Banks to get Optus customers’ identification data after cyberattack

Optus will be allowed to send customer identification data to banks and government agencies so they can put in place more checks to protect the almost 10 million people whose data was stolen in the major hack late last month.

The federal government announced the new exceptions to privacy rules in Australia's metadata laws on Thursday after Optus told officials it was not legally allowed to share information like Medicare, passport and driver's licence numbers despite the massive data breach.

Treasurer Jim Chalmers has announced changes to the telecommunications act following the recent Optus data breach.Credit:Alex Ellinghausen

Communications Minister Michelle Rowland said the regulations, which were expected from the government almost two weeks ago before the complexity of changing the law became clear, had strong privacy protections inbuilt including time limits.

"Banks who receive the data need to review the need to continue holding the data for every 12 months," Rowland said. "If it is no longer required, it needs to be destroyed. There's that threshold."

The regulations, which are not yet in force or public, will also be reviewed after a year and only Australian-regulated banks, excluding foreign bank branches here, will be allowed to receive information from telecommunications firms.

The information will only be allowed to be used to respond to cyberattacks and prevent fraud while banks will have to formally tell regulators that they are only seeking genuinely necessary information and that their security is sufficient.

Names, addresses or other personal information will not be allowed to be shared. Treasurer Jim Chalmers said that for "data security reasons", Australians will not be told which banks receive the data.

Questioned by reporters in Canberra about whether it was sensible to allow data to be shared more widely when experts have warned that the Optus hack showed companies were keeping too much information, Rowland said that the Attorney-General was separately working on reforms to the Privacy Act.

"I think consumers who have been affected by the data breach, their primary concern here is a privacy one – who has my personal information, who has my government identifiers?" Rowland said. "So in taking this very measured approach to these regulations that we are announcing today, we have very carefully balanced their privacy concerns with those guardrails, with the need to ensure that financial institutions have what they need to keep Australians safe."

Many Australian banks have announced they have already stepped up their safeguards to protect customers in the wake of the Optus hack.

She said the regulations were being introduced after Optus raised with government a view that it could not share identification information that it had obtained under metadata laws, which were introduced several years ago and allow authorities to track much of what Australians do online.

Optus' public affairs boss Andrew Sheridan welcomed the announcement, which he said would help other organisations protect customers.

"Optus is also pleased the Federal Government has taken the initiative to form a joint working group with Optus to enhance the coordinated response to the cyberattack," Sheridan said in a written statement. "We look forward to continuing to collaborate closely with the working group and all governments."

More to come.

Cut through the noise of federal politics with news, views and expert analysis from Jacqueline Maley. Subscribers can sign up to our weekly Inside Politics newsletter here.

Most Viewed in Technology

From our partners

Source: Read Full Article