ClubNSW Data Breach of More than 1 Million Australians

Another day, another massive data breach caused by sloppy business practices that are sanctioned by the government.

When will this end? And what can anyone reasonably do in this situation?

IMO until the government enacts harsh penalties and prison time for executives where these things happen due to them breaking the law in terms of handling PII, nothing will change.

Related Stores

clubsnsw.com.au

Comments

  • +4

    The information should be held in a Government database and the company goes back to the Government to authorise a new user. There is no reason sensitive identity information should be held by the company.

    • +5

      It's not, it's held by randoms overseas apparently.

    • +3

      held in a Government database

      It is... you just didn't specify which country's government :)

  • +4

    Laws should restrict organisations from asking for too much data.

    • +2

      There needs to be stronger “data retention” laws that restrict what they can collect and how long they can keep it for…

      I recently quit a job over a police check they wanted done through a 3rd party provider (i.e. not the police force, ironically) and I needed to send them about 300 points of ID, they all needed to be scanned and I needed to have a selfie sent in of me holding these pieces of ID next to my face.

      Added to this, they said they have the right to hold this data indefinitely… and added to that, they said that they also have the right to sell this data to “national and international marketing companies…” Oh. Hell. No.

      This data breach is the exact reason why these clubs should not EVER be allowed to store this much information and store it for eternity.

      • +1

        name and shame

        a job that wants to sell its employees' data for marketing lol

        • The company that wanted all my data in exchange for a police check was “Experian”, yep, that credit check company… The employer that required the check and used such a company was, ironically, the NSW government…

      • +1

        Good on you for quitting that job for that reason. I would have done exactly the same thing.

  • +1

    Please explain "sanctioned by the government", and no contacting an ambulance-chasing lawyer.

    • +1

      Businesses keep getting away with slaps on the wrist because the laws are so lax in Aus with this stuff. Therefore it's essentially sanctioned by the gov because they (a) know it's happening and (b) do nothing about it.

      But hey, ClubNSW are in the pockets of the politicians anyway so nothing will happen.

      • +1

        So nothing to do with "sanctioned by the government", more like "government does not care".

  • +2

    There is a website that shows what data they say they have.

    Got a message from one of the clubs that they only have the details that were part of their data from before they amalgamated with another club group.

    This "historic data" was name, address, licence number and signature. That part may be true as it has an old address of mine from 3-4 years ago.

    However, the data on the haveibeenoutaboxed.com website also gives my DOB year, which isn't what the club is telling me they "lost".

    So there's obviously a lot more here to be worried about.

    • However, the data on the haveibeenoutaboxed.com website also gives my DOB year, which isn't what the club is telling me they "lost".

      So there's obviously a lot more here to be worried about.

      you're going to trust what the club tells you after this has happened? lol

  • +1

    Why isn't there some sort of law to say personal data like drivers licences etc can't be held by overseas companies?

    • Because laws are reactive and written by politicians, lawyers, and committees who have no real care (or simply NFI) about security, and only get passed if supported by lobbyists who work for commercial and political purposes, not the people. And only if it all looks good to voters from both sides. At the end of the day, almost any fix that might actually help would be far too complex to meet these criteria and be appreciated by individuals with this kind of expertise.

      But regardless, few, if any, laws just do not work on the Internet, because there are often conflicting laws in other countries, not to mention conflicting norms, ethics, social mores, morals - and criminal gangs, organised crime, state gangsters, extremely poor children (as well as highly skilled adults) doing anything they can to earn money however they fathom it possible… vandals, petty criminals vying to become organised crime syndicates. There are also vastly different perceptions and realities (such as endemic corruption), and for sure there is worse shit I haven't thought of.

      The gov can ban, censor and filter the Internet but only partially, and all that shit will remain out there and still attack 24x7. You just won't be able to see it without breaking laws they create to administrate the blanket restrictions and surveillance they will need to do (a fraction of) half a job.

      The problem is trust, and this is why the government cannot establish the fix. Even if we could trust the governments we elect, let alone some, they will not set it up in any way that allows us to hold them accountable for failures, or even manage such controls transparently.

      And they sure as shit won't be able to set it up to effective methods, systems, or even processes, or maintain them well enough to be effective/even touch the sides. All they will do is restrict and worse, blame/attack citizens instead of the real culprits. And in the process of doing that, the worst danger is they will keep sweeping all evidence of the attacks and carnage that continues under every rug from here to Uranus, to keep the justification that they are 'keeping you safe' from getting undermined.

      • Nice one, couldn't have said it any better myself.

        Just corrupt gubmint no matter what colour of politicians are elected, not to mention not giving two sh1ts about their constituents. They're just there to make as much tax free money for themselves and their big business mates and yes, just like you said "they will not set it up in any way that allows us to hold them accountable for failures, or even manage such controls transparently."

        Crooks, all of them.

  • Given that a 46 year old from Fairfield has been arrested, either he is a very bad hacker, or it's an inside job.

    • +3

      Turns out it may be an inside job. The company responsible for the system, Outabox, stiffed their workers in Vietnam and the Philippines out of their invoices.

      Apparently the access was “authorised” access and they were backing up data to unsecured cloud servers… So, when the workers didn’t get paid, they just leaked the data. There doesn’t appear to have been any real “hacking” done.

      I have a feeling it will come out that the owners of the company were told “pay your invoices that you owe, or else” and they played their “(fropanity) around” card and are currently in the “finding out” phase.

      • There doesn’t appear to have been any real “hacking” done.

        My leaked data being online doesn't care if it comes from a hack or a leak, it's out there. People keep going on about this distinction but it's a distraction at best.

  • ‘slot machine usage’
    Well, why were they keeping that?

    • +1

      Looks like they arrested the individual who set up the outaboxed site. If so, the media and the police are accusing him of publishing the personal information of patrons, when the site was only making a small subset of the data available by name search, enough for people to see if their data was leaked.

      If that data was treated in the way he (or the site) claimed, it is certainly already out there, and has been accessible for some years by numerous third parties in jurisdictions that effectively remove any practical controls over distribution of such private, confidential, or commercial data.

      If the individual is a whistleblower, as the site might indicate, the state may owe him a debt of gratitude. There is little other way to expose the kinds of practices that result from PII abuse and neglect - abuse that continues to be allowed when the state makes no practical effort to protect what citizens should be able to expect under a right to privacy.

      In reality, Oz allows systematic and wholesale (ab)use of PII for nearly any practical or commercial purpose under law. Worsening, ongoing impacts are the natural result. Given that every government department is busy abusing it/us too, there is likely no one, and nothing, that can stop it unless people could magically impress on their representatives that it is an issue of critical importance.

      For decades, we've avoided making any party liable for collecting PII data they don't need, let alone storing it for longer than is needed. And in the case of telcos, banks and NSW pubs, many of our elected representatives have been mandating insecure collection and retention of PII and government identifiers (something which is against the government's own 'privacy principles'). I reckon if you asked people about forcing IDs to be handed over in exchange for cold beer, they'd tell you it should be illegal!

  • +1

    Whelp, I’m on at least 3 of those clubs lists… guess I gotta wait now for the scams and spam to start rolling in…

    • +1

      The spam is the least of your worries dude.

      If they have both numbers on your licence then that can be used for identity theft because it will pass verification checks.

  • Penalties are a start, but the penalty of potential business closure is already a bit of a sting. That’s not to say I think that’s enough, and yes I’d like to see some criminal charges too. However, I’m just not really sure it makes much difference. Do executives take that much interest, or have that much technical know-how to enact change? I don’t think so.

    What I’d like to see more of are solutions. Government to design and provide identity APIs so that organisations can verify without seeing/recording your data. Provide tools and software to help identify data insecurity. Provide tools to patch up, protect, clear or erase data. Create guidelines for identifying customers without keeping unnecessary records.

    On that note; address and whittle down mandatory retention laws.

    I think an assistive approach will yield better results than a simple fine.

    • I think an assistive approach will yield better results than a simple fine.

      I agree, but the fines for not adhering to the laws and rules need to be so severe as to not even be in the realm of possibility that a business will think about cutting corners.

      Do executives take that much interest, or have that much technical know-how to enact change

      This is the biggest cop out I see about executives. Why do CEOs get paid SO MUCH when they seemingly have no responsibility, no accountability and can do nothing but get paid so much?

      They need to have an interest because if they don't, they don't just lose their job. That's the only way it'll change.
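The "identity API that verifies without seeing or recording your data" proposed above, sketched as an added Python example. This is editorial code written for this page, not anything ClubsNSW, Outabox or any government service provides. It assumes a hypothetical identity provider holding constructed records (made-up names, dates of birth and licence numbers), an HMAC key shared between provider and venue standing in for the provider's real signing keypair, and two derivable claims (`over_18`, `licence_on_record`) invented for illustration. The point it shows: the venue receives a signed yes/no answer and a venue-specific pseudonym, keeps only that in its entry log, is refused when it asks for the raw date of birth, and detects a tampered assertion.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed sample records held ONLY by the identity provider.
# All values are made up for this demo and belong to no real person.
IDP_RECORDS = {
    "ref-7f3a": {"name": "A. Example", "dob": date(1990, 3, 14), "licence_no": "00000001",
                 "card_no": "C0000001", "address": "1 Example St, Exampleville NSW"},
    "ref-9c21": {"name": "B. Example", "dob": date(2008, 11, 2), "licence_no": "00000002",
                 "card_no": "C0000002", "address": "2 Example St, Exampleville NSW"},
}
ALLOWED_CLAIMS = {"over_18", "licence_on_record"}  # hypothetical claim names
PII_FIELDS = {"name", "dob", "licence_no", "card_no", "address"}
TODAY = date(2024, 5, 1)  # fixed so the demo is deterministic


class IdentityProvider:
    """Holds the PII; answers only derived yes/no claims, signed."""

    def __init__(self, signing_key: bytes, records: dict):
        self._key, self._records = signing_key, records

    def _sign(self, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def verify(self, member_ref: str, relying_party: str, claims: list, nonce: str) -> dict:
        unknown = set(claims) - ALLOWED_CLAIMS
        if unknown:  # data minimisation: raw fields are never a valid request
            raise ValueError(f"refused: not a derivable claim: {sorted(unknown)}")
        rec = self._records.get(member_ref)
        if rec is None:
            raise LookupError("unknown member reference")
        dob = rec["dob"]
        age = TODAY.year - dob.year - ((TODAY.month, TODAY.day) < (dob.month, dob.day))
        derived = {"over_18": age >= 18, "licence_on_record": bool(rec["licence_no"])}
        # Pairwise pseudonym: stable for this venue, different at every other venue,
        # and not reversible to the licence number without the provider's key.
        sub = hmac.new(self._key, f"{member_ref}|{relying_party}".encode(), hashlib.sha256).hexdigest()[:16]
        payload = {"rp": relying_party, "nonce": nonce, "issued": TODAY.isoformat(),
                   "sub": sub, "claims": {c: derived[c] for c in claims}}
        return {"payload": payload, "sig": self._sign(payload)}


class Venue:
    """The club: asks for claims and retains only the decision and pseudonym."""

    def __init__(self, name: str, idp: IdentityProvider, verify_key: bytes):
        self.name, self._idp, self._key = name, idp, verify_key
        self.entry_log = []

    def _valid(self, assertion: dict, nonce: str) -> bool:
        body = json.dumps(assertion["payload"], sort_keys=True).encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        p = assertion["payload"]
        return (hmac.compare_digest(expected, assertion["sig"])
                and p["nonce"] == nonce and p["rp"] == self.name)

    def admit(self, member_ref: str) -> bool:
        nonce = secrets.token_hex(8)  # binds the answer to this check-in
        assertion = self._idp.verify(member_ref, self.name, sorted(ALLOWED_CLAIMS), nonce)
        if not self._valid(assertion, nonce):
            raise ValueError("assertion failed verification")
        claims = assertion["payload"]["claims"]
        admitted = claims["over_18"] and claims["licence_on_record"]
        # Nothing here is a name, address, DOB or licence number.
        self.entry_log.append({"sub": assertion["payload"]["sub"], "admitted": admitted,
                               "on": TODAY.isoformat()})
        return admitted


def pii_leaked(record: dict) -> bool:
    return bool(PII_FIELDS & set(record))


def run_demo() -> dict:
    key = secrets.token_bytes(32)  # shared HMAC key stands in for an IdP keypair (assumption)
    idp = IdentityProvider(key, IDP_RECORDS)
    club, other = Venue("Example Club", idp, key), Venue("Another Club", idp, key)
    results = {"adult_admitted": club.admit("ref-7f3a"), "minor_admitted": club.admit("ref-9c21")}
    results["log"] = club.entry_log
    results["log_has_pii"] = any(pii_leaked(e) for e in club.entry_log)
    other.admit("ref-7f3a")  # same person, second venue: different pseudonym
    results["pairwise_differs"] = club.entry_log[0]["sub"] != other.entry_log[0]["sub"]
    try:  # asking for the raw date of birth is refused outright
        idp.verify("ref-7f3a", club.name, ["dob"], "n")
        results["raw_claim_refused"] = False
    except ValueError:
        results["raw_claim_refused"] = True
    nonce = "fixed-nonce"  # flipping a claim after signing must be caught
    tampered = idp.verify("ref-9c21", club.name, ["over_18"], nonce)
    tampered["payload"]["claims"]["over_18"] = True
    results["tamper_detected"] = not club._valid(tampered, nonce)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A real deployment would sign with the provider's private key and let venues verify with its public key, expire assertions, and log requests on the provider side so a venue polling every member's status is visible; the shape of what the venue stores (pseudonym plus decision) is the part that matters for breach exposure.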

  • -2

    https://www.theage.com.au/politics/victoria/family-violence-…

    This is even worse. Dontcha love outsourcing services! FFS.

  • The government would be happy with this so they can push their new "safe and effective" digital identity bill.
    Then next time the data breach will affect all Australians instead of 1 million ClubNSW members!

    • -2

      I still trust the government rather than thousands of businesses that decide better profits mean they don't need adequate security. Put money into securing one database rather than thousands.

      • I still trust the government

        You can trust the Government or you can understand history.
        But you can't do both.

        • -1

          And you are going to provide me with examples any day now, aren’t you? In the meantime we can look at case after case where private industry has had data breaches.
