In a mere six months, spanning the end of 2022 and beginning of 2023, almost every Australian would have known someone who had their personal identification documents stolen in a cyber attack. First, the Optus breach compromised nearly 10 million Australians. Next, the Medibank incident exposed 9.7 million citizens. But the unsettling wave didn’t stop there; a staggering 14 million Australians found their data at risk in the Latitude Financial data breach.

Data breaches are so frequent that the website "Have I Been Pwned?", created by Australian Troy Hunt, lets users check if their email addresses have been compromised. Today, many companies and government bodies store Australians' personal data. With so many entities holding their information, often without their knowledge, Australians face real challenges in securing their personal data.

Many breaches never get this national attention. Real estate agency Harcourts and Toyota both had their customers' data stolen. Unless Australians are willing to go through life without insurance, a telephone, a car, or a rental home, there is little they can do to prevent their identity documents being retained by companies and possibly stolen by criminals.

Australians are increasingly frustrated with the frequent need to replace identity documents and the constant threat of identity theft. The current financial consequences for organisations suffering data breaches do not appear to motivate sufficient investment in cyber security. Business analyst Andrew Adams from Barrenjoey noted that even after Medibank's breach, he did not anticipate a significant drop in policyholders. This perspective aligns with the market's response: Medibank's share price rebounded to its pre-breach value within just six months.

Something must change. There should be a way that Australians can verify their identity without having their identity documents insecurely stored by multiple organisations.

Individuals do not have the expertise or resources to protect their data from advanced cyber criminals. Digital rights activist Samantha Floreani commented that “placing all the responsibility onto individuals to protect their own privacy in this landscape is totally unreasonable”.

Recent changes to the Privacy Act that increase the financial penalties for businesses that repeatedly experience data breaches are a good start. But the response to this challenge should involve both a carrot and a stick. Not only should the government punish businesses that mishandle or fail to secure customer data, it should also empower organisations to achieve identity verification outcomes without needing to store identity documents.

The federal government already operates an identity verification system, MyGovID. MyGovID allows someone to validate their identity once and then use their MyGovID login to access government services without providing identity documents to each one. A user's MyGovID ‘strength’ is based on the quality of the identity documents used to prove their identity, and stronger MyGovIDs can be used to access more services.
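A sketch of the design this paragraph describes, added here as an illustrative example and not MyGovID's actual protocol or code: an identity provider keeps the verified documents and issues a short-lived signed assertion carrying only a pseudonymous subject, the intended audience, a strength level and an expiry; a relying party (an insurer, telco or real estate agency) checks those claims and rejects tampered, expired, mis-addressed or too-weak assertions without ever receiving a document. The class names, strength levels, key and user records are all constructed for the example, and HMAC is used only to keep it dependency-free; a real deployment would use asymmetric signatures so relying parties can verify assertions without being able to mint them.

```python
import base64
import hashlib
import hmac
import json
import time

# Assurance levels, loosely modelled on the "strength" idea in the article.
# The names and ranks are constructed for this example.
STRENGTH_RANK = {"basic": 1, "standard": 2, "strong": 3}

# Constructed demo key; a real issuer would use a private signing key.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds verified documents; issues assertions that carry only a strength level.

    The documents never leave this class: an assertion contains a pseudonymous
    subject, the audience it was issued for, the strength and an expiry.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._users = {}

    def enrol(self, user_id: str, strength: str, documents: dict) -> None:
        if strength not in STRENGTH_RANK:
            raise ValueError(f"unknown strength {strength!r}")
        self._users[user_id] = {"strength": strength, "documents": documents}

    def issue_assertion(self, user_id: str, audience: str, ttl: int = 300, now=None) -> str:
        now = time.time() if now is None else now
        record = self._users[user_id]
        claims = {"sub": user_id, "aud": audience,
                  "strength": record["strength"], "exp": int(now) + ttl}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        return f"{b64(payload)}.{b64(sig)}"


class RelyingParty:
    """A business that needs an identity outcome but must not receive documents."""

    def __init__(self, name: str, key: bytes, required_strength: str):
        self.name = name
        self._key = key
        self.required_strength = required_strength

    def verify(self, token: str, now=None) -> dict:
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = unb64(payload_b64), unb64(sig_b64)
        except (ValueError, TypeError):
            return {"ok": False, "reason": "malformed"}
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return {"ok": False, "reason": "bad signature"}
        claims = json.loads(payload)
        if claims.get("aud") != self.name:          # token minted for someone else
            return {"ok": False, "reason": "wrong audience"}
        if claims.get("exp", 0) <= now:              # replay of an old assertion
            return {"ok": False, "reason": "expired"}
        if STRENGTH_RANK.get(claims.get("strength"), 0) < STRENGTH_RANK[self.required_strength]:
            return {"ok": False, "reason": "insufficient strength"}
        return {"ok": True, "reason": "accepted", "claims": claims}


def demo() -> dict:
    """Run the scenarios with fixed timestamps so the outcomes are reproducible."""
    idp = IdentityProvider(DEMO_KEY)
    idp.enrol("user-42", "strong", {"passport": "PLACEHOLDER"})  # constructed record
    idp.enrol("user-7", "basic", {"medicare": "PLACEHOLDER"})    # constructed record
    insurer = RelyingParty("insurer.example", DEMO_KEY, "standard")
    issued_at, checked_at = 1_700_000_000, 1_700_000_100
    good = idp.issue_assertion("user-42", "insurer.example", now=issued_at)
    weak = idp.issue_assertion("user-7", "insurer.example", now=issued_at)
    other = idp.issue_assertion("user-42", "other.example", now=issued_at)
    # Tampering attempt: rewrite the strength claim without re-signing.
    payload_b64, sig_b64 = weak.split(".")
    forged_claims = json.loads(unb64(payload_b64))
    forged_claims["strength"] = "strong"
    forged_payload = json.dumps(forged_claims, sort_keys=True, separators=(",", ":")).encode()
    forged = f"{b64(forged_payload)}.{sig_b64}"
    return {
        "accepted": insurer.verify(good, now=checked_at),
        "weak": insurer.verify(weak, now=checked_at)["reason"],
        "other_audience": insurer.verify(other, now=checked_at)["reason"],
        "expired": insurer.verify(good, now=issued_at + 600)["reason"],
        "forged": insurer.verify(forged, now=checked_at)["reason"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point to notice is what the relying party ends up holding after a successful check: a subject identifier, a strength level and an expiry, and nothing that would need to be reissued if the insurer were breached.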

The federal government should consider expanding the use of MyGovID across government services and allowing companies to register to use MyGovID as a form of identity verification.

Finance Minister Katy Gallagher recently announced that a government-backed digital identity-verification system is planned for rollout next year. The government should ensure that this platform is not only usable for government systems but can also be used by private-sector organisations.

The current Government has indicated support for such a principle. Federal Attorney-General Mark Dreyfus indicated that the government “will be having a look at whether or not companies should be permitted to go on keeping data when the purpose of collecting it in the first place might have been no more than establishing someone's identity”. Expanding the use of MyGovID and opening it up to use by businesses could achieve this outcome.

Charging businesses a fee to use the system would allow the government to recoup the increased cost of expanding and securing the MyGovID system. This could be a budget-neutral policy.

Recent breaches highlight that many large businesses are not adequately investing in the security of customer data. The federal government may be better placed to operate an identity verification platform because, unlike the private sector, it faces no commercial pressure to cut back on security spending.

The government bears partial responsibility for this dilemma, having established the regulatory requirements that lead to excessive storage of identity documents. Given their role in creating these regulations, they should also play a part in mitigating their consequences.

Australians are sick and tired of having their identity documents stolen by cyber criminals. Recent changes to the Privacy Act are a good start, but the government's approach should not just penalise wrongdoing; it should also promote best practice. Therefore, the federal government should consider expanding the use of MyGovID across government services and allowing companies to register to use MyGovID logins as a form of identity verification.

Lachlan McGrath

Advisor