MyCRA Specialist Credit Repair Lawyers

Tag: privacy commissioner

  • Credit reporting and the year ahead

    Some significant changes will be appearing this year due to Australia’s credit reporting legislation overhaul in March. These changes could impact all Australians, and especially those involved in the credit industry… Find out the 5 significant changes we’ll be watching in 2014, and decide what action you need to take for your business or for your own finances.

    By Graham Doessel, Non-Legal Director MyCRA Lawyers

    Are you ready for the year ahead in credit reporting?

    Below is my guest post in The Adviser this week, ‘Credit reporting and the year ahead’.

    In this post, I discuss the 5 big changes we’ll be watching closely in 2014.

     

    Credit reporting and the year ahead (The Adviser)

    13 January 2014 | Graham Doessel

    2014 will bring some heavy changes to Australian credit reporting following the implementation of the Privacy Act 1988 (Cth) Amendments in March.

    What are the 5 big changes that we’ll be watching closely this year which could impact all involved in the credit industry?

    1. Repayment History Information (and specifically ‘late payment’ notations).

    The introduction of repayment history information (RHI) to Australian credit reports means there is going to be much more data available to lenders from which to make their serviceability calculations.

    One of the pieces of credit reporting data which could be a deal breaker for many prospective borrowers is any late payment notation. Separate from defaults, a consumer’s RHI will show any late payments made on licensed credit – e.g. loans and credit cards – and the date the payments were made.

    That information has been collected from December 2012 – but largely consumers are unaware of this important change. From March this year, it will show up on consumer credit reports across the country – and it will be interesting to see how many people have these new notations against their names.

    It remains to be seen how lenders will treat this information (as all serviceability calculations are so subjective), and precisely how the information will impact credit worthiness.

    We don’t know yet how many days late will be too late, and we won’t know this information until a new Credit Reporting Code of Conduct is registered. It has been proposed a repayment more than 5 days late will see you with one of these notations against your name.

    Another uncertainty is how many will be too many and mean the lender’s computer says ‘no’ or the lender’s computer says ‘yes’ but at a higher interest rate.

    2. New obligations on credit reporting bureaus

    With the registration of a new Credit Reporting Code of Conduct (CR Code) will come a new requirement on credit reporting bureaus such as Veda, Dun & Bradstreet, Tasmanian Collection Services and new entrant Experian, to audit the compliance of credit providers.

    The new CR Code requires CRBs to monitor credit providers, and to determine those that pose the greatest risk of non-compliance with their core obligations under the Privacy Act. The Code determines these “at risk” credit providers would be subject to audits.

    We will be interested to see precisely how this obligation is meted out to credit reporting bureaus, and whether an independent overseer will be appointed to ensure objectivity. We hope this change will improve the accountability of credit providers. We also hope it will solidify the two entities as being ‘separate.’ We have found in the past during credit disputes, a client-type relationship tends to exist between agency and credit provider, to the exclusion of consumers.

    Further to this, it was proposed in the draft Code of Conduct that CRBs should also publish on their website an annual report by 30 June each year outlining information relating to credit report correction. The information would relate to the number of correction requests received, the number of successful correction requests, and the number of complaints received.

    This information has previously never been supplied to the Australian public from our credit reporting agencies (because there has never been a requirement to). If implemented as part of the new CR Code, this information will give Australia a much more accurate picture of the depth of credit reporting issues as they exist.

    3. The ‘open’ credit score

    Currently, Australia’s largest credit reporting agency, Veda is offering consumers the opportunity to purchase their ‘Veda score’ so they can see the number that lenders have been able to see when requesting credit information from Veda.

    The Privacy changes will bring an obligation on those agencies providing a credit score to provide information on how it is calculated. Veda has made moves to do this already.

    In addition to Veda, U.S. giant ‘FICO’ has said it would also like to offer open credit scoring to the Australian public.

    FICO currently offers its data analytics services and credit scoring to lenders for internal use in Australia, and has been doing so for many years. It is reportedly used in 90% of consumer lending decisions in the U.S.

    So if it does provide an alternative to Veda’s “VedaScore” it will be interesting to see the differences in the scores, and which one is a more accurate reflection of lender serviceability calculations.

    4. “Improved” ability to correct consumer credit reports

    Creditors can and do make mistakes when placing listings on credit files, and the onus is on the consumer (or someone acting on their behalf) to identify and address those inconsistencies.

    But up till now, it has very much been a case of David and Goliath – with some consumers finding they are lumbered with listings that just shouldn’t be there due to not having the extensive skills and knowledge required to address their complaints in the appropriate way.

    The new laws around complaints correction have promised to streamline the correction and complaints process for credit reporting as well as force the credit provider to justify credit listings and actually substantiate the information it reports on credit files.

    These are significant changes which we look forward to putting into practice on behalf of the many clients we act on behalf of in credit dispute cases.

    5. New powers for the Privacy Commissioner

    New Privacy Laws provide that civil penalties can be issued by the Privacy Commissioner for a breach of certain provisions of the Privacy Act, including the Credit Reporting Code of Conduct. They can also be imposed for serious or repeated breaches. These can be up to $220,000 for an individual or $1.1 million for an organisation.

    Finally there is some real incentive for credit providers to take due care with adding listings to credit files. The Privacy Commissioner has said he will not be taking a soft approach when it comes to breaches of the Privacy Act, and we will be watching with interest to see if this also applies with the same gusto to credit reporting breaches covered under this legislation.

