Ming Ding | Information Security and Privacy Group | Data61, CSIRO

A close look at the recent Optus data breach case
• In September 2022, Optus announced a cyber attack had exposed the data of almost 10 million Australians
• The leaked database includes details of 1.2 million credit and debit cards
• Names, credit card numbers, expiration dates, CVV numbers, addresses, etc., were leaked on a cybercrime forum
https://7news.com.au/news/cyber-security/credit-card-details-of-more-than-a-million-people-dumped-online-as-part-of-a-scandalous-bidencash-promotion-c-8522209
• Although it was mostly a security issue, we should learn the following lessons from a privacy perspective:
➢ Is it necessary to save everything in a single database, where attributes like credit card numbers and CVV numbers are useless for any data analytics?
o The principle of “data minimisation” in GDPR: This principle refers to the practice of limiting the collection (and storage) of personal information to that which is directly relevant and necessary to accomplish the understood purpose.
➢ Is it necessary to save credit card information in plain text? (e.g., Google does not directly save our passwords)
o Australian Privacy Principle: If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss; and from unauthorised access, modification or disclosure
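As an added illustration of the two lessons above (this is example code written for these notes, not anything from Optus or the cited article), the function below takes a raw customer record of the kind an all-in-one database might hold and derives the minimised record an analytics store should keep: CVV, expiry, full card number, name and street address are dropped, and repeat payments are linked through a keyed hash of the card number instead of the number itself, in the same spirit as storing a password hash rather than the password. The record, field names and key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample record (the card number is the standard Visa test PAN).
RAW_RECORD = {
    "name": "Example Customer",
    "address": "1 Sample St, Sydney NSW 2000",
    "card_number": "4111111111111111",
    "expiry": "12/27",
    "cvv": "123",
    "plan": "prepaid",
    "monthly_spend_aud": 45.0,
}

# Only these attributes serve the analytics purpose (data minimisation).
ANALYTICS_FIELDS = ("plan", "monthly_spend_aud")

# Attributes that must never reach the analytics store.
PROHIBITED_FIELDS = ("cvv", "expiry", "card_number", "name", "address")

# Demo key only; in practice the key lives in the payment system's secrets
# manager, never beside the analytics data, so a leaked table cannot be
# reversed by hashing every candidate card number against it.
DEMO_KEY = b"constructed-demo-key"


def card_pseudonym(pan: str, key: bytes) -> str:
    """Keyed hash of the card number: links repeat payments without storing
    the number. An unkeyed hash would be weak here because the space of
    valid card numbers for a given issuer prefix is small enough to enumerate."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Return the record the analytics database is allowed to keep."""
    out = {k: record[k] for k in ANALYTICS_FIELDS if k in record}
    out["postcode"] = record["address"].split()[-1]  # coarse location only
    out["card_ref"] = card_pseudonym(record["card_number"], key)
    out["card_last4"] = record["card_number"][-4:]  # enough for customer display
    return out


def contains_prohibited(record: dict) -> bool:
    """Guard to run before any write: True if a prohibited attribute survived."""
    return any(field in record for field in PROHIBITED_FIELDS)


if __name__ == "__main__":
    stored = minimise(RAW_RECORD, DEMO_KEY)
    print(stored, "prohibited data present:", contains_prohibited(stored))
```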