Key Points
- The attorney-general said companies should not need to keep customers' 100 points of ID on file after checking them.
- He said he would look at reforms to the privacy act and increasing penalties following the Optus data breach.
Attorney-General Mark Dreyfus says he believes companies should not need to keep customers' identification on file after checking it, and has indicated he is seeking to implement reforms to the Privacy Act.
The comments were made following an Optus data breach that resulted in hackers accessing millions of customers' personal information dating back to 2017.
"We will be having a look at whether or not companies should be permitted to go on keeping data when the purpose of collecting it in the first place might have been no more than establishing someone's identity," Mr Dreyfus told reporters on Thursday morning.
"We are all familiar with this 100-point identity check; if a company says 'we need to see your driver's licence' or 'we need to see your passport number' that is for the purpose of establishing that you are who you say you are but that should be the end - one might think - of the company keeping all that data."
In the wake of the data breach, states and territories around Australia are allowing victims of the breach to replace their driver's licences, while discussions are continuing around compromised passports and Medicare numbers.
What is the 100-point identification check?
The 100-point check was introduced by the Australian government to combat fraud and came into effect in 1988.
It requires anyone opening a bank account to provide documents proving their identity, with points allocated to each type of document.
Passports, birth certificates and citizenship certificates are worth 70 points, a driver's licence is among the identification types worth 40 points, and other forms are worth 35 and 25 points.
Attorney-General Mark Dreyfus says he's looking into whether reforms to the Privacy Act could be made in the year's remaining parliamentary sitting weeks. Source: AAP / Mick Tsikas
"They don't seem to me to have a valid reason for saying: 'We need to keep that for the next decade'," he said.
"Obviously, the more data that's kept, the bigger the problem there is about keeping it safe, the bigger the problem there is about the potential damage that's going to be done by a huge hack that's occurred here."
Mr Dreyfus said Australians need to be assured that when their data is asked for by a private company or by the government, it will only be used for the purpose for which it has been collected.
"We need to get in place something that [encourages] companies to dispose of data safely, to not keep data when they no longer have a purpose for it," he said.
"For too long we have had companies solely looking at data as an asset they can use commercially ... we need to have them appreciate very, very firmly that Australians' personal information belongs to Australians, it's not to be misused, it absolutely has to be protected and if the Privacy Act is not getting us those outcomes then we need to look at reforms to the Privacy Act."
Mr Dreyfus said he was looking into whether reforms to the Privacy Act could be made in the year's remaining parliamentary sitting weeks.
GOMO and Virgin Mobile customers impacted by breach
In addition to current and former Optus customers, the range of people impacted by the breach has grown to include customers of Optus subsidiaries.
Some customers of GOMO, a budget mobile service operated by Optus, have received emails informing them some of their personal information has been disclosed.
"It is important to know that Optus' network and GOMO services aren’t affected, and no passwords were compromised, so our services remain safe to use and operate as per normal," GOMO wrote in an email to a customer.
"Upon discovering the cyberattack, we immediately took action to shut it down to protect your information. Our priority is our customers – so while our investigation is not yet complete, we wanted you to be aware of what has happened so that you can be extra vigilant at this time."
Former customers of Virgin Mobile, another low-cost subsidiary previously operated by Optus which closed in 2020, have reportedly received similar messages.
What can hackers do with your Medicare number?
On Wednesday night, Optus confirmed almost 15,000 active Medicare details had been accessed in the data breach.
Services Australia is reassuring affected customers their Medicare details cannot be accessed by using just the Medicare card number.
Those concerned or affected can replace their Medicare card online through myGov, which will create a new card with the same number apart from the final digit.
"We’ll send you a new Medicare card, and your old card will no longer be valid," Services Australia said on their website.
"This will prevent people from being able to use the old card details for fraud."
If your Medicare or Centrelink account has been compromised, you can call Services Australia's Scams and Identity Theft Help Desk on 1800 941 126.
There is no cost for replacing your Medicare card.
Government and banks working to minimise risk
Financial Services Minister Stephen Jones says the government is continuing to work with financial institutions to mitigate the potential impacts of the data breach.
He addressed the media following a meeting of consumers, banks, key regulators and the Australian Competition and Consumer Commission.
"It really is hard to overestimate the impact and the extent to which this is affecting Australians and Australian households; over 40 per cent of Australians are impacted by the Optus breach, either directly or indirectly," he said.
"I was talking to one of the consumer ID repair organisations today; they've received 11,500 calls from Optus customers over the last three days. To put that into context, that's about a month's worth of complaints in a three-day period."
Mr Jones said scammers were already taking advantage of vulnerable customers following the data breach, and were attempting to impersonate Optus, licence providers and government agencies.
He urged Australians to remain vigilant, and reminded affected customers to contact their banks and not click on any suspicious links.
Mr Jones said the government was exploring a range of options to facilitate communications between Optus and banks but reiterated that the telco had "stuffed up".
"Overwhelmingly, this is Optus' mistake, this is Optus' stuff-up and it's up to Optus to rectify the customers and ... ensure any cost arising out of this is compensated by Optus and not the government," he said.
"There's a lot of things that Optus should have done better, starting with keeping the data secure in the first place."
"Our number one focus is dealing with the problems we have in front of us. There will be plenty of time once we've got through the emergency to look back and say: 'What has Optus done wrong, what could other agencies have done better, and how do we ensure not to have this kind of event in the future?'"
Do you need to change your electoral details?
The Australian Electoral Commission says customers affected by the Optus data breach who have changed their licence or passport details don't need to update their electoral enrolment.
The customers will still be enrolled for state, territory, and council elections, according to the AEC.
Fears of long impact from Optus breach
Australia's privacy commissioner has fired a warning shot over the bow of organisations holding personal data, as the federal government warned the fallout from the Optus cyberattack will be felt for a long time.
The Office of the Australian Information Commissioner is probing Optus' compliance with data breach requirements after unknown hackers stole the information of about 10 million people, exposing them to the risk of identity theft and fraud.
"All organisations need to assess the risk a data breach poses to compromising their own customers' data and ensure additional safeguards are in place," Commissioner Angelene Falk said on Thursday.
The commissioner also raised concerns companies are holding on to personal data - like driver's licence, passport and Medicare details - they don't need to.
"They must take reasonable steps to destroy or de-identify the personal information they hold," she said.
"Collecting and storing unnecessary information breaches privacy and creates risk."