Optus Continues to Save Customer Security Information

speedyjonzalas on 19/10/2022 - 13:06

Just been chatting with optus about upgrading to the half price s22 deal and they wanted to go through the usual ID checks. I explained that I had to lock my credit file and get a new licence due to their incompetence so didn't have the new licence on hand yet.

I then asked if they would store my licence after it was provided and they said they would which seems absurd considering what they have just done to their customers.

After I asked for more info the operator quickly disappeared and moves me onto the chatbot that talks about the breach….

I was on the fence about cancelling as I have three plans with them but this now seals the deal and I will be moving everything away from them.

Mobile

Related Stores

Optus
Optus

Comments

  • [Deactivated] on 19/10/2022 - 13:11
    +17

    i suspect they all store the information, optus were just the unlucky ones to get caught with their pants down. you are no safer with telstra, vodafone etc.

    • mskeggs on 19/10/2022 - 17:21
      +1

      This is true, but you can bet TPG/Telstra and the resellers will be looking closely at their own systems now.

  • Hybroid on 19/10/2022 - 13:13
    +13

    Of course they will continue to save the data. Some of it they probably have to legally.

    That wasn't in question, what was is how they secured that data.

    • AndyC1 on 19/10/2022 - 13:38
      +1

      You forgot that they also kept the data for longer than legally required.

    • Montyjpm on 19/10/2022 - 14:44
      +1

      Phone handsets do not need ID but the sim card does.

      • AndyC1 on 20/10/2022 - 09:54

        Only if you buy them outright and not on a payment plan/scheme or what ever Optus call it.

  • tonsta on 19/10/2022 - 13:15

    Whats the alternative? so all ID should be removed so you cannot be ID by optus if any issues arise? banks should do the same so you can walk in and say you are Malcolm Turnbull clear out the account?

    Not sure how moving your patronage due to a cyber attack is going to help your situation? Every company is in the same boat at the moment, just Optus got the wrong end of the stick for now.

    • speedyjonzalas on 19/10/2022 - 13:19
      -3

      I would say the alternative is not saving key information that can be used for credit applications. A simple system that all groups used whereby the ID check is a point in time check and the info then deleted.

      Considering that it takes about 1 minute to take a photo of ID to upload it, there really shouldnt be a problem with providing it every time you pay for a new contract.

      • iDroid on 19/10/2022 - 13:21
        +1

        That's not how it works.

      • tonsta on 19/10/2022 - 13:25
        +1

        How is that different to whats happening now? someone is still holding the data.

      • Quantumcat on 19/10/2022 - 14:57
        +2

        Not sure why people are negging, as long as the ID is valid at the time the contract is taken out there no reason to store it. If the ID stops being valid partway through the contract they aren't going to cancel your contract, so why keep it? If they really need to keep it to prove later that the check was valid, what they could do instead is only keep a hash of the license number, then the person wanting the proof can check the hash matches the license number, which shows it matches what was checked when the contract was started (and that they aren't just handing out contracts to anybody or to fake people). If a hacker gets the hash it can't be turned back into a valid license number and is useless to them for identity theft purposes.

        • Quantumcat on 19/10/2022 - 16:20
          +1

          Whoever negged, please state a reason (maybe I'll learn something)

      • bobbified on 19/10/2022 - 15:39

        ….whereby the ID check is a point in time check and the info then deleted.

        What if, say six months later, someone comes in to dispute that they even opened the account? That person could easily be you if someone else had used your information to open the account. If they don't store anything, how are they going to investigate?

        • Quantumcat on 19/10/2022 - 16:08
          +2

          You provide your license number, they check it against the hash. If it matches, that means you gave them the number.

          • bobbified on 19/10/2022 - 16:27

            @Quantumcat: The licence is just one form of ID.
            Someone could supply a falsified copy of say, a Birth or Marriage Certificate and bank statements as part of their 100 point check. The ID checks might come back clear at the time. The company probably wouldn't know they're falsified documents until someone comes to dispute it. But if those docs get deleted immediately after the ID process, the company will lose out and the person who the documents really belong to will have a hard time proving anything.

            • Quantumcat on 19/10/2022 - 16:43

              @bobbified: They could either not allow those documents to be used (they can be used to get a proof of age card, if you don't have a license and don't want a passport), or just store these documents. There's no need to store license numbers, proof of age card numbers, or passport numbers.

            • mskeggs on 19/10/2022 - 17:26
              +1

              @bobbified: If a valid ID was supplied and verified, it doesn’t need to be stored. Storing the ID doesn’t give Optus some additional ability to enforce contracts.
              If somebody is acting fraudulently, storing a JPG of their birth certificate doesn’t resolve it.

          • AndyC1 on 20/10/2022 - 09:54

            @Quantumcat: Optus would ASSume a hash is for smokin.

    • Montyjpm on 19/10/2022 - 14:47

      I don't think you can compare the way Optus protected its customers to the bank. Banking regulations and internal security must be up to a certain standard. They even use Web/Email and other endpoint on their computers to catch out insider crime.

    • kipps on 20/10/2022 - 19:05

      All ID should be encrypted with a public key of a particular department for which the private key isn’t accessible except by the telco’s fraud team. That would have stopped the ID data getting leaked and it’s difficult to see how that could be said to be too much effort for the telco by way of compliance. These problems have simple solutions, yet because it’s technical a lot of people just think it’s in the too hard basket.

  • iDroid on 19/10/2022 - 13:19
    +2

    Any changes to their data storage strategies is going to take time. You can't instantly delete all your data and continue business.

    You need to be realistic.

    • tonsta on 19/10/2022 - 13:27
      +2

      I can put $$ on it that OPTUS will have the most secure data handling systems going forward. They will learn from this.

      • garetz on 19/10/2022 - 14:26

        Never assume how incompetent Optus will be, cause they will always beat your expectations.

    • jv on 19/10/2022 - 14:58

      Any changes to their data storage strategies is going to take time

      It is a legal requirement at the moment.

  • jv on 19/10/2022 - 14:58
    +3

    they wanted to go through the usual ID checks.

    They are still required.

    My understanding is that the government now needs to change the law so that the information is not stored once the validation is done…

    • mskeggs on 19/10/2022 - 17:34
      +5

      Worth remembering the law didn’t require the data to be available on the Internet.
      Data archive obligations can be met very securely. Optus chose to make it simple to access the data from many systems, and did not manage the data after it was collected to store it securely when the initial processing was complete, instead storing it all as immediately available data exposed to the Internet.

      When they collected my driver’s licence and personal data they did not need to have it constantly available after my account was created, yet they architected their system to do so, so that any slip up like exposing an API meant all the data was available.

      An analogy would be keeping all your money, super, redraw, savings, piggy bank, investments in one account and writing the PIN number on a piece of paper in your wallet so you can quickly access it. All your security relies on not losing that one pice of paper.

  • Italkdigital on 19/10/2022 - 18:10
    +1

    Thanks OP interesting read 👍

Login or Join to leave a comment
Login Join