Hours After Aussie Gov’t Greenlights Online Age Verification Pilot, Breach Of Mandated Verification Database For Bars Is Revealed
It’s almost laughable that these two stories happened so close to one another. The Australian government has just announced a pilot program to test an online age verification system:
And then, just hours later, it was reported that law enforcement is investigating an apparent breach of club and bar patrons’ personal data, which the venues are required to collect by law for people entering such establishments.
When we talk about the privacy and data risks of age verification, this is exactly the kind of thing we’re talking about. When you’re collecting that much sensitive private data, you become a target.
As the article linked above notes:
It is a legal requirement in NSW for licensed clubs to collect personal information from patrons on entry, under the state’s registered clubs legislation.
The information is required to be stored securely under federal privacy laws.
Sounds kinda like the age verification requirements for websites. You have to collect the info and then pinky promise to keep it secure. And it works until this happens:
An unauthorised website claims personal information of more than 1 million customer records from at least 16 licensed NSW clubs have been released online in a potential data breach.
Cybercrime detectives are investigating the reported breach with the website claiming to have records and personal information of senior government figures, including Premier Chris Minns, Deputy Premier Prue Car and Police Minister Yasmin Catley.
IT provider Outabox said in a statement it had become aware of the potential data breach of a sign-in system used by its clients by an “unauthorised” third party.
Hilariously, government officials are trying to play this down because it was just a breach rather than a hack. As if that makes a difference?
Gaming Minister David Harris said the government and police first became aware of the potential breach on Tuesday.
“We know that this is an alleged data breach of a third-party vendor, so it wasn’t a hack,” he said.
But this is exactly the concern regarding online age verification. Someone has to collect that information and then whoever is collecting the sensitive info becomes an immediate target, no matter how the data is accessed.
Incredibly, you might recall that just a few months ago we were giving the Australian government kudos for recognizing that age verification was a privacy and security nightmare. So, they knew that just last summer.
And yet, here we are with the latest announcement:
Despite those concerns from late last year, the government is now pushing ahead with a pilot to try and test some of those ideas.
Look, maybe head down to the nearest club in NSW to see how it’s working out before moving forward “despite these concerns”?
Meanwhile, if you think this breach isn’t that serious, well, for the million or so folks who visited one of those bars and clubs, things don’t look great:
Creator of the data breach tracking website haveibeenpwned.com, Troy Hunt, said the creators of the website had not released all of the information they had collected.
“Inevitably they do have the entire thing.”
He said the Outabox technology used by clubs scans patrons’ faces and matches them with their licence details.
Mr Hunt said people whose data has appeared on the site may need to replace their drivers licences.
“There are physical addresses, there are date of birth, there are names. That’s not good,” he said.
That’s not good at all.
So maybe let’s not repeat the mistake online?