Why are data breaches such a big deal?
The Optus data breach highlights the potentially devastating consequences of cyber security incidents to both business and customers. This is a timely reminder about the importance of focusing on what data you collect and why, as well as properly protecting it. Read on to find out more.
What happened at Optus?
On 22 September 2022 Optus announced that it was subject to a major cyber-attack. The personal information of approximately 9.8 million current and previous Optus customers was compromised. Optus customers impacted by the breach are still in the dark about who has access to their personal information and how it may be used.
The large number of individuals impacted by the breach and the way it has been handled by Optus has served to distract from the sensitive nature of the personal information that was compromised.
While an individual’s first and last name is likely to be in the public domain already, whether on social media or through work-related information, most people choose to keep certain information about themselves private, for example government identifiers such as passports, drivers’ licences and Medicare numbers.
The type of personal information exposed by the Optus breach includes government identifiers.
Government identifiers are highly valuable when it comes to identity theft and have the potential to cause even greater harm if made public.
What is special about government identifiers?
Government identifiers are subject to specific protection under the Privacy Act 1998 (Cth) (Privacy Act) and the Australian Privacy Principles (APP) within the Act give guidance on how organisations are to comply. APP 9 restricts how organisations collect and use government identifiers. Under the Privacy Act you may only collect, use, or disclose a government identifier where reasonably necessary to verify the identity of an individual.
It will not be considered reasonably necessary to collect a government identifier if:
- you can carry on your business without needing to verify someone’s identity; or
- there are other practical verification steps you can take without using government identifiers.
For example, you may be able to confirm that the information a person has given you is correct by verifying their phone number or email address, rather than collecting a government identifier, which is a more sensitive type of information.
Even if it is reasonable for you to use government identifiers for verification purposes, you must only keep the information for as long as you need to verify the person’s identity, unless you are required by law to retain the information for longer.
APP 11 requires you to destroy personal information when you no longer need it for the purposes you collected it.
If you only require government identifiers to verify someone’s identity, then you should not hold on to that information after you have verified their identity. The longer you hold onto information, the more risk there is of it being compromised in a data breach.
Government Identifiers in the wrong hands
Some businesses are required by law to obtain 100 points of identification to satisfy themselves that a person’s identity has been properly verified, for example to open a bank account or apply for credit. The 100-point system is designed to prevent fraud because it assumes that only the person applying has the documents needed to verify their own identity.
Unfortunately, when someone else has access to the same information, it does not prevent a fraudster from getting past the verification stage to open an account.
Risk to customers – Identity Theft
In the wrong hands, personal information can be used to commit identity theft and fraud. It can be used to impersonate an individual online, with serious consequences, by:
- changing access to online accounts;
- creating different online accounts;
- opening bank accounts; or
- applying for credit.
Identity theft can lead to financial loss, reputational damage as well as emotional and psychological harm caused by the stress of having one’s identity stolen.
Damage to business
The recent Optus experience also acts as a warning about the financial loss business may suffer following a data breach.
Experts estimate the data breach will cost Optus millions of dollars in penalties, payouts, and management costs. Optus has agreed to pay for the replacement of licences and passports for those affected. Optus has incurred significant costs in its attempt to mitigate the damage to customers, such as providing affected individuals with credit monitoring services to help protect against fraud.
Reports already indicate that Optus is losing customers to its competitors following the breach, with some consumers looking to get out of current contracts with Optus as they no longer trust the company to keep their personal information safe. Shares in Optus’ parent company Singtel have been trading lower since the Optus data breach.
This damage reflects the risks all businesses face if the data they hold is exposed in a data breach.
Takeaways for your business
When it comes to data protection, prevention is key. Here are just some of the steps you can take to protect your business and your reputation:
- implement a Cyber Resilience Framework to make your business more alert to breaches and more resilient when they occur;
- see our Step by Step Guide to Managing Notifiable Data Breaches to put a plan in place to minimise harm and comply with any reporting obligations if things do go wrong;
- do a formal Privacy Impact Assessment – use this to critically assess the data you collect and hold and whether you need to keep it;
- look at whether you hold onto sensitive data such as government identifiers as these put your business and your customers at a greater risk of harm; and
- consider alternative and innovative approaches to verifying identity. Collecting government identifiers is not the only way to verify someone’s identity – you may be able to verify an individual’s identity through a legitimate third party.
At Sainty Law we can help you to assess your organisation and build foundations for good privacy governance to minimise the risk of data breaches. We can run a Privacy Impact Assessment to help you understand your data collection practices and support you in managing any data breaches.
Please get in touch via the contact page to find out more.