    All in all, this year could bring some really positive changes to Australia’s credit system, but with it will be some teething problems resulting in confusion for some consumers. If nothing else, there’s going to be some really interesting times in credit reporting, and in finance in the months ahead.

    ________________________________________________________________

    Graham Doessel is the Non-Legal Director of MyCRA Lawyers.

    MyCRA Lawyers advocates for individuals in matters of credit file dispute.

    An early pioneer in credit repair, over recent years Graham has become a frequent consumer spokesperson for issues impacting credit reporting, and is the Secretary and Spokesperson of the Credit Repair Industry Association of Australasia (CRIAA).

    Graham also founded and is the Non-Legal Director of Armstrong Doessel Stevenson Lawyers.

     

  • Privacy Law reform – protecting your personal information and your credit file: Privacy Awareness Week 2013

    Identity theft is an ever-growing threat to Australians and the commodity which is traded, sought after and misused for criminal or financial gain by fraudsters is your personal information. In amendments to the Privacy Act 1988 (Cth) which occurred late last year and which will be implemented in March 2014, there will be some improvements in Privacy Law to do with requirements on organisations to keep your personal information safe. As identity theft can also go so far as to impact on your credit file, there are also improvements suggested within the Draft Credit Reporting Code of Conduct, aimed at protecting you and your credit file against identity theft. We look at these changes and the impact they may have on you.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au


    Personal Information in the Australian Privacy Principles

    We look at the differences in the areas of requirements by organisations in regards to personal information collection and security of personal information, as provided by the OAIC, which are set out in new Australian Privacy Principles, set to replace the current National Privacy Principles.

    Security of Personal Information

    APP 11 requires an organisation to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure (as required by NPP 4.1).

    APP 11.1 imposes the same obligation as [current] NPP 4 in relation to the protection of the personal information that an organisation holds. However, APP 11.1 now also requires organisations to protect personal information from interference.

    APP 11.2 introduces new exceptions to the requirement that an organisation take reasonable steps to destroy or de-identify personal information, once it is no longer needed for any purpose for which it may be used or disclosed in accordance with the APPs: – if it is not contained in a Commonwealth record (APP 11.2(c))[6], and – if the organisation is not required by or under an Australian law, or a court/tribunal order, to retain the information (APP 11.2(d)).[7]

    Sensitive information

    Summary of [current] NPP 10: An organisation must not collect an individual’s sensitive information unless a listed exception applies (NPP 10.1). Sensitive information is defined in s 6.

    NPP 10.2 and 10.3 set out specific exceptions regarding the collection of health information.

    Relevant APPs

    APP 3 – collection of solicited personal information

    Key differences

    APP 3 clarifies that an organisation must only collect sensitive information about an individual if the individual consents to the collection and the information is reasonably necessary for the organisation’s functions or activities, or an exception applies (APP 3.3).

    The definition of sensitive information in s 6 has been extended to include: -biometric information that is to be used for the purpose of automated biometric verification or biometric identification or biometric templates.[14]

    Sensitive information may also be collected about an individual: – if required or authorised by or under an Australian law or a court/tribunal order (APP 3.4(a))[15] – when a permitted general situation or permitted health situation applies (APP 3.4(b)-(c), s 16A).

    Permitted general situations include the collection of sensitive information where: -the entity reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety, and it is unreasonable or impracticable to obtain the individual’s consent to the collection (APP 3.4(b), permitted general situation 1 (s 16A item 1)).

    This exception reflects the wording of NPP 10.1(c), but removes the requirement that the threat must be imminent. This exception also replaces the specific circumstances set out in NPP 10.1(c) in which an individual may be unable to consent, with the more general ‘unreasonable or impracticable’.

    -the entity has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities has been, is being or may be engaged in, and the entity reasonably believes that the collection is necessary for the entity to take appropriate action in relation to the matter (APP 3.4(b), permitted general situation 2 (s 16A item 2)).

    This is a new exception in relation to the collection of sensitive information.

    the entity reasonably believes that the collection is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing (APP 3.4(b), permitted general situation 3 (s 16A item 3)).

    This is a new provision in relation to the collection of sensitive information.

    The permitted health situations replicate the wording of NPP 10.2 and NPP 10.3, in relation to the collection of health information for the provision of a health service and for research.

    APP 3.4(e) relates to non-profit organisations and replaces NPP 10.1(d). APP 3.4(e) permits the collection of an individual’s sensitive information by non-profit organisations where the information:

    relates to the activities of the organisation, and relates solely to the members of the organisation, or to individuals who have regular contact with the organisation in connection with its activities.

    The definition of ‘non-profit organisation’ is now included in s 6.[16] It states that a ‘non-profit organisation’ means an organisation that is a non-profit organisation, and engages in activities for cultural, recreational, political, religious, philosophical, professional, trade or trade union purposes. This definition replaces the terms ‘racial’ and ‘ethnic’ in the NPP 10.5 definition with the term ‘cultural’. In addition, it also includes in the definition organisations with a ‘recreational’ purpose.

    Identity theft and credit file protection

    The proposed new Credit Reporting Code of Conduct – currently in draft stage, has some significant new protections for victims of fraud.

    The draft code sets out the opportunity for individuals who believe they may be likely to be or have been a victim of fraud, to request a ban be placed on the use or disclosure of their credit reporting information without the individual’s consent. This is intended to combat identity theft which involves the stealing of credit through impersonating the victim and taking credit out in their name.

    Where a Credit Reporting Bureau (CRB) receives a request from a Credit Provider (CP) for credit reporting information about an individual in relation to whose credit reporting information a ban period is in effect, the CRB must inform the CP of the ban period and its effect.

