Stolen ID register blocks 300k fraud attempts

A government register introduced following one of Australia’s worst data breaches on record has blocked more than 300,000 fraudulent attempts to use stolen identity credentials legitimately in 18 months.

The figures reveal for the first time the scale of attempts by fraudsters to use compromised passports, Medicare and driver’s licence data in the wake of the 2022 Optus data breach that kicked off a privacy push.

As many as 9.8 million current and former Optus customers had at least some personal information compromised in the breach, while at least 2.1 million customers had identity documents stolen, prompting a rush for replacement credentials.

In response, the Department of Home Affairs established the Credential Protection Register to place a block on known compromised credentials to prevent verification through the Document Verification Service (DVS) while new credentials are issued.


Government agencies and businesses use the DVS to check that the personal details on identity documents correspond with original records to prevent the use of fake credentials in banking, for example.

Credential issuing agencies, such as the Australian Passport Office and Services Australia, assess the need to add credentials to the Credential Protection Register on a case-by-case basis after being informed by companies impacted by a data breach.

On Wednesday, Attorney-General Mark Dreyfus said that there had been 300,000 fraudulent attempts to use stolen identity credentials since the register was introduced in October 2022.

“The register protects those whose personal details have been stolen from suffering further harm by preventing their compromised credentials being used as forms of identity,” he said in a statement.

While credentials listed on the register will not work with the DVS, they can still be used in-person, allowing legitimate owners to continue using their passports for international travel, Mr Dreyfus said.

The government provided $3.3 million in the Mid-Year Economic and Fiscal Outlook to enhance the register as part of a $145.5 million digital identity funding package, which will also be used to expand the Australian Government Digital ID System (AGDIS).

Mr Dreyfus said that when the upgrades to the Credential Protection Register are complete “document issuers and other trusted organisations will be able to directly update the register in near real time”.

“This rapid response will also help prevent black market sales of stolen identity credentials and disrupt other illegal activities that rely on those stolen credentials, such as scams, money laundering and fraud,” he said.

Since the Optus data breach, the government has passed several bills aimed at improving privacy protections while it continues to consult on the reforms proposed in the landmark review of the Privacy Act.

In November 2022, the government significantly lifted penalties for serious or repeated privacy breaches. Companies are now subject to fines of $50 million, three times the value of any benefit obtained through the misuse of data, or 30 per cent of the company’s turnover.

A year later, legislation for identity matching services, including the DVS and Face Verification Service (FVS), passed federal Parliament. Both the DVS and FVS are used by the AGDIS, which will expand beyond the federal government later this year.

Long-awaited legislation to enshrine the privacy safeguards and governance structures behind the AGDIS passed the Senate late last month and will now return to the lower house for sign off.

Do you know more? Contact James Riley via Email.
