The Massive Optus Data Breach Shows Why Web3 Must Rewrite The Rules of User Identity
Following one of Australia’s largest-ever data breaches, ShareRing CEO Tim Bos examines what organizations should learn from Optus’ mistakes, and reveals how decentralized identity solutions will protect customers’ personal information
Australia is reeling from revelations that almost 10 million customers – 40% of the population – have had their identity credentials exposed.
The Optus data security breach – first disclosed by the telecoms giant on September 22 – has been called the worst data breach in Australian history.
The news has angered customers, understandably. It’s staggering that such a breach can take place in 2022. Now, this unprecedented incident is fuelling a critical debate about the risks and security vulnerabilities of centralized databases on Web2, and how countries manage data and privacy.
Personally Identifiable Information (PII) accessed by the alleged Optus hacker includes customers’ Medicare ID numbers, names, email addresses, phone numbers, birthdates, and passport and driving license numbers.
The stolen data is said to include over a dozen state and federal government email addresses, including four belonging to the defense department and one from the Department of Prime Minister and Cabinet.
Optus – a subsidiary of Singapore Telecommunications – has stated that credit card details and account passwords were not compromised in the security breach, but that’s cold comfort for customers.
Despite the fact that the purported hacker has since apologized and dropped a US$1m ransom demand, the government has said that the 2.8 million people whose passport or license numbers were compromised now face a “quite significant” risk of identity theft and fraud. Scammers are already taking advantage of stressed and angry customers.
What caused the Optus data breach?
While Optus insists the breach was caused by a high-level ‘cyberattack,’ Australian Minister for Cybersecurity Clare O’Neil says this was “not a sophisticated attack” and Optus “effectively left the window open” for the data to be stolen via an unprotected API endpoint.
The Optus data security breach highlights a persistent issue with the structure of all apps and services that rely on centralized databases. By signing up for the convenience of these databases, owned and hosted by third parties, we’re giving up our data, privacy, and security.
Indeed, the massive Optus scandal is the latest in a long list of security breaches to make headlines. An infamous 2016 Uber data breach impacted 57 million customers – with the firm’s chief security officer recently convicted of covering up the breach. In 2018, the Google+ API exposed the private data of over 500,000 users to the public because of a bug the firm had chosen to keep quiet about. Incredibly, there was even a breach at Australia’s largest telecoms firm Telstra in October, two weeks after the Optus attack.
This litany of errors makes it clear that we must rewrite the rules of user identity by putting individuals back in control of their personal data.
What is data security? Threats, risks, and solutions
Data security means preventing data loss through unauthorized access. Currently, Web2 is dominated by businesses that provide services in exchange for customer information. Its centralized tech stacks make it attractive to hackers, who seek valuable consumer information such as payment details.
Indeed, a 2019 study revealed that 72% of enterprises using cloud-based software were the targets of security threats, while 40% of respondents had at least one compromised account in their environment.
In the new era of a decentralized Web3, blockchain-based digital identity ecosystems such as ShareRing empower users by offering control over their personal data and minimizing the information they share with third parties.
When users save their documents in ShareRing Vault, the documents are encrypted and stored only on the user’s own device, never in a centralized database. A one-way hash (a fingerprint from which the document itself cannot be read) of each document in the Vault is also recorded on the ShareLedger blockchain, which offers tight protection against identity fraud and theft.
By using such decentralized identity platforms by default, users only need to provide a limited amount of information to prove who they are, thanks to Self-Sovereign Identity (SSI) and Zero-Knowledge Proof technology.
In other words, a company can trust that a customer is exactly who they say they are without needing access to all the detailed information it once collected. It’s comparable to a store asking to see your driving license to establish your age, but giving you the option to conceal every field on it apart from your birth year.
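To make the selective-disclosure idea concrete, here is an added illustration written for this article (my own sketch, not ShareRing’s code or the ShareLedger format): each field of a constructed licence record gets its own salted hash commitment, one combined fingerprint stands in for the value that would be anchored on a ledger, and the holder reveals only the birth year plus its salt, which the verifier checks against the anchored fingerprint. The per-field random salts are what keep a low-entropy field such as a birth year from being brute-forced from a published hash.

```python
import hashlib
import secrets
from copy import deepcopy

def _field_hash(name: str, salt: str, value: str) -> str:
    # Salted per-field commitment: the salt stops anyone reading the ledger
    # from guessing low-entropy values such as a birth year.
    return hashlib.sha256(f"{name}:{salt}:{value}".encode()).hexdigest()

def commit_record(record: dict) -> tuple[dict, dict]:
    """Holder side: one random salt and one commitment per field."""
    salts = {k: secrets.token_hex(16) for k in record}
    commits = {k: _field_hash(k, salts[k], str(v)) for k, v in record.items()}
    return commits, salts

def record_fingerprint(commits: dict) -> str:
    """Single hash over all commitments: the value that would go on a ledger."""
    joined = "|".join(f"{k}={commits[k]}" for k in sorted(commits))
    return hashlib.sha256(joined.encode()).hexdigest()

def present(record: dict, commits: dict, salts: dict, reveal: set) -> dict:
    """Holder side: disclose only the requested fields and their salts."""
    return {
        "revealed": {k: str(record[k]) for k in reveal},
        "salts": {k: salts[k] for k in reveal},
        "commitments": dict(commits),   # needed to recompute the fingerprint
    }

def verify(presentation: dict, anchored: str) -> bool:
    """Verifier side: is each revealed field bound to the anchored fingerprint?"""
    if record_fingerprint(presentation["commitments"]) != anchored:
        return False
    for k, v in presentation["revealed"].items():
        salt = presentation["salts"].get(k)
        if salt is None or _field_hash(k, salt, v) != presentation["commitments"].get(k):
            return False
    return True

# Constructed sample licence record (placeholder values, not real data).
LICENCE = {"name": "Jane Citizen", "licence_no": "00000000",
           "address": "1 Example St", "birth_year": 1990}
COMMITS, SALTS = commit_record(LICENCE)
ANCHORED = record_fingerprint(COMMITS)            # stands in for the on-ledger hash
PRESENTATION = present(LICENCE, COMMITS, SALTS, {"birth_year"})

def tampered() -> dict:
    # A holder claiming a different birth year: the commitment no longer matches.
    p = deepcopy(PRESENTATION)
    p["revealed"]["birth_year"] = "2010"
    return p
```

In a real SSI deployment the issuer would also sign the fingerprint so the verifier knows who vouched for the record; that signature step is omitted here.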
In addition, decentralized identity platforms like ShareRing eliminate friction during onboarding by reducing the need to manage and maintain separate login credentials for every app. Instead, users connect to their SSI identity for seamless integration across Web3-powered services.
The next few years will be an incredibly influential time in developing digital identities, as the uptake of digital ID and associated services gathers pace.
The Australian Financial Review reports that the Australian government is pushing for a national digital identity system following the Optus fallout. NSW Customer Service Minister Victor Dominello is calling for a move to decentralized identity and SSI at the state level and the end of paper-based ID.
Every time there is a widespread data breach, we hear CEOs assuring customers that they take security seriously. As Optus promises to pay to replace compromised identity documents, these lines are wearing thin.
To avoid more fiascos, it’s time to embrace a new model for user identity, which gives control back to the user without sacrificing convenience.
As Dominello puts it: “If this Optus saga is not a burning platform for change, I don’t know what it is.”
For more information on how the ShareRing app can upgrade your business and customer experience more effectively, visit www.sharering.network
About Tim Bos
Tim Bos is the CEO of ShareRing. He is an experienced blockchain engineer and entrepreneur who has founded several successful sharing economy and IoT-related companies, including the global car-sharing platform Keaz, which has offices in Australia, Hong Kong, Vietnam and the USA.