    The Code also intends to give a CRB powers in these cases to seek information relevant to the individual’s fraud allegations from a CP who may have also been affected by the alleged fraud in order to both determine whether the individual has been a victim of fraud, and to decide the length of the ban period.

    Enhanced powers for the Privacy Commissioner

    Whilst we are yet to have mandatory data breach notification laws, which would require individuals to be notified by an entity which holds their information of a data breach (currently it is just encouraged that this occurs), there are some areas where the Privacy Commissioner’s powers will be strengthened.

    The Privacy Commissioner will have enhanced powers, in the areas of:

    • Ability to accept enforceable undertakings

    • Ability to seek civil penalties in the case of serious or repeated breaches of privacy

    • Ability to conduct assessments of privacy performance for both Australian government agencies and businesses.

    On 28 December 2012, section 4AA of the Crimes Act 1914 was amended to increase the amount of a penalty unit from $110 to $170.

    This means that, under the reforms to the Privacy Act due to commence on 12 March 2014, the maximum penalty amount for a serious or repeated interference with the privacy of an individual will be $340,000 for individuals and $1.7 million for entities.

    Identity theft test.

    As part of Privacy Awareness Week, you can take an online identity theft test, via the OAIC website to see how vulnerable you may be to identity theft. It examines 11 ways you could become a victim of identity theft and offers advice on ways to reduce your risk.

    Image: Salvatore Vuono/ www.FreeDigitalPhotos.net

  • Privacy Awareness Week 2013 Privacy Law Reform

    29 April to 4 May 2013 is Privacy Awareness Week 2013 across Australia. MyCRA Credit Rating Repair are once again proud partners of PAW, and 2013’s theme “Privacy Law Reform” is especially relevant to us as credit repairers and consumer advocates for accurate credit reporting. We are taking this week to discuss the huge changes coming our way since Australia’s Privacy Act (1988) was amended in late November 2012. We look at how individuals and businesses will be impacted by new Privacy Laws, particularly in our area of focus – credit reporting and credit law, looking towards the implementation of those laws on March 12, 2014.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.


    What is Privacy Awareness Week?

    Privacy Awareness Week (PAW) is an initiative of the Asia Pacific Privacy Authorities forum (APPA) held every year to promote awareness of privacy issues and the importance of the protection of personal information. Activities are held across the Asia Pacific region by APPA members.

    Why is MyCRA involved?

    Credit reporting is governed by the Privacy Act (1988) – so privacy issues are regulated and protected by this legislation. Credit repairers must be fluent in Privacy legislation in order to help consumers with their credit disputes.

    2013’s theme – Privacy Law Reform is a pertinent one for consumers.  MyCRA believes that every consumer should be educated on the changes coming in for them, and they affect every credit-active individual. We want to raise awareness of how an individual’s ability to obtain credit may be impacted (for better or worse) by these laws. We also want to demonstrate the changes that are coming in the way credit reporting information is handled, and how that will also impact the individual.

    What will change?

    The new laws will bring about changes in three main areas. (Courtesy of OAIC).

    The introduction of a unified set of Australian Privacy Principles (APPs). These principles will be introduced to replace the current National Privacy Principles for those private sector organisations covered by the Privacy Act and the Information Privacy Principles for Australian government agencies. There are a number of important changes with the introduction of the APPs, including in the areas of direct marketing, overseas disclosure of personal information and the handling of unsolicited information.

    The introduction of comprehensive credit reporting. These changes are designed to provide consumer credit providers with sufficient information to adequately assess credit risk while ensuring the protection of personal information, and to support responsible lending. The system will be underpinned by a new industry-agreed Credit Reporting Code of Conduct approved by the Commissioner.

    Enhanced powers for the Commissioner. These powers include enhanced powers to resolve investigations and promote privacy compliance with access to new remedy powers including enforceable undertakings and civil penalties. Also, for the first time, the Commissioner will be able to conduct Performance Assessments of private sector organisations to determine whether they are handling personal information in accordance with the new APPs, credit reporting provisions and other rules and codes. The Commissioner will be able to conduct these assessments at any time — an added incentive for organisations to ensure they are handling personal information in accordance with the Privacy Act.

    Credit reporting and Privacy

    Some of the areas of credit reporting which will undergo significant change will be:

    • New data on Australian credit reports – including repayment history information
    • Quality, security, accuracy and integrity of credit reporting information as set out in APPs.
    • Improved ability to dispute credit listings
    • Ability to secure a credit file against identity crime
    • Penalties for breach of Privacy Act
    • A new Credit Reporting Code of Conduct – currently at Draft stage.

     

    Stay tuned every day this week to find out more about how Australia’s credit reporting law changes may affect you, your credit file and your ability to obtain credit.

    Image: Salvatore Vuono/ www.FreeDigitalPhotos.net

  • Buying a home? 5 things you need to know about Australia’s new credit reporting laws before you apply for finance.

    Media Release

    Buying a home? 5 things you need to know about Australia’s new credit reporting laws before you apply for finance.

    Some major changes have occurred to Australia’s Privacy Laws, and home buyers need to know about them before they apply for finance. A consumer advocate for accurate credit reporting warns potential home buyers they need to get up to speed with some of the main changes to credit reporting which could see more people refused a home loan in the coming months and years ahead.

    CEO of MyCRA Credit Rating Repair, Graham Doessel says some simple mistakes made with repayments now, could see people blacklisted from credit even before the Privacy Amendments (Enhancing Privacy Protection) Bill 2012’s March 2014 deadline for implementation.

