James Cridland

Who’s really to blame for the Optus data loss

You may, or may not, have seen the news: probably the largest data leak in Australian history, as mobile phone company Optus managed to lose data from more than 10,000,000 current and former customers.

As you can see above, I fall into the “former customer” list: having moved to them in December 2019 because they had a good deal for overseas roaming, only for, well, 2020 to happen. I joined Vodafone in March 2022.

ID, therefore I am

Australian law requires an ID check before you can get a mobile phone. The law is formed from the Telecommunications (Service Provider — Identity Checks for Prepaid Mobile Carriage Services) Determination 2017 which asks for “one category A or two category B identification documents”: one such document is a passport, or a drivers licence.

I gave Optus my drivers licence. A drivers licence is one of those “category A” documents, which is enough to take out credit or open bank accounts. So, in theory, this is something that is quite critical personal data.

Normally, if you have personal data like this, the best approach is to keep it for as short a time as you can get away with, and then destroy it.

But, it’s not quite as easy as that.

Retention is the intention

Another Australian law requires retention of my details if I’ve got a mobile phone.

The Telecommunications (Interception and Access) Act 1979 also says that a telecoms company must keep information, including identification information (187AA) for two years (187C) after the account is closed.

That is why, even though I left Optus more than six months ago, my details are still on their system: and will continue to be on their system until the first half of 2024.

That isn’t Optus’s fault; it’s the fault of the law.

What’s to be done?

Optus shouldn’t keep this data in their systems. They probably don’t want it, to be fair.

If an ID check is required (which is a whole different conversation), then I’d suggest the right way of doing so is to use the Australian Government’s mygovID, or similar, to prove my identity to Optus.

Instead of storing my drivers licence number (or passport details), Optus should simply store the authorisation code from the mygovID service. That’s useless to a hacker, but would allow Optus to give something that could be used by an authority with access to the mygovID system.

Were Optus to simply store this authorisation code, a hacker could walk away with my personal details, but wouldn’t have access to my passport or drivers licence without also having access into the mygovID system.

Optus needn’t even see my personal identification details. Which is probably as it should be.

Who’s to blame?

The government, to a degree. They have forced Optus to retain this information, after all. Without the law, Optus would have no requirement to either collect my information, or to retain it.

But, it’s easier just to blame Optus, innit?