Years ago, hotels and currency exchanges when traveling abroad would simply look at your passport, and maybe write down some info by hand. Then they started photocopying the passport. And now they scan it. Full-color, high-resolution scan.

I dislike this intensely. All kinds of random places are keeping hi-res scans of documents that are perfect for identity theft and fraud. I've tried suggesting that *looking* at the passport should be sufficient to verify my identity -- they don't need to make a copy of it -- but I've had no luck.

Has anyone had success at pushing back on this? Are there laws in any country that say that you can't take photocopies or scans of customers' passports?
An interesting twist here is that after being criticised for storing all this sensitive data even years after customers left, Optus has pointed out that they are required to do so by data retention laws the government itself created.

If you accept that perfect security is impossible (everyone should), then anybody creating data retention laws (i.e. the government) really has to also assume some level of responsibility for the risk that the data is going to leak.
I'm furious about this data breach. I think our laws need to be updated to make sloppy security an existential threat to businesses. Optus should be fined by the Australian government within an inch of their life. It's not OK to profit from sloppy security work and then leave regular people to pick up the tab when it goes wrong.

And we need to put other companies with terrible security on notice. I think the only way big companies will move is by making their executive team sweat money.

That's how it works everywhere else in the economy - if your negligence causes harm, you're liable. Serve bad food in a restaurant? Sued. Sell sporting equipment which causes injury? Sued. Misrepresent yourself? Sued, and potential criminal charges. Medical malpractice? Sued. But somehow, if your sloppy software causes harm, that's OK? What rubbish. Security malpractice should bear the same punishment as everything else.

Maybe the price of paid software will go up. That's fine. Maybe there aren't enough qualified security engineers. Also fine.

If you don't have the expertise to manufacture a safe car, we've decided you can't enter the car business at all. Likewise, if you don't have the technical skill to keep my data secure, you have no business storing my data at all.
Affected Optus customer here (received an email indicating I was impacted). They never had my passport details (there have been some links going around that, when logged in, show the payload of your PI involved in the breach), but they certainly have my name, address, phone number and driver's licence number in the data.

Fortunately we're able (in South Australia) to get our driver's licences changed over free of charge if impacted, which I'll do, but now that's something else I need to get around to doing... I wonder how many of these costs will be forwarded on to Optus on behalf of the government.
With luck, this may be the precedent the world needs to shake up lax privacy everywhere.

If the Australian Government actually goes through with its threat to make Optus pay millions to cover the cost of the damage its lax security has caused, then the idea may catch on elsewhere.

It seems to me that, at the risk of going bankrupt over a breach of its customers' privacy, a company would want to divest itself of as much information about its customers as was possible.

Wouldn't it be great if that were to happen?
I find it amusing that in some countries those numbers are treated as secret. In mine, all that information is public; you can even look up somebody by name or ID on a government website.
For anyone interested in Data Erasure requests.
I've been using the service Mine [1] lately. It scans your mailbox to identify and prioritise businesses that you've dealt with who likely hold financial and other personally identifiable information on you.

You can then select the businesses you would like to forget about you, and Mine will send pre-written emails on your behalf and monitor for replies.

The experience has been enlightening. This is what I've found after sending 50-ish requests:

- A small number of businesses already have a process in place to deal with such requests and action them immediately without further correspondence

- Others ask that you fill in a form (PDF or web) to start the process

- A large number won't get back to you for around a week or two, and eventual responses appear to be written by a person

- A small number tell you they can delete some data but not all, e.g. Compare the Market. In the past I've used Compare the Market to purchase insurance products; that sale is linked to my personal details and so they cannot delete it. I'm not sure why this is the case. Maybe there are compliance reasons, but it is a little worrying that these middle-man companies that live on commission either can't or won't erase my data.

The big one that's been mentioned in other HN threads on this is car rental companies. I made it a priority to deal with them first. They have all manner of sensitive information, and their size, tenure and CX don't instill me with confidence.

[1] https://www.saymine.com/
Let us all be reminded of Optus' security hubris:

> "Optus is not aware of any security events which would warrant revisiting the security obligations imposed on regulated entities," the telco's submission stated.

> Despite concerns that data retention could create a 'honey pot' for hackers, telcos already had in place security measures to protect customer data they already retained for commercial purposes, the department argued.

> "Given this, it did not follow that the proposed data retention scheme presented an unmanageable level of risk to customer privacy," its submission stated. "The evidence to date supports that the existing data security arrangements have been effective."

https://www.computerworld.com/article/3458462/data-retention-government-gave-optus-exemption-from-encrypting-metadata.html
I wish governments would heavily penalise companies that don't take data security seriously. The threat of heavy fines is the *only* thing that will make large corporations do the right thing.
> Foreign Affairs Minister Penny Wong has asked Optus to cover passport application fees for anyone caught up in last week's massive data breach, which affected millions of Australians.

I wonder if this is actually intended to be an "ask", or if this is polite language for "we will legally compel them to".

> Passport numbers are among the personal details accessed in what the federal government has described as a "basic hack".

> Optus says the data breach was due to a "sophisticated" operation.

It would be good to know more details of the hack itself.
Since when are passport numbers secret? If that's real, that's totally new to me.

In Israel you use your ID number, if a citizen, or passport number if not, in *tons* of transactions (as a citizen it somehow flows to your yearly taxes, not sure exactly); even stuff as mundane as getting gas needs an ID number.

If passport numbers are meant to be secret, I suspect a lot of people are in for a rude surprise.
The government, which makes laws all the time to cover every single tiny aspect of everyone's lives, is asking Optus nicely.

What more could they possibly do?
Actual liability for data breaches? Color me impressed.

When the data companies want on you becomes a liability in case of data breaches, one of two things will happen:

1. They'll drastically improve their security.

2. They'll stop asking for a lot of data just because they think they might use it later or because they want to sell it to others.