Ace Daily News

AUSTRALIA OPTUS UPDATE REPORT: Questions on ‘Private Data’ Held After Customers Were No Longer Subscribers


#AceNewsRoom With ‘Kindness & Wisdom’ Oct.02: 2022 @acenewsservices

Ace News Room Cutting Floor 02/10/2022


#AceNewsDesk – Past Optus customers have had their data exposed — why did the company still have it?

Past customers caught up in the Optus data breach are questioning why the company was still holding their data. (Getty Images: Budrul Chukrut/SOPA Images/LightRocket)

When Paul Weiss first heard about the Optus data breach, he wasn’t sure if his data was at risk.

The Melbourne man couldn’t recall if he had been a customer within the six-year window of potentially affected customers described by Optus chief executive Kelly Bayer Rosmarin.

But then he checked his records: he’d held an account with the telco for a few months back in 2018, and sure enough, he got an email last Saturday warning that his personal information had been exposed.

A week on, he still doesn’t understand why the company needed to hold onto his details for four years.

“If there’s a legal reason … then I can’t fight that,” he said.

“I think it’s got to make sense and have a good reason.”

Mr Weiss is one of many Australians questioning why Optus was still holding on to their information long after they stopped being a subscriber.

After the breach was disclosed, Ms Rosmarin said the company was legally required to keep customer data from at least 2017.

In response to repeated requests for additional information, the company said only that it was “mindful of, and complies with, its obligations in line with the Telecommunications, Privacy and Corporations Acts”.

Confusion about six years of data storage

Telecommunication regulation and privacy experts have also tried to get to the bottom of how long data must legally be kept.

James North, head of technology, media and telecommunications at law firm Corrs Chambers Westgarth, told the ABC he didn’t recognise the six-year term referenced by the Optus boss.

However, there are data retention obligations telcos must comply with.

When a customer buys a prepaid mobile service, for example, companies are required to check ID and verify that person is who they say they are.

That’s to prevent prepaid mobile phones being used for criminal purposes, Mr North said, and enable law enforcement agencies to identify the owners of phones.

That identity check can use a range of documents, including drivers licences, passports and Medicare cards.

Then under the Telecommunication Interception and Access Act (TIA Act) — part of Australia’s metadata laws — the company is also required to retain subscriber information for a minimum period of the life of the account plus two years after closure.

That includes name and address information, but also “any other information for identification purposes” and “documents” related to that subscriber.

Laws that allow agencies such as the Australian Federal Police to access phone metadata have come under scrutiny following the Optus data breach. (AAP)

Mr North said these provisions could be interpreted as requiring companies to keep a record of the documents they used to verify the subscriber’s identity — like a passport number.

Telecommunication regulator ACMA declined an interview with the ABC about data storage rules for Australian telcos. 

A spokesperson said the Optus data breach was “an evolving situation”.

“The ACMA requires further information from Optus to determine whether this data breach raises questions about compliance with telco-specific obligations,” he said in a statement.

“The ACMA will make public its determinations once made.”

Storing data, and protecting it

While companies are required to keep some amount of data by law, they’re also instructed to keep it safe.

Rob Nicholls, an associate professor of regulation and governance at UNSW Business School, said that under metadata retention rules, companies must keep what they’re storing protected and encrypted.

But there does tend “to be a conservative approach to deletion of data” in some companies, Dr Nicholls said.

“Unless there is a good document retention program in place, there is a risk of keeping documents unnecessarily.”

Australia’s privacy rules also apply. Companies must “take reasonable steps to destroy or de-identify” personal information once it’s no longer needed or when there is no further legal obligation to hold it.

But whether this obligation is enforced by the privacy regulator is another question, Corrs’ Mr North suggested.

“Companies deleting data when the lawful purpose of that data has been served is an area that deserves more focus,” he said.

“Based on my anecdotal views, that’s an area that companies don’t pay enough attention to.”

The privacy regulator, the Office of the Australian Information Commissioner, has not said whether it is considering an investigation of Optus’ data handling practices, stating that its focus remained on supporting affected customers.

Backlash to data retention rules

Following the Optus data breach, the government has been vocal about the lack of stiff penalties for companies found mishandling sensitive information about Australians.

