New approaches needed to prevent another Optus-level data breach
29 Sep 2022

Last week’s Optus data breach exposed the personally identifiable information of up to 9.8 million customers and former customers in Australia, including sensitive identity document details, with records going as far back as 2017.

Although details of the extent of the hack are still emerging, there are already important lessons we can draw—beyond the usual clichés such as ‘Data breaches are a matter of when, not if’, and the generic advice to change passwords and patch systems that gets recycled after every major cyber incident.

Although Optus has been clear that no financial details or passwords were stolen, the biggest concern is the leaking of customers’ names and dates of birth, matched with details like driver’s licence or passport numbers—the sort of information needed to pass a standard 100-point ID check, and hence the perfect ingredients for fraud, scams and manipulation.

In the short term, the onus is on Optus to inform the affected individuals, who then need to monitor their accounts and credit activity. In the bigger picture, Home Affairs Minister Clare O’Neil is expected to announce reforms requiring banks and other institutions to be notified more quickly about breaches so they can safeguard customers’ accounts. We will never stop 100% of cyberattacks 100% of the time, so this could be a good step forward to improve the ability of our economy and society to recover from such incidents.

But what more could be done to reduce the risk of such breaches occurring in the first place and to limit the immediate impact when they do occur?

Best practice is for organisations to store only the data they actually need and delete it as soon as it’s no longer needed. Angry Optus customers have questioned why the company kept such sensitive personal information for so long. However, telecommunications companies operating in Australia are required to verify the identities of those they provide services to, as part of regulations to prevent many other types of crimes. That obligation means they also need to keep records of such checks for audit purposes, typically for seven years.

If such data needs to be held, how can it be made more secure? The standard response of armchair commentators is to recommend encrypting the data, which Optus claims to have done. That didn’t seem to help. This is unsurprising if, as has been suggested, the attacker got authorised access to a standard application programming interface (API) to the data. In order to be useful, the API would probably have been set up to automatically decrypt the requested data before sending it out to the requestor.

Encryption does secure data if it’s set up correctly, but the data must be decrypted for practical use. Encrypting data on your laptop is useful if you physically lose it, but in normal use it conveniently automatically decrypts everything for you as and when you need it. Similarly, encrypting data on a server in a data centre may provide protection against someone physically accessing the equipment and directly stealing the data, but not necessarily against an attacker who gains authorised or unsecured access through an online service.

Another approach could be to mandate that particularly sensitive information be kept in separate systems that require additional layers of authorisation to access. Thanks to the regulations for online payments (known as PCI-DSS), that already happens with credit card numbers, which probably explains why Optus is confident the attacker didn’t get access to customers’ payment details. Arguably, similar protections should apply when driver’s licence and passport numbers are being stored.
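The two designs contrasted above, as an added illustration rather than code from Optus or any real system: a record store encrypted at rest whose API transparently decrypts for any authorised caller, beside a hardened variant that keeps identity-document numbers in a separate vault under a separate key and releases them only to a session that has passed an additional authorisation step. The cipher is a deliberately simple hash-based keystream standing in for AES-GCM, and all keys, names and record values are constructed.

```python
import hashlib
import json

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher (stand-in for AES-GCM): XOR data with
    SHA-256(key || nonce || counter) blocks. Same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

KEY_MAIN = b"main-db-key-constructed-example"
KEY_VAULT = b"vault-key-held-by-a-separate-service"
NONCE = b"demo-nonce"  # real systems use a fresh random nonce per record

# Original shape: the whole record, licence number included, sits encrypted at rest.
MAIN_DB = {"c001": keystream_xor(KEY_MAIN, NONCE, json.dumps(
    {"name": "A. Example", "dob": "1990-01-01", "licence": "12345678"}).encode())}

def api_get_customer_naive(session: dict, cust_id: str) -> dict:
    """Any authorised API session receives the fully decrypted record, so
    encryption at rest buys nothing once a caller has reached this endpoint."""
    if not session.get("authorised"):
        raise PermissionError("not authorised")
    return json.loads(keystream_xor(KEY_MAIN, NONCE, MAIN_DB[cust_id]))

# Hardened shape: the document number lives in a separate vault under its own key;
# the main record keeps only a reference and the last three digits for display.
VAULT_DB = {"c001": keystream_xor(KEY_VAULT, NONCE, b"12345678")}
MAIN_DB_SPLIT = {"c001": keystream_xor(KEY_MAIN, NONCE, json.dumps(
    {"name": "A. Example", "dob": "1990-01-01", "licence_ref": "c001",
     "licence_last3": "678"}).encode())}

def api_get_customer_hardened(session: dict, cust_id: str) -> dict:
    """Ordinary sessions never touch the vault; the full number is released only
    to a session that has passed an additional authorisation step."""
    if not session.get("authorised"):
        raise PermissionError("not authorised")
    record = json.loads(keystream_xor(KEY_MAIN, NONCE, MAIN_DB_SPLIT[cust_id]))
    ref = record.pop("licence_ref")
    if session.get("step_up_verified"):  # e.g. second approver or extra factor
        record["licence"] = keystream_xor(KEY_VAULT, NONCE, VAULT_DB[ref]).decode()
    return record
```

With the split design, a compromise of the general API session exposes names and dates of birth but not the document numbers, which is the subset this article argues most needs protecting.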

An even better answer could be introducing innovative approaches that allow companies to verify customers’ identities without collecting or storing their personal information. One such solution that already exists is the Australian Digital Identity system, to which the government committed more than $250 million in funding in the 2020–21 budget. Customers sign up with an accredited identity service provider, such as myGovID, which verifies their identities against official government sources. They then use this verified digital identity to prove who they are to ‘relying parties’.

One example already in operation is obtaining a tax file number online, where the Australian Taxation Office (the relying party) communicates with myGovID, which in turn uses a phone app to verify the physical presence of the individual. The customer chooses which data gets passed to the relying party, which then has the assurance of a verified customer identity without needing to directly obtain any personal details.
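The relying-party flow described in the two paragraphs above, as an added illustration and not code from myGovID or the Digital Identity system: the identity provider holds the attributes it verified once, the customer chooses which of them to release, and the relying party checks a signed assertion and gets assurance of a verified identity without the document number ever reaching it. The signature is an HMAC over a key shared between provider and relying party, a simplification of the public-key signatures a real deployment would use; all identifiers and record values are constructed.

```python
import hashlib
import hmac
import json
import time

PROVIDER_RP_KEY = b"shared-key-constructed-example"  # stands in for a signing key

# What the accredited identity provider holds after verifying the customer once
# against official sources; 'second_factor_ok' models the phone-app presence check.
PROVIDER_RECORDS = {"user-42": {"name": "A. Example", "dob": "1990-01-01",
                                "licence": "12345678", "verified": True,
                                "second_factor_ok": True}}

def issue_assertion(user_id: str, audience: str, release: list) -> dict:
    """Provider builds an assertion carrying only the attributes the customer
    chose to release, bound to one relying party and one point in time."""
    rec = PROVIDER_RECORDS[user_id]
    if not (rec["verified"] and rec["second_factor_ok"]):
        raise PermissionError("identity not verified")
    claims = {"sub": user_id, "aud": audience, "iat": int(time.time()),
              "verified": True, **{k: rec[k] for k in release}}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(PROVIDER_RP_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def relying_party_verify(assertion: dict, expected_aud: str, max_age: int = 300):
    """Relying party checks signature, audience and freshness before trusting
    any claim; returns the claims or None."""
    body, sig = assertion["body"], assertion["sig"]
    expected = hmac.new(PROVIDER_RP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if claims.get("aud") != expected_aud or not claims.get("verified"):
        return None
    if time.time() - claims["iat"] > max_age:
        return None
    return claims

def tfn_application(assertion: dict) -> dict:
    """Tax-office-style relying party: needs 'verified' plus a name, and can
    proceed without ever receiving or storing the licence number."""
    claims = relying_party_verify(assertion, "ato-tfn")
    if claims is None:
        return {"status": "rejected"}
    return {"status": "accepted", "name": claims["name"],
            "has_document_number": "licence" in claims}
```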

There are still many barriers to achieving broad uptake of such systems. In particular, security and privacy safeguards and responsibilities need to be clarified, since identity service providers would become high-value targets. More work is also needed on a proper legislative framework, acceptable governance arrangements and a charging framework.

The previous government published draft digital identity system legislation in late 2021 that would help stimulate the debate needed on this subject, but the incoming government hasn’t progressed it yet. Perhaps this incident will provide the encouragement needed to take on this thorny subject and find a way forward that could genuinely stop a repeat.