    “Potential home buyers need to know that from this point on, they need to make every credit repayment on time to avoid having late payment information show up on their credit history and potentially ruin their chances of getting the home they want,” Mr Doessel says.

    Mr Doessel explains more about this change, and other factors in Australian credit reporting which impact your credit rating:

    1. Repayment History Information

    From December 2012, whether or not a credit account was paid on time will be part of your credit history and will be used when a lender is assessing your suitability for a home loan.

    The notation will remain as part of your credit history for 2 years.

    The Government intends for these reforms to decrease levels of over-indebtedness in the market.[i]

    But Mr Doessel is worried it could push more borrowers into higher interest rate loans due to being refused credit with mainstream lenders.

    “Many people pay bills late, for a variety of reasons – this doesn’t necessarily mean they intend for the account to go into default. But these late payers could find they end up refused credit, or charged thousands more in interest due to these notations,” he explains.

    2. Types of credit

    The new laws will now allow information on the type of credit accounts you have, and when they were opened and closed to be shown on your credit history. This will give lenders more ability to determine the relevance of each listed credit account for your specific situation.

    3. Credit limit of each account.

    The credit limit on each credit account will be used to assess the potential volume of credit the potential borrower could have access to.

    But there will be no way of telling what level of debt you actually have, only what you could potentially redraw to.

    “It may be worth reducing unnecessary credit limits on your accounts before you make your application,” Mr Doessel says.

    4. Beware excess credit enquiries.

    Whenever a person other than you makes an enquiry on your credit history – that enquiry is recorded on your credit file.

    Mr Doessel says some lenders will decline a finance application due to too many credit enquiries, such as two enquiries within thirty days or six within the year.

    “By all means ask questions, and do your research on the best home loan for you, but when it comes to giving over your details, and making applications, leave that until you have decided which lender suits you best, to avoid being disadvantaged,” he says.

    5. It will still be up to you to ensure your credit file is accurate.

    With all of the new information available to lenders about your credit history, it is more important than ever for that information to be accurate.

    You can apply for your credit report for free every year by making a request to Australia’s credit reporting agencies – Veda Advantage, Dun & Bradstreet and Tasmanian Collection Services (if in Tasmania).

    “It is up to you to ensure your credit file reads accurately,” Mr Doessel says, “and the saving grace for this legislation is the improvements set to be implemented in 2014 around access and correction of your credit file.”

    From March 2014, Creditors will be forced to justify disputed credit listings. Notably, your Creditor will have to substantiate the information they report on your credit file if you dispute it.

    “This change is crucial, considering the power the Creditor has to impact your ability to obtain credit for years to come. Up till now, there has been little obligation within the legislation for the Creditor to justify credit listings, nor remove incorrect data,” Mr Doessel says.

    If the dispute escalates, you can complain directly to the Creditor’s Ombudsman, and in some instances may have a right to remedy under the direction of the Privacy Commissioner.

    “Finally there is some real incentive for Creditors to take due care with adding listings to credit files and we as credit repairers ultimately have a better avenue to help our clients remedy their credit rating errors,” Mr Doessel says.

    /ENDS.

    Graham Doessel – PH 3124 7133

    Lisa Brewster – Media Relations media@mycra.com.au

    Ph 07 3124 7133 www.mycra.com.au www.mycra.com.au/blog

    246 Stafford Rd, STAFFORD Qld. 4053
    MyCRA Credit Rating Repair is Australia’s leader in credit rating repairs. We permanently remove defaults from credit files.

    ——————————————————————————–

    [i] http://www.attorneygeneral.gov.au/Media-releases/Pages/2012/Fourth%20Quarter/29November-2012-FamiliestobenefitasprivacyreformspasstheParliament.aspx

    Image: vichie81/ www.FreeDigitalPhotos.net

  • ID scanners in nightclubs are boosting the risk of ID theft says Privacy Commissioner

    Their purpose is to crack down on crimes of violence in pubs and clubs. But according to the Privacy Commissioner, an increasing number of complaints have been made to his office about the use of ID scanners in licensed venues. We look at what the issues are with ID scanners and whether your personal information is safe to hand over.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    It’s Friday night, you’re heading out to meet a group of friends in a nightclub. You head to the door, and are asked to hand over your ID to be scanned in to the venue’s ID scanner. Do you do it? Do you ask what’s happening with that information? Or do you merely let them whisk it through – knowing you’re not one of the troublemakers they’re looking for, and happily meet your friends in the club?

    Most young people would just hand over their ID, and this technology is being used in plenty of venues around Australia – with the intention of finding those holding fake ID cards, or those patrons who have been ‘banned’ or ‘flagged’ as unwanted.

    But many are calling for action over the use of identity scanners, because of the increase in risk of identity crime.

    Privacy Commissioner Timothy Pilgrim says there are a number of issues and risks associated with using ID scanning for this purpose.

    “If organisations are going to require to collect that information for reasons like that, it needs to be very clear at the point of entry that people will be asked for that information,” he told ABC’s World Today yesterday.

    “And people need to be told what will happen to that information once they hand it over. How is it going to be kept? Is it going to be kept securely? Is it going to be kept for a limited period of time, and who else may get access to it?

    “People have the right to know these things.”

    Mr Pilgrim says the use of ID scanners at pubs and clubs is increasing the risk of identity crime.

    “The more and more we’re being asked for information, the more and more it’s being stored in databases,” he said.

