this behavior is to punish them when a breach happens based on the amount of data they collect.
A data breach on a service that only has an email address on it matters a lot less to me than one that has my name, phone, address or picture of my id.
> Companies should only collect data that they really need.
Collecting and keeping this data is a regulatory requirement for Optus.
The problems with this breach have their roots in how identity is proven and verified in Australia. Far too much relies on possession of a physical document.
In America I usually prove identity for postpaid services with something like a utility bill which is at least not a government ID document. I understand a telco wants some identity before extending credit for any postpaid plan but can y'all not do the same?
To have an account with Optus, you need to provide a Primary ID such as an Australian Drivers Licence or current passport. (See: https://www.optus.com.au/for-you/support/answer?id=9438) They probably kept it on file, instead of verifying and discarding, potentially due to regulatory requirement.
My understanding is that it's a regulatory requirement, the Govt wants to know who specifically owns what SIM. If I remember right, this was introduced post 9/11. I may be spectacularly wrong on both fronts, though!
You are correct, but I’m pretty sure for prepaid services under a low threshold (4 SIMs?) a bank card is sufficient.
That doesn’t stop these companies just going for the big ID though, and for postpaid they are offering credit and will definitely require 100 points of ID.
Yes, they claimed they needed it to stop terrorism.
Then they detained an innocent person for the longest time without charge in recent history, including solitary for 23 hours per day, and not letting him access legal advice or contact his family, because terrorism.
From memory, you could get a prepaid SIM without an ID well after 9/11. I think it was introduced to get rid of burner phone SIMs back when SMS was still a thing.
Wait, y'all can't get burner phones in Aus? How do y'all make private phone calls or send private text messages if you can't dispose of the number after?
Most countries in the world require some form of ID to activate a new SIM card. The justification is usually that "burner phones are for terrorists and criminals". In the US, for example, Faisal Shahzad is often cited as an example.
And why is it stored in clear text. And why was it exposed to a regular API. And why was real data being used on a dev API. And why wasn't that API secured at all?
The answer for pretty much all of these is "woeful incompetence".
Knew a guy who used to work for Optus, he said their business SIP service was constantly getting hacked and their strategy for dealing with it was just to eat the losses and give out account credit like water, because their infrastructure was so outdated and poorly designed that it was functionally impossible to secure.
Honestly, Ausgov should rip Optus to shreds for this... not only for the data breach specifically, but also as a critical infrastructure operator they should be held to a far, far higher standard than an ordinary business.
Well, both sides of politics are talking about updating the privacy act with a significant punitive component, and it can always be made retroactive if Optus is not feeling sorry enough.
I would like to know why the alleged hacker backed down, stating that they have withdrawn the ransom request and deleted the stolen data.
It sounds like a convenient caveat to an agreement to pay ransom to the hackers, and I wouldn't put it past a big company here in Australia to pull that kind of PR trick.
We live in the Lucky Country after all, I doubt we'll ever know the truth.
Probably someone at ASD called the kid responsible at home and had a polite and friendly chat. Might have told him to make his bed, clean up his room and throw out his cumsock while they were at it.
ASD and ASIO have despised Singtel since they bought out C&W in the late '90s and want them out of the country. This whole media fiasco is a blessing for everyone. Might be able to finally cancel their carrier licence.
Since when are passport numbers secret? If that's real that's totally new to me.
In Israel you use your ID number, if a citizen, or passport number if not, in tons of transactions (as a citizen it somehow flows to your yearly taxes, not sure exactly), even stuff as mundane as getting gas needs an ID number.
If passport numbers are meant to be secret I suspect a lot of people are in for a rude surprise.
Optus are trying to contact everyone that's been impacted, and it sounds like it's only a small percentage of their total customer base. So at this stage you may be fine.
Yeah my math sucks -- off by one (order of magnitude) error.
Also the 2 million number was what I had heard in the news, seems the number is actually 3.8 million records having a document number, according to this screenshot[1]
ACMA [1] state you just need name, DOB, and address for prepaid service.
Post-paid generally is a lot stricter e.g. most telcos want 100 points of ID with at least one primary document such as driver's license or passport [2]. Not sure if that's a legislative requirement though, or just good business practice.
I understand that, I had been under the impression there was also legislation requiring telcos to verify customer identity (so you couldn't have an anonymous phone plan, or easily have one under a false identity). But I can't seem to find it, or it may not have been real to begin with.
"Ghost SIM"? Damn, they really sold y'all that Kool-Aid, huh? In America anyone can go buy an el cheapo prepaid SIM at a gas station with no ID, in cash, and it's not a "ghost SIM", it's just a prepaid phone (or a burner if you're fearmongering). I hate terms like this that beg the question that the default state is the government knowing who you are and anything else is a "ghost" SIM/gun/whatever and is "dangerous".
Due to Singtel gutting Optus's onshore support service Optus has been losing market share for years and has had to rely on heavy discounting. In 2021 they posted a $208m net loss.
This is probably the end for Singtel in retail telecommunications in Australia, and I don't know who would buy their network now that TPG and Vodafone have merged. They may just convert it to a much smaller wholesale only operation.