The Massive Optus Data Breach Shows Why Web3 Must Rewrite The Rules of User Identity

Almost 10 million Australians, around 40 percent of the population, have had their identity credentials exposed in one of the worst data breaches in the country’s history. The Optus disclosure of 22 September 2022 lit a fire under a debate that had been smouldering for years. Centralised databases of identity data are not safe.

It is staggering that a breach of this scale is happening in 2022. It will not be the last unless we rewrite the rules of user identity.

The Optus Data Breach is now part of every Australian board agenda. It also belongs in every product manager’s slide deck, every CISO’s threat model, and every CEO’s quarterly review, because the architecture that made the Optus breach possible is the same architecture that thousands of organisations are still running today.

The public record so far

  • Customers exposed: almost 10 million, around 40 percent of Australia’s population.
  • Disclosure date: 22 September 2022.
  • Data accessed: Medicare ID numbers, names, email addresses, phone numbers, dates of birth, passport numbers, driving licence numbers.
  • Most at risk: 2.8 million people whose passport or licence numbers were compromised face a “quite significant” risk of identity theft per the federal government.
  • Government emails compromised: 12 state and federal addresses, including four belonging to the Department of Defence and one from the Department of Prime Minister and Cabinet.
  • Cause: an unprotected API endpoint. Australia’s Minister for Cybersecurity Clare O’Neil called it “not a sophisticated attack” and said Optus “effectively left the window open”.

What the public record shows.

The Optus disclosure on 22 September 2022 set off the most-reported cyber incident in Australian history. The PII accessed by the attacker included customers’ Medicare ID numbers, names, email addresses, phone numbers, dates of birth, passport numbers, and driving licence numbers.

Optus, a subsidiary of Singapore Telecommunications, has stated that credit card details and account passwords were not compromised. That is cold comfort. The data that was taken is enough to commit identity fraud against almost half the country.

Despite the fact that the purported hacker apologised and dropped a US$1m ransom demand, the federal government has said that the 2.8 million people whose passport or licence numbers were compromised now face a “quite significant” risk of identity theft and fraud. Scammers are already taking advantage of stressed and angry customers.

Then Telstra, Australia’s largest telecoms firm, was breached two weeks later. Two of the country’s biggest companies, holding identity data for most of the population, breached inside a month.

The thing most coverage is missing.

The Optus story is not really about Optus. It is about the model.

Centralised databases of customer identity data are honey pots. Every database owner becomes a single point of failure for the customers whose data sits inside. The bigger the database, the more attractive it becomes to attackers, the more catastrophic the breach when it happens.

This is not new. The 2016 Uber breach exposed 57 million customers. Uber’s chief security officer was later convicted of covering up the breach. In 2018, the Google+ API exposed the private data of over 500,000 users to the public, because of a bug Google chose not to disclose. A 2019 Proofpoint study found that 72 percent of enterprises using cloud-based software were the targets of security threats, with 40 percent reporting at least one compromised account.

Every one of these incidents is a variant of the same problem. We are building services where the cost of the breach falls on the customer, not on the company holding the data.

This is what privacy KYC fixes.

A privacy KYC architecture takes the honey pot off the table. The customer holds their own credentials, encrypted, on their own device. When a business needs to verify them, the customer signs and shares only the specific attributes the business actually needs. The business gets a cryptographically valid result. The business does not get, and does not store, the underlying identity documents.

When a customer saves a document in their ShareRing Me wallet, the document is encrypted and stays on their device. The verification of that document is anchored cryptographically to ShareLedger, which means a verifier can confirm authenticity in seconds without ever holding the document itself. Self-Sovereign Identity (SSI) plus Zero-Knowledge Proofs let a customer prove they are over 18 without revealing their date of birth, or prove they hold a valid driving licence without exposing the number.
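As an added example (not ShareRing’s code and not the ShareLedger protocol), the Go program below shows the selective-disclosure pattern the two paragraphs above describe, and that the FAQ answers later restate: an issuer signs only salted digests of the customer’s attributes, the holder keeps the plaintext and salts on their own device, and the business receives one attribute plus its salt and can check it against the signature without learning anything else. The over-18 case is handled as an issuer-attested predicate claim rather than a zero-knowledge proof, which is a simplification; the issuer, attribute names and sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// Credential is what the holder keeps on-device: the issuer signs only salted digests.
type Credential struct {
	Digests []string // sorted hex(sha256(name|salt|value)), one per attribute
	Sig     []byte   // issuer's ed25519 signature over the joined digests
}

func digest(name, salt, value string) string {
	h := sha256.Sum256([]byte(name + "|" + salt + "|" + value))
	return hex.EncodeToString(h[:])
}

func signedBytes(c Credential) []byte { return []byte(strings.Join(c.Digests, "\n")) }

// Issue (issuer side, a hypothetical licence authority): salt each attribute,
// sign the sorted digest list, and return the salts for the holder to keep.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) (Credential, map[string]string) {
	salts, c := map[string]string{}, Credential{}
	for name, value := range attrs {
		s := make([]byte, 16)
		rand.Read(s) // a fresh random salt per attribute blocks digest guessing
		salts[name] = hex.EncodeToString(s)
		c.Digests = append(c.Digests, digest(name, salts[name], value))
	}
	sort.Strings(c.Digests)
	c.Sig = ed25519.Sign(priv, signedBytes(c))
	return c, salts
}

// Verify (business side): check the issuer signature, then that the one disclosed
// (name, salt, value) hashes to a signed digest. Undisclosed attributes stay hidden.
func Verify(pub ed25519.PublicKey, c Credential, name, salt, value string) bool {
	if !ed25519.Verify(pub, signedBytes(c), c.Sig) {
		return false
	}
	want := digest(name, salt, value)
	i := sort.SearchStrings(c.Digests, want)
	return i < len(c.Digests) && c.Digests[i] == want
}
```

An issuer that includes a constructed `age_over_18` claim next to `dob` lets the holder disclose only the predicate, so the verifier never receives the date of birth or the licence number.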

The Optus model required Optus to store the entire stack of identity documents for almost every customer in the country. The Privacy KYC model requires Optus to store nothing.

What you do not hold, cannot be stolen, sold, or leaked. That is the entire point.

For the broader pattern of how centralised KYC providers create the same risk at industrial scale, see our piece on the Canvas breach, where one vendor’s compromise exposed 275 million student records across 8,809 schools.

Why this matters beyond Optus.

Three reasons.

One. Optus was not a sophisticated attack. It was an unprotected API endpoint. That tells you the bar for adversaries is low and the consequences are catastrophic. Every centralised identity database in the country is the next headline.

Two. The regulatory response is already escalating. The Australian federal government is pushing for a national digital identity system, and Australia has since legislated significantly higher penalties for data breaches. We covered the dollar implications in The $50 Million Question, and the looming AUSTRAC obligations in AUSTRAC Tranche 2. Both reshape the cost-of-breach calculus.

Three. Other jurisdictions are watching Australia. The breach has been studied by every privacy regulator in the OECD. The conclusion is the same. Centralised identity is a structural problem, not a vendor problem.

Frequently asked questions.

What is the Optus Data Breach?

A cyber incident disclosed by Optus on 22 September 2022 in which the personal identification information of almost 10 million Australian customers was accessed by an attacker. It is one of the largest data breaches in Australian history.

How was the Optus Data Breach caused?

Per the Australian Minister for Cybersecurity, Clare O’Neil, the attack was not sophisticated. Optus left an API endpoint unprotected, which allowed an attacker to access a customer identity database without authentication. The federal government described the cause publicly.

What information was compromised?

Names, dates of birth, email addresses, phone numbers, Medicare ID numbers, passport numbers, and driving licence numbers. Credit card details and account passwords were not compromised per Optus.

How does Privacy KYC stop this from happening?

Privacy KYC moves identity documents off central databases and onto the customer’s device, encrypted. The business asking to verify the customer receives a signed result, not a copy of the underlying documents. There is no central honey pot of identity data for an attacker to target.

Could decentralised identity have prevented the Optus Data Breach?

If Optus had used decentralised identity verification, the company would never have held the documents in the first place. The customer would have presented signed verifiable credentials at sign-up. The attacker would have found nothing to steal because nothing was stored. See our Seven Things That Make Self-Sovereign Identity Different for the architectural detail.

Where can I learn more about ShareRing’s approach?

Read the Three Verification Levels of ShareRing for how the Vault works, and the ShareRing Me product page for the consumer wallet.

Where we sit.

ShareRing has been building this technology since 2018. The encrypted Vault and self-sovereign ID model we put in the original whitepaper are the same architecture under everything we deploy today.

By 2022, when the Optus Data Breach landed, we already had a production wallet, a production blockchain anchor, and a verifier SDK in market. The conversation since has only moved one way. Every breach, every regulator response, every new privacy law brings the centralised honey-pot model closer to retirement.

When the customer is the data centre, the breach goes away.

Get the framework right, get the rest right.

The Optus Data Breach was preventable. Telstra was preventable. Canvas was preventable. The architecture that allowed each one to happen is still the default for most organisations holding identity data.

We chose to build a different architecture and we have spent the last eight years proving it works at scale.

If you are running customer identity verification today and the data lives on your servers, the question is not whether you will be breached. The question is whether you will be ready when it happens. The cheaper answer is to stop holding the data at all.

If you want to talk about migrating to a privacy KYC model, the door is open at sharering.network/contact.

By Tim Bos, CEO of ShareRing (2022). Tim is now Co-CEO of ShareRing.

#PrivacyKYC #DigitalIdentity #DataBreach #Optus #SelfSovereignIdentity #ReusableKYC #Private #Secure #Verified