What does the Optus breach mean for user trust?

New York attorney general talks privacy. Portuguese military hacked. DevSecOps industry overwhelmed by vulnerability backlogs.

Anthony Woodward

October 11, 2022


Welcome to FILED Newsletter, our monthly round-up of relevant news, opinion, guidance, and other useful links in the world of data, records and information management. This month:

  • What will be the long-term effects of the Optus data breach?
  • The Portuguese military is hacked, with NATO documents found on the dark web.
  • What does New York's Letitia James think about personal privacy?

If you only read one thing

What does the Optus data breach mean for user trust?

No prizes for guessing the top story this month.

Since it came to light in September, the data breach of the Australian telecommunications company has dominated the news agenda in Australia and among privacy professionals across the world. According to the company, 9.8 million people had their data accessed during the breach. Of those, 2.1 million personal identification details, including 150,000 passport and 50,000 Medicare numbers, were accessed.

The case will have ramifications for Optus, for other telecommunications companies, and for any organization that holds personally identifiable information, plus the wider industry when new regulation is passed.

The public’s trust in the company has been severely harmed. It took time to provide clear details on who was affected, what data was accessed, and what the next steps will be. For 2.1 million people, one of those next steps could be to replace one or more important identity documents. There is an external review by Deloitte under way.

Organizations like Optus and the Australian Government need to recognize that they hold data for us all on trust. The public needs to be able to trust that they have done the right thing with our data, because they are able to prove it when required. Organizations need to move to provable security and provable privacy.

Optus customers are now in limbo waiting on replacement documents, unsure whether their credit rating is in tatters. Some are already facing potentially life-changing consequences, like finding themselves unable to buy a home.

Our vision is to help businesses avoid being in the situation Optus is in, and to help them make sure their customers aren’t impacted in such a way. That had been our vision before this event, and working with our customers we want to help expand that vision.

Trust takes years to build, and seconds to destroy.

Our hope is that the next time a business asks for an identity document to open an account or access a service, they can answer customers’ questions:

  • What data are you keeping, and for what purpose?
  • For how long will my data be retained?
  • When do you get rid of it?

The better the answers businesses have, the more successful they will be.

🤫 Privacy & governance

US president Joe Biden signed an executive order to implement a European Union-United States data transfer framework, announced in March. The framework introduces new privacy safeguards for American intelligence gathering.

An interview with New York attorney general Letitia James, focused on protecting the privacy of individuals.

A recent decision by the U.S. Court of Appeals in Philadelphia offers a template for finding standing in data breach cases. Historically, standing can be a high bar for plaintiffs to clear, as the mere loss of data has not been enough to establish injury.

Google is rolling out a feature that helps streamline the removal of search results that contain your personally identifiable information. You can’t remove the info using the tool, but it’ll make it easier to track down who to ask.

In case you needed more on the influence of GDPR on privacy legislation across the world, here is a piece on how the regulation “changed the game for enterprises”.

🔐 Security

Organizations are largely unprepared for attacks on their SaaS data, a new global survey says, adding that only half of organizations impacted by an attack on SaaS data could fully recover.

Further evidence of a lack of preparedness: in a survey conducted a few weeks before the Optus breach, only half of Australian board directors believed their organization might fall victim to a cyberattack within a year. It would be interesting to run this survey again now.

A cyberattack disrupted at least 20 Japanese government websites across four ministries, with pro-Russia group Killnet claiming responsibility.

The Portuguese military was the victim of a data breach, with NATO documents found for sale on the dark web. The breach was only discovered when the US armed forces came across the documents for sale.

Toyota says about 296,000 pieces of customer information may have been leaked in a breach of its T-Connect service.

Meanwhile, in New Zealand: patient files and high-level data have been stolen in a cyberattack on Pinnacle Health, a major primary health provider. The data was posted to the dark web by a ransomware group with Russian links.

A new report suggests the DevSecOps industry is overwhelmed by vulnerability backlogs, with half of respondents reporting backlogs of 100,000 to 1.1 million vulnerabilities.

📣 The latest from RecordPoint

Are AI and ML just fancy ways of saying "algorithms", which is just a fancy way of saying "math"? Learn the history of machine learning, and how it powers solutions like RecordPoint’s classification engine.

Data privacy needs good data management. If for some reason you skipped today’s intro, here is a slightly different lens on the issue.

That is everything we have for you this month. Welcome to everyone who may be receiving this for the first time; you picked quite a month to join!
