There was an interesting point that credit card details weren’t leaked - some speculation that this was due to the banks enforcing a pretty tight compliance framework with the penalty that you’d be cut off from the banking system.
If true that would align with an indifference to customer data - if it was treated the same as financial data would it have been so easily accessed?

thank you

Simon

On 27 Sep 2022 at 12:30 PM +0930, Andrew M. Mathieson-Blakely <[email protected]>, wrote:
> What I don’t understand (and I am not a programmer) is why there isn’t a
> broker setup. In the Mainframe world normally, you would have your database
> on a private network that will only serve a request server and serve the
> data that it requests to see. I really get nervous these days when databases
> are not behind private networks with no public access whatsoever.
>
> That’s my food for thought; I'd be interested to see what goes on in the real
> world today but I just see this as not the most secure way to be handling any
> information that is stored in a database.
>
> Regards
>
> Andrew
>
> From: AusNOG <[email protected]> on behalf of Michael Kahl <[email protected]>
> Date: Tuesday, 27 September 2022 at 12:40 pm
> To: Nathan Brookfield <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [AusNOG] Optus Hack
> Resent from: <[email protected]>
>
> Is there any legal obligation to store sensitive ID information in its
> original form? Storing a hashed version only would be sufficient to prove the
> details had been collected and verify any future ID verification requirements
> without actually retaining the sensitive data.
>
> Separately, should the government provide an opt-in two-factor ID
> verification service for critical services such as telco, utilities, banking,
> etc? There are privacy concerns, however if implemented correctly they
> wouldn't be collecting any further information than what they legally have
> access to now.
>
> On Tue, Sep 27, 2022 at 11:12 AM Nathan Brookfield <[email protected]> wrote:
> >
> > They’re legally obligated to retain it but why it’s on the API and why it’s
> > not encrypted.
> >
> > Looking at the data some fields are hashed and then repeated in the bloody
> > clear :(
> >
> > On 27 Sep 2022, at 11:02, [email protected] wrote:
> >
> > My understanding was that the data included the 100 points of ID info. Why
> > are they retaining this? Surely after confirming the 100 points there only
> > needs to be a record "100 points provided"=true and not retain the actual
> > details. This goes back to only keeping the private data you need.
> >
> > regards,
> > Glenn
> >
> > On 2022-09-27 10:49, Damien Gardner Jnr wrote:
> > > Personally, I find putting Authentication on my API endpoints to be a
> > > FANTASTIC first step towards API security. And then not even using
> > > public IP addresses in test environments is a pretty good second
> > > step.. </onlyhalfsarcasticherewhydoesthiskeephappening>
> > >
> > > On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <[email protected]> wrote:
> > >> Hi everyone,
> > >>
> > >> Obviously a big week in telco and cybersecurity. As part of my work
> > >> I am on the Australian Cyber Security Industry Advisory Committee as
> > >> an industry representative.
> > >>
> > >> I am keen to look at opening up a dialogue with more and more telco,
> > >> DC and Cloud CISOs on what they are doing around this issue and
> > >> looking to take a proactive step towards best practice on customer
> > >> data and system security.
> > >>
> > >> There will be some pretty serious consequences of this hack on the
> > >> industry and importantly we need to make sure we are as best placed
> > >> to help each other continually increase in security posture through
> > >> best practice, but also working with each other as an industry.
> > >>
> > >> Are people keen on having an online/VC session sometime in the next
> > >> few weeks where like-minded industry participants get together and
> > >> discuss security, retention, encryption, threat detection etc.? If
> > >> so, just ping me directly and if there is enough interest I will
> > >> send out an invitation to the list for a call.
> > >>
> > >> Cheers
> > >>
> > >> [b]
> > >> _______________________________________________
> > >> AusNOG mailing list
> > >> [email protected]
> > >> https://lists.ausnog.net/mailman/listinfo/ausnog
> > >
> > > --
> > > Damien Gardner Jnr
> > > VK2TDG. Dip EE. GradIEAust
> > > [email protected] - http://www.rendrag.net/
> > > --
> > > We rode on the winds of the rising storm,
> > > We ran to the sounds of thunder.
> > > We danced among the lightning bolts,
> > > and tore the world asunder
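Michael's idea above (keep a hash in place of the ID details, beside the "verified" flag Glenn describes, and never repeat the field in the clear as Nathan saw) as an added Python example that is not from anyone on the thread. It uses a keyed hash (HMAC-SHA256 with a secret pepper kept outside the customer database) rather than a bare hash, because document numbers are short enough that an unkeyed hash of one can be recovered by guessing; the pepper value, field names and normalisation rule are my assumptions.

```python
import hashlib
import hmac
import re

# Assumed secret: in production this lives in a KMS/HSM, never in the
# customer database, so a dump of that database yields only tokens.
PEPPER = bytes.fromhex("0a" * 32)  # placeholder value, constructed for the example


def normalise(doc_type: str, doc_number: str) -> bytes:
    """Canonicalise so 'AB 123-456' and 'ab123456' produce the same token."""
    cleaned = re.sub(r"[^A-Za-z0-9]", "", doc_number).upper()
    return f"{doc_type.upper()}:{cleaned}".encode()


def make_token(doc_type: str, doc_number: str, pepper: bytes = PEPPER) -> str:
    """Keyed, non-reversible stand-in for the document number."""
    return hmac.new(pepper, normalise(doc_type, doc_number), hashlib.sha256).hexdigest()


def record_verification(customer_id: str, doc_type: str, doc_number: str) -> dict:
    """The row that gets stored: a flag plus the token, never the number itself."""
    return {
        "customer": customer_id,
        "id_verified": True,
        "doc_type": doc_type.upper(),
        "doc_token": make_token(doc_type, doc_number),
    }


def verify_later(record: dict, doc_type: str, doc_number: str) -> bool:
    """Re-check a customer who presents the same document again."""
    if record["doc_type"] != doc_type.upper():
        return False
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(record["doc_token"], make_token(doc_type, doc_number))


if __name__ == "__main__":
    row = record_verification("cust-0001", "drivers_licence", "AB 123-456")
    print(row)                                              # no licence number present
    print(verify_later(row, "drivers_licence", "ab123456"))  # True
    print(verify_later(row, "drivers_licence", "AB 123-457"))  # False
```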
