Well, that was an action-packed month, wasn’t it! We started by catching up with pals at AusNOG, went on to launch our shiny new portal, and ended with a very real reminder about the importance of strong data security and privacy. The ongoing car crash that is the Optus data breach just keeps me glued to the coverage.
We may never find out the exact truth of what happened at Optus, but sadly it is entirely too credible that somebody, somewhere, allowed unauthenticated API access to a very sweet honeypot from an unsecured network. I think we can all imagine the slippery slope of decision making that happened to enable this. It would have started with someone needing to build extensions on the database that holds the customer information, then someone needing to access it via an API, and then someone needing remote access to the API to change the colour scheme on something that used it, and hang it, this is just easier if I do this without credentials cos debugging is hard. Or some such. Which someone, somewhere, had authority (but not all the information) to allow… Err yeah. No. It really shouldn’t happen.
At the core of this is the question of why years-old customer data still existed in this database, and why such important identifying information is even held at all. While people keep telling me the requirement sits in the credit management regulation and data retention legislation, it really does not seem justified, and nor does it seem reasonable that actual records such as passport, driver’s licence and Medicare numbers are retained. The stern reminder for us as operators is that we need to examine the data we keep, why we keep it, and ensure our systems and processes for retaining it, managing it and removing it are sound: both at the technology and human levels. It also reminds us we need to have our data breach notification plans ready, and appropriate to the storm of excrement that will come down if it gets out. What should and would we do to make good to our customers if data were to leak?
On top of this sits how the government will react to the relatively low fines that sit within the Australian privacy legislation, especially when compared with the European GDPR. It has already flagged changes to the various cybersecurity obligations. It is certainly an area we will watch with some concern, both for over-regulation and to provide assistance to members in compliance when it inevitably appears (see our new paper on the Asset Register compliance, for an example).
As consumers, we must also push back on handing this data over in the first place, and sadly a lot of us will have to go through the hideous process of dealing with our own data that has, or simply may have, leaked in this breach. For some people, the ramifications of their home address leaking can be utterly serious indeed.
On that note, I will assure you all that we have looked very carefully at the data model we hold for our own portal, and the security model in place. I have also commissioned a separate security review to ensure best practice. We don’t retain any credit card information, and we certainly don’t want your Medicare number.
In the coming month, we will have the WA-IX anniversary and our AGM, with some fantastic speakers and representatives coming from our early WAIA membership. The IAA team have also been working solidly towards producing this year’s annual report, and I am glad to see interest already in the event and in the board election. I hope to see you there.
All the best