    “It leads to almost a honey pot sort of situation, where people who have malicious intent-criminal groups, for example, can see value in breaking into those systems.”

    The Privacy Commissioner has been given new powers of penalty for businesses which breach privacy regulations, in the Privacy Amendments (Enhancing Privacy Protection) Bill 2012, which is currently before the Senate. This will include allowing him to penalise businesses which breach privacy regulations.

    “I would hope that organisations take the responsible step of putting in place proper protections for people’s personal information,” he said.

    “However, if there are serious and repeated breaches of the Act, I won’t hesitate to use the powers that I will have.”

    However, Victoria’s acting privacy commissioner, Dr Anthony Bendall, estimated more than 90 per cent of Australian businesses were not covered by the regulations in the Privacy Act because they had an annual turnover of less than $3 million.

    He says Privacy principles were unclear on businesses’ obligations if the information is compromised.

    ”If you do hold personal information and [it is] breached in some way you’re not required to notify people that’s happened, and if it’s something like your licence there’s a good reason you should be telling them and to be taking steps to helping patrons protect themselves,” he told The Age on Sunday.

    Here’s more from The Age story, ‘ID scans raise privacy fears’:

    ID scanner company Scannet gives venues the rights to their own databases, and allows them to share the photos – but not the licence details – of banned patrons with other venues.

    Scannet director Joel Sheehan said it had 45 systems operating in Australia since it began selling them last year.

    Mr Sheehan said machines were password protected, with patrons generally more willing to scan their licences at clubs and pubs now.

    ”Now people that aren’t troublemakers that want to go out and enjoy themselves are all for it,” he said. ”At the end of the day the system’s voluntary, they don’t have to have their ID scanned as a condition of entry but at the same time if somebody’s not going out to cause trouble they shouldn’t have any problems having their ID scanned.”

    He said ID scanners had had a deterrent effect in clubs and pubs, as venue owners could pass on records to police of violent customers. He credited the machines with improving the safety of nightlife in Newcastle, where the company launched…

    While the Scannet website says the machines can help venues ”forecasting future business”, Mr Sheehan said that it was up to venues to comply with the Privacy Act and avoid abusing customers’ details.

    Australian Privacy Foundation board member Dr Katina Michael, said ID scanners were not effective in detecting fake IDs or deterring violent behaviour but put the majority of people at risk of identity fraud.

    ”When you’re talking about private entry to pubs and clubs … they may turn personal information into ones and zeroes at the back end and these stored identities in the future can be stolen … How do you reclaim your identity?”

    Some important points have been made here.

    1. When we are told identity crime is on the rise and is fast being used as part of the ‘repertoire’ of criminals around the world – why should people be parting with personal information unnecessarily? Especially when that information is a direct copy of an identifying document?

    2. It’s not a matter of crime groups not having the capabilities to hack into these databases…but more that it is not worth it…yet.

    3. If a data breach did occur, would those small businesses using the scanner even be required to be subjected to the big stick of the Privacy Commissioner?

    So what could happen if someone misused your identity? Your name could be attached to criminal activities; fraudsters could request tax or Centrelink payments on your behalf, as well as taking out credit in your name.

    If you have credit taken out in your name, you will often unknowingly incur debts with Creditors issuing defaults against your name on your credit file. People could be chasing you for credit you didn’t initiate, and if you apply for credit in your own right – you will be refused. This will continue for 5 years while you have bad credit.  You will be locked out of mainstream loans, credit cards and even mobile phone plans. So it’s important to protect your good name and prevent bad credit through fraud.

    My advice? Think twice before you scan your ID in next time you’re clubbing. If it was me, I would say no, or go somewhere else 🙂 Because you do have something to hide, and that’s your personal information.

    For help recovering your good credit history following identity theft, contact MyCRA Credit Rating Repairs on 1300 667 218 or visit our main website www.mycra.com.au.[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]

  • Telstra’s security slip-up was a breach of the Privacy Act

    Back in December 2011 a customer discovered the identity details of 734,000 Telstra Australia customers had been exposed to possible identity theft and misuse by being easily accessible through a Google search. The Privacy Commissioner, Timothy Pilgrim, immediately stepped in to investigate. After a 6-month-long investigation, Mr Pilgrim and the Australian Communications and Media Authority (ACMA) have found Telstra has breached both the Privacy Act and the Telecommunications Consumer Protections Code. We look at how this occurred, and what the implications could be for Telstra, and for you and your credit file.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    In the New Year, we reported on this massive privacy issue, which affected more than 700,000 customers, including myself, in our post ‘Telstra’s at it again. And this time it may affect YOU.’ Here is an excerpt from the December 12 media release:

    The Sydney Morning Herald reported on Friday a user of the Whirlpool forum stumbled upon the “Telstra bundles request search” page after doing a Google search for a Telstra customer support phone number they were told to contact.

    SMH reported the information of any Telstra customer was searchable even by last name, bringing up the customer’s account number, what broadband plan they were on, what other Telstra services they were signed up to and notes associated with the customers’ accounts including in many cases their usernames and passwords.

    There were also other details about technician visits, SMS messages sent to private mobile numbers and credit check details.
    Telstra has reportedly reset approximately 60,000 customer passwords as a precaution (http://www.theaustralian.com.au/australian-it/telstra-customers-face-password-reset-after-privacy-breach/story-e6frgakx-1226219541766).

    Telstra bundle customer, Graham Doessel is one of those potentially at risk.

