Optus

• To address such costs, the federal government is proposing a national digital identity scheme that will let people prove their identity without having to share documents such as their passport, drivers licence or Medicare card.
• Finance Minister Katy Gallagher opened consultations for the draft bill last week, with plans to introduce the legislation to parliament by the end of the year.

What would change?

• The draft bill package includes strong updates to security requirements for how organisations store people’s IDs, as well as the reporting of data breaches and suspected identity fraud.
• In her speech to the Australian Information Industry Association, Gallagher outlined a four-phase rollout.

How would it work?

• To prove your identity to a participating organisation, you would log into the organisation’s website and select MyGovID as your verification method.
• You would then log into your MyGovID app and give consent for your identity to be verified with that organisation.

The upside of the proposal

• The Medibank, Optus and Latitude data breaches of 2022-23 have demonstrated the lack of regulation and enforcement of identity protection legislation in Australia.
• The bill also outlines minimum cybersecurity standards, and requires regular review of organisations dealing with identity data.

Unresolved MyGovID security flaws

• In releasing the draft bill, the government has highlighted a voluntary national digital identity – the MyGovID – which is already being used by more than 6 million Australians and 1.3 million businesses.
• In 2020, security researchers warned the public against using MyGovID due to security flaws in its design.
• According to Webber Insurance, 14 of the 44 recorded data breaches between January to June this year were reported by government authorities.
• More worryingly, the privacy act has a loophole which allows state and government authorities to remain exempt from compulsory data breach reporting.

A honey trap for hackers

• Also, streamlining distributed identification systems in this way will create an irresistible target for hackers.
• In cybersecurity this is called a honeypot, or honey trap.
• Just as honey is irresistible to bears, these data lures are irresistible to hackers.

What can you do?

• However, you don’t have much time to have your say: public submissions are being sought until October 10.
• This extremely short consultation period doesn’t provide much confidence a fit-for-purpose solution will be created.

• By that it meant that the world’s biggest and most profitable companies no longer worked with oil, as they had throughout the 20th century, but with data.
• By 2022, three of the world’s five most profitable companies specialised in data – Apple, Microsoft and Alphabet.
• But before that, our cities were shaped by plumbing, making it more accurate to say that data is the new water.

Like water, data flows through pipes

• We see Australia’s little-known new Consumer Data Right in the same way, as a foundation on which the future will be built.
• A landmark Productivity Commission report in 2017 made Australia a global leader in planning to regulate data.
• The resulting 2019 Consumer Data Right mimics plumbing in the way it facilitates flows and removes effluent.

What does the Consumer Data Right do?

• Concern for the quality and integrity of the transported data is built into the system’s architecture: data holders and accredited data recipients have to ensure the data they transfer is “accurate, up to date and complete”.
• Data holders have to ask consumers to authorise disclosures of their data and keep records and explanations of such authorisations.

Making data breaches less likely

• Importantly, when an accredited data recipient no longer needs consumer data (and is not required to retain it for another reason) the recipient has to either destroy or de-identify it.
• Had Optus been accredited under the consumer data right before exposing the data of as many as 10 million current and former customers last year, in what has been labelled “the worst data breach in Australia’s history”, it would most likely have been found to be in breach of its obligations by holding on to data it no longer needed.
• Running parallel to the consumer data right for firms that haven’t applied for accreditation are the old practices.

Old pipes are unsafe

• Read more:
  Why the class action against Optus could be Australia's biggest

  The sooner these old practices are replaced with practices governed by the consumer data right, the stronger Australia’s data economy will become.

• What we find strange about the changes taking part in Australia is that overseas they are regarded as pioneering.
• It is time for Australian businesses to embrace what’s coming and start developing uses for the consumer data right that will appeal to customers.

• In addition, the module has obtained RCM certification for both Australia and New Zealand, further solidifying its commitment to providing reliable and compliant connectivity solutions across the region.
• View the full release here: https://www.businesswire.com/news/home/20230816320021/en/
  Quectel BC660K-GL module achieves certification for leading Australian and New Zealand networks (Photo: Business Wire)
  The BC660K-GL is a high-performance LTE Cat NB2 narrowband IoT (NB-IoT) module which offers extremely low-power consumption and supports multiple frequency bands for NB-IoT connectivity.
• "We are excited to bring the BC660K-GL module to the Australian and New Zealand markets with the assurance of certifications from leading networks," said Michael Wallon, Senior Vice President, Sales, APAC, Quectel Wireless Solutions.
• The BC660K-GL module's certification for prominent networks and its RCM certification mark yet another milestone in Quectel's journey to empower businesses with state-of-the-art connectivity solutions.

• Most of the payments were for small amounts (less than A$5,000) and were not flagged by the ATO’s own monitoring systems.
• The fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people’s tax refunds to their own bank accounts.

How these scams work

• Setting up a myGov account or a myGov ID requires proof of identity in the form of “100 points of ID”.
• It usually means either a passport and a driver’s licence or a driver’s licence, a Medicare card, and a bank statement.
• Once a myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.

How government can improve

• This ensures salaries, tax and superannuation contributions are all paid at once.
• Most people who have received a tax refund will have provided bank account details where that payment can be made.
• Indeed, many people use precisely those bank account details to identify themselves to myGov.
• If the ATO simply checked with the individual via another channel when bank account details are changed, this fraud could be prevented.

Protecting yourself

• As long as the ATO only has your bank account number to transfer your tax rebate, this scam does not work.
• It also helps to protect your Tax File Number.
• There are only four groups that ever need this number.
• Most importantly, know your bank will not send you emails containing links, nor will the ATO.