Attorney-General Mark Dreyfus told media this week there didn’t seem to be “a valid reason” for companies that perform ID checks using passports and driver’s licences to hold onto that information long term.

“Obviously the more data that’s kept, the bigger the problem there is about keeping it safe,” he said.

Attorney-General Mark Dreyfus has questioned whether Australian companies need to be storing extensive ID data about Australians. (AAP: Mick Tsikas)

Some critics have also pushed for the government to revisit laws that require extensive data storage — such as Australia’s metadata laws — which were introduced in the name of national security.

Greens Senator David Shoebridge said the push to store more data without checks and balances to protect it was “a disaster waiting to happen”.

“It’s tragically ironic that laws that were pushed through parliament allegedly to keep us safer have created these deep pools of data that are such a risk to our privacy and online integrity.

“What’s happened with Optus is our worst fears come true.”

According to the federal government, Optus has failed to hand over the data it requested.

Federal government calls on Optus to ‘step up’ handling of cyber-attack, says telco has yet to provide critical information

The cyber attack occurred almost a fortnight ago, with the names, birthdates, phone numbers, healthcare and passport details of up to 9.8 million Australians potentially compromised.

The federal government has called on Optus to “step up” its handling of the major data breach, saying it still has not provided government agencies with critical information about customers who had their Medicare or Centrelink details exposed.

Government Services Minister Bill Shorten said Services Australia wrote to Optus on September 27, asking for the full details of all affected customers whose Medicare and Centrelink details were leaked.

But he said in the five days since that request, Optus has failed to hand over that data to the government.

“The drawbridge needs to come down,” he said.

“We know that Optus is trying to do what they can, but having said that, it’s not enough.

“It’s been 11 days since the breach — it is peculiar that we still can’t identify who for example used their Medicare information — their number — to be able to get identification.”

The government said Services Australia would use the information to place additional security measures on the records of affected customers.

“We need this not tomorrow or the next day, we really needed it days ago,” Mr Shorten said.

“We want to protect Australians’ information that’s held by government, we want to prevent further fraud and we seek Optus to step up its communication and transparency with government.”

Cyber Security Minister Clare O’Neil also criticised Optus for contacting the 10,200 people whose data was leaked online only by email.

“It is crucial everyone who has been affected by this breach is properly notified of that,” she said.

“An email is simply not sufficient under these circumstances,” she said.

In a statement, Optus said the company was working “very closely” with federal, state and territory agencies to “determine which customers are required to take any action”.

“We continue to seek further advice on the status of customers whose details have since expired,” Optus said.

“Once we receive that information, we can notify those customers.

“We continue to work constructively with governments and their various authorities to reduce the impact on our customers.”

Coalition’s critical infrastructure laws ‘useless’

Ms O’Neil, who is also home affairs minister, also criticised the former Coalition government’s 2018 laws designed to protect critical infrastructure.

“The instructions on the label told me that these laws were going to provide me with all of the powers that I would need in a cyber security emergency incident, to make sure we can repair the damage,” she said.

“I can tell you those laws were absolutely useless to me when the Optus matter came on foot.

“We do not have the right laws in this country to manage cyber security emergency incidents, and this is something we are going to need to look at.”

Shadow Cyber Security Minister James Paterson said the Coalition was open to discussing changes to both those laws and telecommunications security legislation.

“If the government believes that new evidence has come forward during the Optus attack and that changes to either of those acts is necessary to make them even stronger, well the opposition will be very constructive and bipartisan about that of course,” he told Sky News.

“We’ll support any sensible changes that the government brings forward.”

Earlier, Attorney-General Mark Dreyfus told the ABC’s Insiders he would review Australia’s privacy laws to stop companies retaining a large amount of personal data for a long time.

“Companies throughout Australia should stop regarding all of this personal data of Australians as an asset for them, they actually should think of it as a liability,” he said.

“This is a wakeup call.”

Senator Paterson said while he believed Optus would be up for millions of dollars of fines under the Privacy Act, the Opposition would also be open to increased fines for breaches.

“We do want to make sure that major companies in Australia are taking this very seriously because they do have a very important responsibility to their customers,” he told Sky News.

#AceNewsDesk report. Published: Oct.02: 2022


By ace101