    He also happens to be the CEO of a company dealing in credit repair for people who have been unlawfully blacklisted from borrowing facilities. He says as much as 50% of his clientele who present with credit file errors and inconsistencies are Telco customers, and many of those are Telstra customers.

    “This data breach is a crucial example of how errors occur so easily in the Telco industry. Unfortunately they have the potential to severely damage someone’s financial future.”

    “Every day we deal with customers who can’t get a home loan, because their credit rating is damaged by improper execution of policies and procedures in the Telco industry,” Mr Doessel, of MyCRA Credit Repairs says.

    Mr Doessel is concerned he is amongst those Telstra customers whose personally identifiable information may have been viewed, and copied for purposes of fraud during the time the information was readily available on the internet.

    “The issue is about both our possible stolen passwords, and our possible stolen personal details – a huge commodity for fraudsters. What’s to say fraudsters haven’t jumped on the internet while this information has been available and copied it?”

    “Personal details are the building blocks for constructing a fake identity. Once someone has fake ID documents, they can take out significant amounts of credit in the victim’s name. Often people don’t find out about it straight away and that can result in defaults from creditors and massive long term credit issues,” he says.

    Outcome of the investigation

    Mr Pilgrim found in his investigation that a number of internal errors occurred in the lead up to the incident in December 2011.

    “I found the privacy breach occurred because of a series of errors revealing significant weaknesses in Telstra’s reporting, monitoring and accountability systems”, Mr Pilgrim said in a statement to the media.

    “Of particular concern is that a number of Telstra staff knew about the security issues with the database but did not raise them with management. This incident could have been easily avoided if appropriate planning was undertaken”.

    “The failure by Telstra to correctly categorise the database project in its design phase as one involving customer data meant that the database did not receive the appropriate level of protection from the very beginning”.

    The Commissioner found Telstra to be in breach of two National Privacy Principles under the Privacy Act 1988:
    • National Privacy Principle 2.1 (Use and disclosure)
    • National Privacy Principle 4.1 (Data security)

    Mr Pilgrim warned businesses of the importance of conducting a Privacy Impact Assessment (or PIA) when commencing new projects.

    “Build your privacy in at the beginning, don’t bolt it on as an afterthought. All businesses should conduct a PIA to make sure that potential privacy risks are considered at the start of any project and that risk mitigation strategies are put in place”.

    Implications for Telstra

    Telstra has committed to a remediation project to introduce significant measures to protect the security of the personal information it holds and prevent unauthorised access and disclosure in the future. The Commissioner closed the investigation after reviewing the remediation plans Telstra has in place.

    In ceasing his investigation into the matter, the Commissioner asked Telstra to provide him with a report on the progress of the remediation project by October 2012. He also asked Telstra to provide him with a report on the completion of the remediation project by April 2013.

    No penalties enforced

    Mr Pilgrim said the Privacy Act does not give him the power to impose any penalties or seek enforceable undertakings from organisations he has investigated on his own initiative. However, he did say the privacy law reforms that are currently before Parliament – the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 – will provide him with additional powers and remedies when conducting such investigations in the future.

    The Sydney Morning Herald reported in its article ‘Telstra’s 734,000 account privacy blunder breached multiple laws: regulators’ that Telstra appears to have escaped financial or other penalties for now, which has angered consumer groups.

    “We strongly believe the ACMA needs stronger enforcement powers for the Code to be effective,” said Elise Davidson of the Australian Communications Consumer Action Network.

    “The ACMA is currently considering a new draft of the TCP Code but – regardless of what’s in it – without effective enforcement, telecommunication providers can continue to seriously breach their obligations without fear of any fines or sanctions from the regulator.”

    And Yet Still More Data Exposed

    Even before the delivery of the Privacy Commissioner’s finding on the account scandal, Telstra has also been embroiled in another data scandal involving the tracking of its customers’ internet data usage. The ABC reports in its article ‘Telstra accused of tracking Next G internet use’:

    Telstra has been accused of tracking the internet use of its Next G mobile phone users and sending their internet history to a company in the United States.

    One of the telco’s customers discovered that when he visited a website using his Next G network in Australia, a server in the United States would visit the same address almost instantly.

    Telstra says it is collecting the information for use in a new internet filter product, but internet users are outraged and are demanding the Australian Privacy Commissioner investigate.

    For an update on how this particular breach occurred, and what has been discovered so far, check out the IT News article ‘Telstra: Oh what a tangled web we weave’, written yesterday.

     

    Perhaps not Telstra’s finest hour on Privacy Issues, nor Australia’s finest hour on Privacy Law.

    How To Protect Your Credit File After a Data Breach

    Whilst there have been no official reports of any identity theft cases from this particular security breach, we look at what you should do if you find yourself in this situation in the future, with any company that holds your personal information.

    1. Change passwords. Even if Telstra hasn’t advised you otherwise, go in and change your password. If you have that same password for unrelated accounts, change that as well.
    2. Check your credit file. Obtain a free copy of your credit file and check there is nothing suspicious already present on your credit file.
    If you see suspicious activity on your credit file or your credit accounts…
    3. Alert your Creditors you may be at risk of identity theft. This will allow them to ‘flag’ your accounts and halt any suspicious activity.
    4. Alert credit reporting agencies. They can put an alert on your credit file which informs you of any changes to contact details, or suspicious credit enquiries you may not have initiated.
    5. Consider making a complaint to the Privacy Commissioner. If you firmly believe you have been a victim of identity theft through a company data breach or breach of personal information, you should visit the Privacy Commissioner’s website to determine if you have a valid complaint to make, and how to go about making it. http://www.privacy.gov.au/complaints.
    6. If your credit file has been damaged, get help to repair it. If you have been exposed to identity theft, and you have credit listings which should not be there, contact a professional credit repairer, who can talk to you about clearing your bad credit and recovering your good name.

