What does Equifax data breach mean for digital identity?

16 Sep 2017

  • Social security numbers and other personal information of nearly half the US population stolen

  • Equifax data breach dubbed ‘worst of all time’, stolen data perpetually valuable to identity fraudsters

  • Is this a catalyst for change to identity frameworks?

Source: The Economist

 

Point of View

 

On 7 September 2017, Equifax disclosed it had been hacked. Cyber thieves took names, social security numbers, birthdates and driver licence numbers: everything needed to steal someone’s identity. It is particularly concerning that those affected by the breach now face a lifelong threat of identity theft, because these data cannot just be ‘cancelled’, unlike a credit card.

 

Moreover, it is not just individuals who are affected. The US Social Security System as a whole has been compromised, with trust the first casualty. The full impact on society has yet to unfold, but one thing is certain: it will be expensive.

 

Implications

 

The Equifax breach is the latest in a series of large data breaches. With data becoming more valuable, the frequency, sophistication and cost of cyberattacks are likely to increase. The estimated cost of identity crime in Australia was at least $2.2 billion in 2016. It is one of the most common types of crime in Australia; each year an estimated 5 per cent of the population experiences identity crime resulting in financial losses.

 

Given the type of data stolen and with nearly half its citizens affected, will the US Government step in to assuage the identity fraud risk? Indeed, Senator Mark Warner called for Congress to create a uniform data breach notification standard and to consider developing data protection policies, in a statement on the Equifax data breach.

 

However, even if Senator Warner’s proposals come to fruition, they are preventative measures, so the Americans already affected will continue to face identity theft risk. Will this be impetus enough for the US Government to review the Social Security System that is used ‘off label’ as a national identity framework?

 

Australian Government involved 

In Australia, we already have a data breach notification scheme, introduced in February 2017 in the Privacy Amendment (Notifiable Data Breaches) Act (2017). But will it be enough to protect Australians from identity theft? One further protection could be a secure digital identity framework.

In one model of digital identity, user credentials are saved with a trusted ‘identity provider’, which might be a bank or a government agency, for example. When a user accesses services from a third party, that service provider obtains user identity credentials from the identity provider – with user consent – rather than from the user themselves.

 

The Digital Transformation Agency (DTA) is working towards developing such a digital identity framework in Australia, as part of its responsibility to lead the ‘digital transformation’ of government services. Its current project involves delivery of GovPass, a technical platform for users to create a digital identity that can be used for accessing government services. It is currently in beta testing and due to be rolled out in 2018. In parallel, the DTA has been developing its Trusted Digital Identity Framework with the private sector and other government agencies. Public consultation on the Framework is now underway; submissions are due by 8 December.  

 

Reserve Bank backs digital identity

The Reserve Bank is strongly in favour of a national digital identity framework. Head of Payments Policy, Dr Tony Richards, emphasised to government the importance of private sector involvement in developing a digital identity solution, in a recent parliamentary hearing. In particular, he noted that Australians trust banks to look after their funds and so “… we suspect that it will be very important for the financial sector to be involved in any digital identity solution.” Furthermore, Dr Richards commented that a digital identity system “…could be very important in reducing online fraud, so we think it is an important thing.”

 

Industry engagement

The payments industry is already engaging with digital identity, consistent with Dr Richards’ comment that the Reserve Bank is “…urging industry to work together to make progress on digital identity.” Over 2017, the Australian Payments Council Digital Identity Taskforce completed foundational work on a framework for digital identity, in line with initiatives it published in the Australian Payments Plan in 2015. Later this year, the Council will facilitate a cross-industry workshop to identify a common path forward to developing a framework.

 

 

The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members.

 

 

 


Copyright © 2017 AusPayNet. All rights reserved.  
