Australian Age Verification System Suffers Data Breach. 1 Million Compromised

An Australian system for age verification for bars has suffered from a data breach. It puts into question the security of such systems.

There are times when it feels like the world is desperately trying to prove everything I say is accurate by shovelling evidence towards me like it’s going out of style. Throughout, at least, the Canadian age verification debate, one of the criticisms I’ve had for the longest time was the fact that such a system would inherently put people’s personal information at even greater risk.

This is simply inherent in the system being proposed. As I’ve said many times over, you are collecting an additional chunk of personal and highly sensitive information from users. Whether that is facial recognition, biometric information, government ID, or more, you are tying that information to people who consume content that is socially stigmatized. This, of course, opens the door for blackmail among other things.

Supporters of the age verification system often push back against these obvious concerns. They argue that asking to “pretty please” secure that information in the law is good enough. What’s more, they regurgitate what amounts to snake oil advertising of “industry standard” level of security. What those supporters won’t tell you is that “industry standard” is precisely why the European Union had to implement the General Data Protection Regulation (GDPR) back in 2018. “Industry standard” is why you can go on to Google News, search “data breach”, and get greeted with a tsunami of news stories of different companies getting hacked. “Industry standard” is simply companies giving off fancy press releases laced with buzzwords while, in the background, doing very little to nothing to actually protect people’s personal information. This while black hat hackers and data brokers are buying and selling whole silos of personal information, continuing to experience financial boom times.

Simply put, “industry standard” is nowhere near good enough. Yet, for certain politicians, sacrificing your personal safety is a sacrifice they are willing to make in their own pet project of misunderstanding how the internet works and passing laws that make everyone less safe in their long running quest to shove their nose into everyone’s business and dictate how people can live their lives. In their minds, it is their duty to dictate how you should be running your life.

Now, some might look at my comments about collecting personal information and putting it into one place and waving a red flag to hackers all over the world to “come on in” and say, “Oh, don’t worry, they’ll figure something out to make this system uniquely secure.” Yeah, we’ve heard the comments about how they can make personal information secure in a double secret way to make it super ultra secure and, simply put, we are not buying it. Of course, some out there will be wanting solid evidence that age verification systems are not as secure as some companies make them out to be. Well, thanks to Australia, we got handed that evidence today on a silver platter.

Yesterday, we noted that Australia was moving forward with their pilot project of their own age verification system. In the process, there was a note about how they are wanting to expand the censored content into other areas like video games (which is its own can of worms). Well, apparently, mere hours after launching their pilot project, a similar age verification system already in place suffered from a major data breach. From ABC:

A Sydney man has been arrested by police over an alleged data breach of personal information of members and patrons from at least 17 licensed clubs in New South Wales and the ACT.

An unauthorised website claimed to have published online the personal details of many customers, with a threat to publish those of more than 1 million customers in the reported leak.

The website claimed to have records and personal information of senior government figures, including Premier Chris Minns, Deputy Premier Prue Car and Police Minister Yasmin Catley.

Cybercrime detectives have launched an investigation into the reported leak in conjunction with state and federal agencies under Strike Force Division.

Strike force detectives arrested a 46-year-old man after executing a search warrant at a property in Fairfield West about 4:20pm on Thursday.

The man was taken to Fairfield Police Station and is expected to be charged with blackmail.

This is obviously quite serious, but the details get even better:

IT provider Outabox said in a statement it had become aware of the data breach of a sign-in system used by its clients by an “unauthorised” third party.

“We are working as a priority to establish the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement,” Outabox said in a statement.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation.”

It is a legal requirement in NSW for licensed clubs to collect personal information from patrons on entry, under the state’s registered clubs legislation.

The information is required to be stored securely under federal privacy laws.

This is an object lesson in “just because security is written into law doesn’t mean that it will actually be secure in practice”. A lawmaker can’t write a law and just expect a magic wand will be waved to make all the inherent problems magically go away. No amount of “nerd harder” is going to make the impossible a reality. While we are not totally familiar with the details of this particular law, we do know that the Canadian age verification bill being pushed has no penalties for information that gets compromised under that age verification system. Simply put, if this happened in Canada, no one is being held accountable under that bill for negligence in storing and using that personal information. In other words, all that comes from Bill S-210 in this scenario is lawmakers saying, “I am very disappointed.” That, quite frankly, is nowhere near good enough.

Techdirt picked up on this story and is sharing pretty much the exact same thoughts I have on the situation:

Hilariously, government officials are trying to play this down because it was just a breach rather than a hack. As if that makes a difference?

Gaming Minister David Harris said the government and police first became aware of the potential breach on Tuesday.

“We know that this is an alleged data breach of a third-party vendor, so it wasn’t a hack,” he said.

But this is exactly the concern regarding online age verification. Someone has to collect that information and then whoever is collecting the sensitive info becomes an immediate target, no matter how the data is accessed.

Incredibly, you might recall that just a few months ago we were giving the Australian government kudos for recognizing that age verification was a privacy and security nightmare. So, they knew that just last summer.

And yet, here we are with the latest announcement:

Despite those concerns from late last year, the government is now pushing ahead with a pilot to try and test some of those ideas.

Look, maybe head down to the nearest club in NSW to see how it’s working out before moving forward “despite these concerns”?

Meanwhile, if you think this breach isn’t that serious, well, for the million or so folks who visited one of those bars and clubs, things don’t look great:

Creator of the data breach tracking website, Troy Hunt, said the creators of the website had not released all of the information they had collected.

“Inevitably they do have the entire thing.”

He said the Outabox technology used by clubs scans patrons’ faces and matches them with their licence details.

Mr Hunt said people whose data has appeared on the site may need to replace their drivers licences.

“There are physical addresses, there are date of birth, there are names. That’s not good,” he said.

That’s not good at all.

So maybe let’s not repeat the mistake online?

Exactly. As things stand today, companies collect FAR too much information on people. There is WAY too much personal information floating around whether willingly given by users or hacked or leaked by these companies. If anything, laws should be passed to either reduce the need to divulge so much personal information or raise the standard for how that information is stored and used.

Age verification laws look at this problem and conclude that we should be putting EVEN MORE personal information into the ether and praying that hackers won’t break into a website and steal that tantalizing juicy personal information on you and find ways of profiting off of it (be it blackmailing you directly or selling it off to other third parties). As lawmakers push forward with these age verification laws, though, they are pushing full speed ahead with repeating the same mistakes that have been made over and over again.

Drew Wilson on Mastodon, Twitter and Facebook.
