[AusNOG] Optus Hack

Matthew Moyle-Croft mmc at mmc.com.au
Wed Sep 28 09:27:07 AEST 2022


Hi,
There's more than just the telco and privacy laws though, and what you think
your company is required to adhere to can be non-trivial to determine and
may not be consistent.

eg. https://www.legislation.gov.au/Details/C2022C00179

If a telco is providing devices on hire-purchase or lease (see 6.(2) 10 and
12 for instance) as often people do with mobile carriers for phones then
the requirement to maintain that information is 7 years as per part 10.

MMC

On Tue, Sep 27, 2022 at 11:00 PM James Murphy <jamesmurphyau at me.com> wrote:

> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws
> about a telco (or any business other than a credit reporting body) storing
> this level of information - specifically a drivers license number or date
> of birth (passport number isn't mentioned)
>
> "identification information" is the term that includes a drivers license
> number and date of birth
> "Credit information" is the term that includes "identification
> information" about an individual (therefore includes drivers license number
> and date of birth)
>
> There are only laws about how long a credit reporting body stores this
> information. A credit provider (ie Optus) doesn't need to store it, but
> does need to provide it to the credit reporting body - so they need to
> collect it and share it but they don't need to store it.
>
> For the data a telco does need to store - which looks to be added in the
> "Telecommunications (Interception and Access) Act 1979", they all talk
> about "personal information" (which doesn't specifically include date of
> birth or drivers license number, so you would be complying with that law if
> you didn't store those pieces of data - provided you can reasonably
> identify a person with the data you do store)
>
> From the Privacy Act:
>
> *personal information* means information or an opinion about an
> identified individual, or an individual who is reasonably identifiable:
> (a) whether the information or opinion is true or not; and
> (b) whether the information or opinion is recorded in a material form or
> not.
> Note: Section 187LA of the Telecommunications (Interception and Access)
> Act 1979 extends the meaning of personal information to cover information
> kept under Part 5-1A of that Act.
>
>
> So the argument that they need to store this by law - to me (a software
> developer/techy who sometimes can spend hours reading shit like this trying
> to pick holes in it - so: not a lawyer) - doesn't seem valid.
>
> If this is required by law, I would love to understand how (ie which
> laws/acts cover it)
>
>
>
> On 27 Sep 2022, at 16:46, Serge Burjak <sburjak at systech.com.au> wrote:
>
> https://www.oaic.gov.au/privacy/the-privacy-act
>
> Covers it pretty well.
>
> On Tue, 27 Sept 2022 at 16:36, James Murphy <jamesmurphyau at me.com> wrote:
>
>
> Does anyone know which laws cover the data they were keeping?
>
> Did a search for anything with "telecommunication" in the name (link),
> found 71 results and downloaded 73 PDF files (C2022C00170
> Telecommunications Act 1997 had 3 files, all others had 1 file), and can't
> find anything that mentions keeping this level of data.
>
> The closest thing I found was in the following:
>
> C2022C00151 - Telecommunications (Interception and Access) Act 1979
> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data
> Retention) Act 2015
> C2021A00078 - Telecommunications Legislation Amendment (International
> Production Orders) Act 2021
>
> which contained the following two sections that seem to cover
> identification information - there doesn't seem to be anything that says
> they need to collect or store to the level that Optus seems to have done..
> Almost reads like you could store name and address (without DOB?) and that
> would be adequate enough (but I'm not a lawyer so who knows).. Am I looking
> in the wrong place/at the wrong laws?
>
> 13 Identification of a particular person
> For the purposes of this Schedule, a particular person may be identified:
> (a) by the person’s full name; or
> (b) by a name by which the person is commonly known; or
> (c) as the person to whom a particular individual transmission service is
> supplied; or
> (d) as the person to whom a particular individual message/call application
> service is provided; or
> (e) as the person who has a particular account with a prescribed
> communications provider; or
> (f) as the person who has a particular telephone number; or
> (g) as the person who has a particular email address; or
> (h) as the person who has a particular internet protocol address; or
> (i) as the person who has a device that has a particular unique identifier
> (for example, an electronic serial number or a Media Access Control
> address); or
> (j) by any other unique identifying factor that is applicable to the
> person.
>
>
> and
>
> 187AA Information to be kept
> (1) The following table sets out the kinds of information that a service
> provider must keep, or cause to be kept, under subsection 187A(1):
>
> Item 1
>
> Topic: The subscriber of, and accounts, services, telecommunications devices
> and other relevant services relating to, the relevant service
>
> Description of information: The following:
>
> (a) any information that is one or both of the following:
> (i) any name or address information;
> (ii) any other information for identification purposes;
> relating to the relevant service, being information used by the service
> provider for the purposes of identifying the subscriber of the relevant
> service;
>
> (b) any information relating to any contract, agreement or arrangement
> relating to the relevant service, or to any related account, service or
> device;
>
> (c) any information that is one or both of the following:
> (i) billing or payment information;
> (ii) contact information;
> relating to the relevant service, being information used by the service
> provider in relation to the relevant service;
>
> (d) any identifiers relating to the relevant service or any related
> account, service or device, being information used by the service provider
> in relation to the relevant service or any related account, service or
> device;
>
> (e) the status of the relevant service, or any related account, service or
> device.
>
>
>
> On 27 Sep 2022, at 11:12, Nathan Brookfield <
> Nathan.Brookfield at iperium.com.au> wrote:
>
> They’re legally obligated to retain it but why it’s on the API and why
> it’s not encrypted.
>
> Looking at the data some fields are hashed and then repeated in the bloody
> clear :(
>
> On 27 Sep 2022, at 11:02, glenn.satchell at uniq.com.au wrote:
>
> My understanding was that the data included the 100 points of ID info.
> Why are they retaining this? Surely after confirming the 100 points there
> only needs to be a record "100 points provided"=true and not retain the
> actual details. This goes back to only keeping the private data you need.
>
> regards,
> Glenn
>
> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>
> Personally, I find putting Authentication on my API endpoints to be a
> FANTASTIC first step towards API security.  And then not even using
> public IP addresses in test environments is a pretty good second
> step..  </onlyhalfsarcasticherewhydoesthiskeephappening>
> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <bevan at slattery.net.au>
> wrote:
>
> Hi everyone,
> Obviously a big week in telco and cybersecurity.  As part of my work
> I am on the Australian Cyber Security Industry Advisory Committee as
> an industry representative.
> I am keen to look at opening up a dialogue with more and more telco,
> DC and Cloud CISO’s on what they are doing around this issue and
> looking to take a proactive step towards best practice on customer
> data and system security.
> There will be some pretty serious consequences of this hack on the
> industry and importantly we need to make sure we are as best placed
> to help each other continually increase in security posture through
> best practice, but also working with each other as an industry.
> Are people keen on having a online/VC session sometime in the next
> few weeks where like-minded industry participants get together and
> discuss security, retention, encryption, threat detection etc.?  If
> so, just ping me directly and if there is enough interest I will
> send out an invitation to the list for a call.
> Cheers
> [b]
> _______________________________________________
> AusNOG mailing list
> AusNOG at ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
>
> --
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> rendrag at rendrag.net -  http://www.rendrag.net/
> --
> We rode on the winds of the rising storm,
> We ran to the sounds of thunder.
> We danced among the lightning bolts,
> and tore the world asunder
>
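Editor's added example, not part of the thread above: Glenn's suggestion was to keep a record that the 100-point check passed rather than the documents themselves, and Nathan noted the leaked data had fields hashed and then repeated in the clear. The Python below sketches both points: it reduces a raw ID submission to a retainable record (verified flag, points, time, and a keyed HMAC fingerprint of each document so re-use of the same licence across accounts can still be detected), and it provides an audit check that flags any record carrying a forbidden field name or a raw document number or DOB under any key, including beside its own hash. The field names, sample submission, HMAC key and the 100-point scoring are all constructed for illustration; none of it is Optus's schema or code.

```python
"""Data-minimising storage of a 100-point identity check (added example)."""
import hashlib
import hmac
import json

# Constructed list of fields that must never be written past the check itself.
RAW_ID_FIELDS = {
    "drivers_licence_number", "passport_number", "date_of_birth", "medicare_number",
}

# Constructed key. In production this lives in a KMS/HSM and is rotated, not
# embedded in code; without it, dumped fingerprints cannot be brute-forced
# back to licence or passport numbers the way an unkeyed SHA-256 could be.
FINGERPRINT_KEY = b"example-only-key-keep-in-a-kms"

# Constructed sample of what a storefront capture of the 100-point check looks like.
SAMPLE_SUBMISSION = {
    "customer_id": "cust-0001",
    "full_name": "Jane Citizen",
    "date_of_birth": "1990-01-02",
    "documents": [
        {"type": "drivers_licence", "number": "12345678", "points": 40},
        {"type": "passport", "number": "PA1234567", "points": 70},
    ],
}


def document_fingerprint(doc_type, doc_number, key=FINGERPRINT_KEY):
    """Keyed HMAC over a normalised document identifier (type + number).

    Stable across whitespace/case differences so the same licence presented
    twice fingerprints identically, but reveals nothing without the key.
    """
    normalised = f"{doc_type}:{doc_number.strip().upper()}".encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise_verification(submission, verified_at="2022-09-27T00:00:00Z"):
    """Reduce a raw submission to the record that is safe to retain long-term.

    Name, DOB and document numbers are deliberately not copied across; only the
    outcome of the check and the keyed fingerprints survive.
    """
    points = sum(doc["points"] for doc in submission["documents"])
    if points < 100:
        raise ValueError(f"only {points} points supplied; 100 required")
    return {
        "customer_id": submission["customer_id"],
        "id_verified": True,
        "points": points,
        "verified_at": verified_at,
        "document_fingerprints": sorted(
            document_fingerprint(d["type"], d["number"]) for d in submission["documents"]
        ),
    }


def _walk(obj, key=None):
    """Yield (nearest_key, leaf_value) for every leaf in nested dicts/lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk(v, key)
    else:
        yield key, obj


def find_raw_identifiers(stored_record, submission):
    """Audit a record about to be persisted or exposed through an API.

    Flags (1) any forbidden field name at any depth, and (2) any raw document
    number or DOB from the submission appearing as a value under *any* key,
    which catches the hash-plus-cleartext anti-pattern. Returns the sorted list
    of offending keys; an empty list means the record is clean.
    """
    raw_values = {doc["number"] for doc in submission["documents"]}
    raw_values.add(submission.get("date_of_birth"))
    raw_values.discard(None)
    offenders = set()
    for key, value in _walk(stored_record):
        if key in RAW_ID_FIELDS or (isinstance(value, str) and value in raw_values):
            offenders.add(key)
    return sorted(offenders)


if __name__ == "__main__":
    good = minimise_verification(SAMPLE_SUBMISSION)
    print(json.dumps(good, indent=2))
    print("raw identifiers in minimised record:", find_raw_identifiers(good, SAMPLE_SUBMISSION))

    # The anti-pattern from the thread: a hash stored next to the cleartext it
    # was supposed to protect. The audit flags the cleartext field.
    leaky = dict(good, licence_hash=hashlib.sha256(b"12345678").hexdigest(), licence_no="12345678")
    print("raw identifiers in leaky record:", find_raw_identifiers(leaky, SAMPLE_SUBMISSION))
```

The audit check is the part worth wiring into a write path or API serialiser: it is cheap, needs no knowledge of the schema, and would have complained about a response body that carried both a hashed field and its plaintext twin.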