    Image: Stuart Miles / www.FreeDigitalPhotos.net

     

     

  • A wait and see approach to logistics of new credit laws

    Most people are very positive about changes to Australia’s Privacy Laws which are coming through Parliament, effectively bringing Australia out of the 1980s and closer to other countries in our treatment of Privacy and personal information. But others are a little unsure whether they go far enough in many areas. We look at one opinion of how the new credit laws apply to credit reporting.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    An interesting post came through from ‘The Conversation’ yesterday, written by Bruce Arnold, Lecturer of Law at University of Canberra. The post, ‘Two cheers for privacy law reform? Let’s wait and see’, looks at the potential benefits of these new Privacy Laws, and where perhaps the laws may be lacking:

    “For many people the bleeding edge of privacy law has been their credit records. The Bill rationalises the current credit reporting regime, which has featured strong disagreement between competing industry bodies and examples of bad practice by particular enterprises. That rationalisation is to be strongly welcomed by consumers and business as providing greater transparency and certainty. Its success however will be dependent on action by the national Privacy Commissioner, an entity within the national Office of the Information Commissioner. Under the proposed law, credit providers will have access to additional personal information with the expectation that more data will facilitate “a more robust assessment” of credit risk and “responsible lending” that may also “result in reductions to the cost of credit for individuals”. As with much finance, we will trust that lenders will pass on their savings to consumers.

    The Bill aims to give the Commissioner greater powers, for example scope for “own motion” investigations rather than in response to complaints by individuals who claim that their privacy has been disrespected. It is unclear whether the Commissioner will make effective use of those powers, given difficulties with resourcing and perceptions – fair or otherwise – that the office lacks both the will and expertise to take on particular interests. Historically it has endorsed industry practice that although commonplace, is below overseas benchmarks and is less than desired by many Australians.

    The Commissioner will be able to recognise external dispute resolution mechanisms, something that is consistent with the trend to outsourcing and administration and presumably welcomed by business.

    The Bill does not provide for a tort of serious invasion of privacy – that is, scope for an individual to seek compensation over an invasion of their privacy by an individual or an organisation. That tort has been recommended by the ALRC and by the law reform commissions of New South Wales and Victoria. It is thus hardly a radical or alarming notion, although it has been strongly opposed by the major media groups and some legal practitioners. The Government’s willingness to proceed with suggestions for establishment of the tort as we head towards an election is unclear.

    Enactment of the Australian Privacy Principles is a step forward, deserving of two cheers even if we ask why has it taken so long and wonder how the APP will be interpreted by the Privacy Commissioner. Rationalisation of credit reporting law, in conjunction with the National Consumer Credit Protection Act 2009 (NCCPA) is also meritorious, although in one of the most messy areas of privacy practice we will need to see how business implements the revised arrangements and whether there is meaningful enforcement by the Privacy Commissioner,” Mr Arnold says.

    It will be interesting to see how the actual application of dispute resolution pans out in the credit reporting landscape including how the changes will alter the Credit Reporting Code of Conduct. We will certainly adopt the ‘wait and see’ approach as to whether the changes will indeed make it ‘easier’ to dispute credit listings and fix unnecessary bad credit as claimed by Attorney-General Nicola Roxon.

    Image: Stuart Miles/ Free Digital Photos.net

     

  • Privacy Protection set to be heightened under Australian Law

    Big changes are coming for Australian privacy rights and laws governing the use of personal information. The Australian Government has announced it will make the first set of changes to the Privacy Act 1988 in the Winter sitting of Parliament. The announcement came yesterday from Attorney-General Nicola Roxon, who intentionally announced the changes to coincide with Australia’s Privacy Awareness Week.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    The Attorney-General said in her statement that Australia’s privacy laws will be reformed to better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner.

    The Attorney explained that key changes to benefit consumers are:

    • clearer and tighter regulation of the use of personal information for direct marketing
    • extending privacy protections to unsolicited information
    • making it easier for consumers to access and correct information held about them
    • tightening the rules on sending personal information outside Australia
    • enhancing the powers of the Privacy Commissioner to improve the Commissioner’s ability to resolve complaints, conduct investigations and promote privacy compliance

    These changes are part of a long consultation process coming out of recommendations made within the Australian Law Reform Commission’s report For your information: Australian Privacy Law and Practice.

    The changes will include new powers for the Privacy Commissioner to enforce privacy laws. Commissioner Timothy Pilgrim said in a statement to the media these changes were a significant step forward and will allow him to better resolve privacy investigations more effectively.

    “The strengthening of these powers also sends a strong message to government agencies and businesses covered by the Act that there can be significant consequences when personal information is not given an appropriate level of protection.”

    “These changes give me more options when undertaking an investigation on my initiative. At the moment I can only make a determination when I am investigating a complaint made by an individual,” Mr Pilgrim said.

    The powers of the Privacy Commissioner to investigate Privacy complaints have previously come under criticism, particularly following the well-publicised global Sony Data Breach in April 2011 which seemed to showcase the gaping hole in Australian Privacy Law at the time. The data breach left the personal information of approximately 77 million Sony customers worldwide exposed to hackers and threatened the victims with possible identity theft and credit file misuse.

