NewsBite

‘Rethink needed’ on rules around passport, ID retention: Telstra

Australian businesses need to rethink how they handle identity documents to help minimise the impact of another major data breach, the Telstra executive in charge of cyber security says.

Telstra has slashed the amount of time it holds customers’ identity scans, including passports, from two years to six months, and Narelle Devine, a former naval commander and Telstra’s chief information security officer, said other businesses should follow suit.

The recent high-profile Medibank and Optus breaches, which collectively have affected more than 10 million Australians, have sparked debate over the amount of personal data, including passport and identity documents, collected and retained by businesses.

Personal information is currently protected by the Privacy Act, which is being reviewed by the federal government.

“For us, it’s important from an anti-fraud perspective to make sure we know the person we’re talking to is really that person, but what we’re also doing is making sure that we’re holding the minimum (customer data) that we can,” Ms Devine said. “I think people walk in, and they’re used to handing over their identity documents without really thinking too much about where they go after that. And I think the last few months have really shown that the community needs to rethink that.”

Telstra chief information security officer Narelle Devine.

The executive said new technologies may be able to replace some of the more traditional identity verification processes, including multi-factor authentication for identity, and a centralised digital trust platform.

Current laws mean telcos have to hold on to customer data for at least two years after an account is closed, and Ms Devine said that while Telstra would delete the scans, current laws required the company to retain the ID data associated with them for longer. “I think it’s time that we looked at the rules, and that we did have a change in pace,” she said.

In her first public comments since the Optus breach, Telstra chief executive Vicki Brady said a critical lesson from the incidents for all organisations was the need to assess what data needed to be stored and how and where it was.

Ms Brady replaced former Telstra chief executive Andy Penn in September. “We’ve kicked off a review of our systems to really challenge ourselves to minimise the government ID data we hold, and the time we hold it for, while continuing to meet our existing legal obligations,” Ms Brady said.

“We think there are better ways for these ID checks to be managed. Further improvements to the way we identify you and manage this data may become possible as centralised digital ID verification systems are put in place and through changes to the various laws we operate under.”

Medibank was hacked by Russian cybercriminals, according to the Australian Federal Police, and Ms Devine said the line between state-based and criminal hacking groups was becoming more blurred, which presented tougher challenges for high-profile targets such as Telstra.

“What we’ve seen more broadly across the cyber community is the merging of state-based and cybercriminal groups, and we’re seeing cybercriminal groups that are very sympathetic to state-based causes,” she said. “If it’s not a state-based actor … it might be a group that is supporting the motivations of a nation state.”


Original URL: https://www.theaustralian.com.au/business/technology/rethink-needed-on-rules-around-passport-id-retention-telstra/news-story/dca8c1dc5c087bed7cbe6e87ef78fd84