Optus collected personal data from people, and, it appears, kept it long after the need for the data passed. Worse, if reports are accurate, Optus kinda left the data on the kitchen table with the back door open and the light on.
This is data requested initially from customers to check identity. I’d like to know the government regulations / legislation requiring this identity check data to be stored.
The whole mess feels to me like a big business problem: overreach on data collection, no housekeeping to identify and securely delete data no longer required, poor data structure on data storage making theft of a useable batch easy, and inadequate protection of data required to be kept on-hand.
In my experience of decades working in software development, in government (CSIRO), big business (banks and mining) and in small business (Tower Systems), it’s the big business systems where problems like we have been reading about from Optus thrive.
In big business there are big IT teams, lots of stakeholders, lots of committees, lots of fingers. These are all very removed from the people personally responsible. In fact, who is personally responsible in a business the size of Optus: the CEO?, senior management?, the Board?, the Shareholders? … who knows.
In small business, if I ask a customer for an ID check for some reason, they show me their licence or passport and then return it to their bag or wallet. I don’t copy it. I don’t enter their details in my computer system. I don’t keep it longer than I need.
If I screw up and leave personal details of a customer out for anyone else to see or take, I am responsible. I know it. My customers know it.
Okay, it’s maybe not the best example. But, actually, it is. In small business we tend to be lean, and efficient, taking action necessary to get the job done. We, well I know in my own small business situations, I and those work work with me tend to not hoard things, we tend to not hoard data, and we respect value, and security. We use our safe for that, and we do not leave the door open or pass out the combination.
Small business owners are closer to their customers in a practical sense and in everyday life. We understand them and respect them because our customers are us, or at least like us.
In big business, customers are numbers, pieces of data, and, too often in big business, data, especially old data or data not part of today’s push to drive the share price up is not as mission critical and may therefore be left on the kitchen table with the back door open – because no one was watching, wondering, or worrying about and for those who provided the data.
So, yeah, I read the Optus situation as a big business problem. Until there are share price impacting consequences for what has happened we should expect more events like we have seen in the last week.
Yes. I agree completely.
I seem to recall a problem with one of the big 4 banks being called out for insufficient customer ID checks. Accountants and financial planners are also required to perform the same checks . In the case of accountants they are subject to compliance checks with the same through their professional bodies and the Tax Practitioner Board. Financial planners likewise through their license holder internal audits and ASIC. Seems to me the compliance checking has led to this disaster and that the legislators and government agencies also have a case to answer with the crims getting greater access to financial accounts that the ID checks are designed to protect.
Steve, there does need to be a whole of government and business root and branch re-work around privacy and data.
Companies like Optus should do better at managing data and securing data, and deleting data no longer required.
Privacy data could be stored in a way to thwart easy access.
If the reports are accurate, Optus left the door open, the lights on and valuable data on the table, for the taking.