Government plan allowing Optus to share hacked user data with banks labelled a “red herring” by privacy advocates


Communications Minister Michelle Rowland. Source: Mick Tsikas / AAP Image

Telcos which lose sensitive customer information in data hacks could soon share relevant drivers licence, Medicare and passport numbers with the big banks, a move which some privacy advocates describe as an unhelpful response to growing cybersecurity threats.

In a joint statement, Treasurer Jim Chalmers and Communications Minister Michelle Rowland on Thursday said the federal government will recommend the Governor-General rubber stamp changes to telecommunications regulation enabling further data-sharing between phone and internet providers and financial institutions.

Backdropped by the recent Optus data breach, which exposed 2.1 million government ID numbers, Chalmers and Rowland said changes to the Telecommunications Regulations 2021 would allow impacted telcos to temporarily hand over those details to the banks.

The proposed changes will allow financial entities under APRA regulation to “implement enhanced monitoring and safeguards for customers affected by the data breach”, they said.

The amendment would only exclude foreign banks from accessing Australian government ID data, and participating financial institutions would only be allowed to use those details for “preventing or responding to cyber security incidents, fraud, scam activity or identity theft”.

Any entity requesting temporary data access must comply with the Privacy Act, prove they have sufficient data security systems themselves, and destroy those numbers when no longer required, the statement added.

“This will enable Optus, the financial services sector and relevant agencies to work together more effectively, to implement enhanced monitoring and safeguards to protect customers affected by the breach,” Rowland said.

The Optus hack has grown into one of Australia’s most significant data breaches, exposing the government ID numbers, along with names, addresses, and birthdays, of millions of individuals and small business owners.

In light of the breach, major banks have urged Optus users to remain vigilant and report any suspicious activity. Optus has also offered free subscriptions to identity protection services from Equifax.

While the federal government says the amendments will make it easier and faster for telcos and financial institutions to crack down on identity fraud, some privacy advocates fear data-sharing amendments will not enhance consumer protections.

In a Thursday blog post, Anna Johnston, founder of Salinger Privacy and former deputy privacy commissioner for NSW, said: “While ideas like a right to erasure or ‘tell the banks about victims’ might sound great in theory, they won’t deliver actual improvements.”

While the government’s proposed tweaks centre on telecommunications regulation, Johnston said legislative reforms, including those impacting the Privacy Act, “allowing — or even compelling — more data sharing won’t help”.

Any system requiring Optus and the banks to cross-reference users would be too time-consuming to be effective, she said.

“By the time that is sorted out such that the banks (and all the rest) know who were the Optus customers they need to ‘protect’, the organised criminals will have already had a field day.”

The caveat that banks must delete Optus customer data after using it for anti-fraud purposes masks a bigger problem with data retention in Australia, Johnston added.

“What we need is a tougher standard in relation to data retention, which sets a retention period with reference to the original purpose of collection, and then compels proactive data deletion for all customers, instead of a reactive ‘right’ for the very few who have the energy to exercise it,” she said.

And the federal government’s push for banks to affirm they will follow confidentiality guidelines provides little comfort to privacy advocates.

“How do written commitments to comply with a law (that they already have to comply with, as did Optus) add any value?” Johnston asked in response to the joint announcement.

“If one of these institutions then fails to secure the data, or keeps it too long, or misuses it, then what?”

Samantha Floreani, program lead at online privacy advocacy group Digital Rights Watch, had a more succinct response.

“This is a red herring,” she said.

With broader privacy reforms on the cards, including Minister for Cyber Security Clare O’Neil’s push for a significant overhaul, advocates say lawmakers should instead impose stricter limits on data collection, usage, and storage, with greater fines for those who breach the rules.

Small businesses must not be left behind in any broad-scale reforms either, Johnston said, reflecting on concerns that new rules requiring businesses with less than $3 million in turnover to report breaches to the privacy commissioner could place an onerous burden on SMEs without significant IT resources at their disposal.

“Bring small businesses into the fold,” Johnston said.

“Turnover is not an indicator of the level of privacy risk posed by a business. But small businesses will need a helping hand from the regulator in order to get up to speed.”
