
Australia to amend telecoms regulations following Optus breach

Amendments to Australia’s telecoms regulations are in the works to temporarily allow sharing of individuals’ identifier information between telcos and financial institutions

The Australian government is planning to amend its telecommunications regulations in the light of the recent data breach that compromised the personal data of some 10 million customers at Optus, the country’s number two telco. The data included passport, driver licence and Medicare numbers, opening the door for identity fraud.

The proposed changes will permit temporary sharing of government identifier information involved in data breaches between telcos and financial institutions, so that the latter can scrutinise possibly fraudulent transactions and take special care when accounts are opened using breached identity document numbers. Names, addresses and other personal information will not be shared, said federal treasurer Jim Chalmers.

Banks will only be allowed to use the information for this specific purpose. They will be required to review the need to keep it every 12 months, and then destroy the information when it is no longer required, said federal communications minister Michelle Rowland. That will presumably be when the relevant documents have either expired or been replaced.

Information will only be shared with financial institutions regulated by the Australian Prudential Regulatory Authority. The institutions will also be required to show that they can receive and hold the data securely.

Other changes to the regulations will enable telcos to provide government agencies such as Services Australia with information to help prevent fraud.

The changes will only apply for 12 months, said Rowland, after which they will be reviewed. Changing the regulations can be done by the government, without bringing the matter to Parliament.

The federal government is also believed to be considering changes to laws regarding the types of data that companies are required to keep, how long they must keep it, and whether they are required to delete it at the end of that period.

For example, telcos are currently required to keep certain information about their customers for two years after an account is closed, but they may choose to retain it beyond that time.

The previous government initiated a review of the Privacy Act at the end of 2019. The review is at the stage of considering responses to its October 2021 discussion paper along with feedback from a series of discussions with stakeholders. There have been calls to limit the data that can be retained by companies, and for how long.

Organisations that have already implemented strong data retention regimes would be well-placed to cope with such changes at a technical level, but they would likely need to alter their business practices.

Those with a piecemeal approach to the issue would be more challenged, so there could be an increase in demand for systems that automate the retention and subsequent destruction of records.

The recent growth in the use of immutable storage to defend against ransomware might complicate compliance with such changes. The whole point of immutable storage is that the resulting copies cannot be changed. Fortunately, systems such as Amazon S3 Object Lock have been designed to allow different retention periods for different objects.
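The retention automation described above amounts to a per-record retention clock plus a periodic review, which is the same shape as per-object retention settings in immutable storage. The following is an added illustration, not code from the article or from any telco or bank, and it makes assumptions the article does not state: a two-year clock on closed customer accounts, a 12-month review cycle on breach identifier data held for fraud checks, and a legal-hold flag that blocks destruction. The sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy parameters (illustrative, not from the article's regulations).
REVIEW_INTERVAL_DAYS = 365        # "review the need to keep it every 12 months"
CUSTOMER_RETENTION_DAYS = 730     # two years after an account is closed


@dataclass
class Record:
    record_id: str
    category: str               # "customer_account" or "breach_identifier"
    received_on: date           # account closure date, or date breach data was received
    retention_days: int         # per-record retention, like per-object Object Lock retention
    legal_hold: bool = False    # a hold blocks destruction regardless of expiry
    last_reviewed: Optional[date] = None  # None means never reviewed since receipt


def expiry_date(record: Record) -> date:
    """Earliest date on which the record may be destroyed."""
    return record.received_on + timedelta(days=record.retention_days)


def disposition(record: Record, today: date) -> str:
    """Return 'hold', 'destroy' or 'retain' for one record as of today."""
    if record.legal_hold:
        return "hold"
    if today >= expiry_date(record):
        return "destroy"
    return "retain"


def review_due(record: Record, today: date) -> bool:
    """Breach identifier data must be re-justified every REVIEW_INTERVAL_DAYS."""
    if record.category != "breach_identifier":
        return False
    anchor = record.last_reviewed or record.received_on
    return (today - anchor).days >= REVIEW_INTERVAL_DAYS


def plan(records: list, today: date) -> dict:
    """Group record ids by action; 'review_due' overlaps with 'retain'."""
    result = {"destroy": [], "retain": [], "hold": [], "review_due": []}
    for rec in records:
        result[disposition(rec, today)].append(rec.record_id)
        if review_due(rec, today):
            result["review_due"].append(rec.record_id)
    return result


# Constructed sample data for demonstration only.
SAMPLE_RECORDS = [
    Record("acct-001", "customer_account", date(2020, 9, 1), CUSTOMER_RETENTION_DAYS),
    Record("acct-002", "customer_account", date(2021, 6, 15), CUSTOMER_RETENTION_DAYS),
    Record("acct-003", "customer_account", date(2019, 1, 1), CUSTOMER_RETENTION_DAYS,
           legal_hold=True),
    Record("breach-id-001", "breach_identifier", date(2022, 10, 1), 365),
    Record("breach-id-002", "breach_identifier", date(2021, 9, 20), 730),
]

if __name__ == "__main__":
    for action, ids in plan(SAMPLE_RECORDS, date(2022, 10, 10)).items():
        print(f"{action:11s} {ids}")
```

Run as of 10 October 2022, acct-001 has passed its two-year clock and is listed for destruction, acct-003 has also expired but stays on hold, and breach-id-002 is retained yet flagged for its 12-month review because it was received more than a year ago and has never been reviewed.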

In related news, a Sydney teenager has been arrested for an alleged scam using data released by the person or group responsible for the Optus data breach.

According to the Australian Federal Police, he demanded A$2,000 each from 93 people, but was believed to be working through the publicly revealed list of 10,200 Optus customers. He was believed to have been identified via the bank account mentioned in blackmail SMSes.
