Optus data breach prompts pincer movement of twin regulatory probes
Data retention requirements to be considered alongside infosec failings
Australian carrier Optus's recent data breach will be investigated by two regulators, the double trouble likely an indicator of the nation's displeasure at the incident – which saw almost ten million locals' personal data exposed online.
One of the probes will be conducted by the Australian Communications and Media Authority (ACMA), which will ponder "obligations relating to the acquisition, authentication, retention, disposal and protection of personal information, and requirements to provide fraud mitigation protections." The Authority's chair, Nerida O'Loughlin, said "A key focus for the ACMA will be Optus's compliance with these obligations."
The other probe will be conducted by the Office of the Australian Information Commissioner (OAIC) and will focus squarely on Optus.
"The OAIC's investigation will focus on whether the Optus companies took reasonable steps to protect the personal information they held from misuse, interference, loss, unauthorized access, modification or disclosure, and whether the information collected and retained was necessary to carry out their business," states the Commissioner's announcement of the probe.
"The investigation will also consider whether the Optus companies took reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy principles (APPs), including enabling them to deal with related inquiries or complaints," the announcement states.
The two organizations also announced they will co-ordinate their work.
- Singtel confirms digital burglary at Dialog subsidiary
- Australian Federal Police arrest man suspected of exploiting Optus cyberattack
- Australia asks FBI to help find attacker who stole data from millions of users
- Significant customer data exposed in attack on Australian telco
Both announcements also hint at a wider probe because Australian carriers are required to collect plenty of personal data to assist with legal investigations. The data exposed in this breach appears to have been captured in line with obligations to verify the identity of telecommunications services customers – a measure aimed at preventing fraud and making it harder for criminals to acquire and use comms services anonymously.
Carriers have no obligation to dispose of information collected during that process. Many Australians are now wondering why carriers aren't obliged to do so, and why they need to collect so much personal information to verify users' identities.
Identity as a service is therefore now being discussed down under, with a third party repository of data suggested as a better alternative to individual businesses recording and storing details of personal documents.
ID as a service is already offered by nations such as India, where the Aadhaar scheme processes billions of transactions each month. Aadhaar, however, has also been contentious as the colossal data trove it tends has been the target of attacks and leaks on a scale orders of magnitude greater than the Optus incident.
Optus is yet to comment on the investigations. ®