    Criticism was sparked by the Commissioner’s lack of powers to make determinations following any investigation, and also Australia’s absence of mandatory data breach notification law. It was well publicised that Sony took over a week to notify its customers of the data breach, in the process potentially exposing customers to identity theft and credit file fraud.

    A recent survey conducted by the University of Canberra and eBay Australia found that Australian internet users were highly concerned about identity theft and wanted government to order businesses to notify users of online data breaches.

    The survey, reported in CIO Magazine’s ‘Call for mandatory data breach notification grows: Survey’, found 85 per cent of 700 Australian participants want data breach notifications to become mandatory. Here is an excerpt from that story:

    In addition, 86 per cent of respondents cited identity theft as their greatest privacy concern, while 83 per cent mentioned financial data loss as their biggest concern.

    The survey also found that the financial sector was the most trusted when it came to privacy (42 per cent).

    Social media was the least trusted industry on privacy with only 1 per cent of respondents saying they trusted websites such as Facebook. Sixty-one per cent of Australians surveyed nominated the social media industry as having the worst privacy practices.

    Privacy Commissioner, Timothy Pilgrim, said that the high level of support for mandatory data breach notifications is not surprising given significant data breaches over the past year such as the Sony PlayStation Network compromise.

    “Incidents are on the rise as weaknesses become apparent in business systems at the same time as hackers become more sophisticated,” he said in a statement.

    “I encourage businesses to look at our guide which not only outlines how to respond to a breach, but also how to avoid a breach in the first place by focusing on the security of their systems,” Pilgrim said.

    Other privacy law reform changes will include the introduction of a set of Australian Privacy Principles, and importantly, changes to credit reporting law.

    Some changes Attorney-General Nicola Roxon chose to highlight in her statement yesterday include:

    • making a clear obligation on organisations to substantiate, or show their evidence to justify, disputed credit listings
    • making it easier for individuals to access and correct their credit reporting information
    • prohibiting the collection of credit reporting information about children
    • simplifying the complaints process by removing the requirement to complain to the organisation first – complaints can be made directly to the Privacy Commissioner – and by introducing alternative dispute resolution to more efficiently deal with complaints.

    We will be watching with intense interest how the whole barrage of changes around credit reporting could impact consumers and their credit files. The above four recommendations would be a great improvement, as currently consumers can experience difficulty when disputing entries on their credit reports.

    MyCRA is proud to be a Partner for Privacy Awareness Week 2012.

  • Privacy Commissioner reports data breaches on the rise

    As part of Privacy Awareness Week 2012, over 180 business leaders met in Sydney this week to discuss the topic of data breaches. Data breaches can occur through lost or stolen laptops, portable storage devices and paper records, or through databases being ‘hacked’ into or organisations mistakenly providing information to the wrong person. The effects of data breaches can be theft of identity and potentially credit fraud leading to bad credit history for the victim. The Privacy Commissioner claims there is in effect one data breach a week in Australia – an increase of 27 per cent from last year.

    This is an excerpt from Privacy Commissioner Timothy Pilgrim’s statement to the media on Monday on data breaches in Australia:

    “The Office of the Australian Information Commissioner (OAIC) was notified of 56 data breaches in the last financial year, equivalent to a data breach a week. This is up from 44 in the previous year, an increase of 27 per cent,” Mr Pilgrim said.

    However, the Privacy Commissioner also noted that he opened a further 59 investigations into other breaches where he wasn’t notified of the incident.

    “Serious harm can befall people when the security of their personal information is compromised”, Mr Pilgrim said. “It is our view that whenever there is a real risk of serious harm, affected individuals should be notified.”

    …Data breach notification is not a mandatory obligation applying generally to government and business in Australia. However, there is increased pressure on the Government to introduce laws to make it a general legal requirement as it is elsewhere — data breach notification is already a mandatory requirement in Europe, the UK and the United States….

    The Privacy Commissioner warned that in some circumstances, it may be a breach of the Privacy Act not to notify as organisations covered by the Privacy Act must take reasonable steps to protect the information they hold.

    For businesses who would like a reference for guidelines on handling personal information security breaches, the OAIC has released this document:

    Data breach notification: A guide to handling personal information security breaches. It outlines four steps to consider when responding to a breach or suspected breach and also outlines preventative measures that should be taken as part of a comprehensive information security plan.

    Personal information has become a valuable commodity used to commit identity fraud and potentially ruin the victim’s financial future.

    We can’t take lightly the possibility that any company that keeps data on its customers could be exposed to data breaches. Identity theft is becoming more prevalent, and personal information is lucrative for fraudsters.

    Personal information in the wrong hands can lead not only to identity fraud, but the misuse of the victim’s credit file, which can have significant long term consequences.

    Data breaches are difficult for individuals to have any control over, and the only way people can ensure their details are safe is to demand that the companies they deal with have strong IT systems before disclosing that information.

    The Australian Crime Commission’s Identity Crime report advises consumers on ways they can protect their personal information. It advises all individuals to obtain a copy of their credit report annually in order to keep abreast of any changes to their credit file which may point to identity theft.

    This could detect suspicious entries such as new credit enquiries or changes in contact details which would point to an identity theft attempt, allowing steps to be taken before the fraud affects the person’s good credit rating.

    If a person may be vulnerable to identity theft through a data breach, they should check their credit file immediately, and also contact Police who will advise them on the best course of action to take to restore their accounts and potentially their good name. This could include applying for a Victims of Commonwealth Identity Crime Certificate – which covers particular Commonwealth Identity Crime and can aid in recovery.

    If people need help to prepare a case to creditors for default removal following identity theft, it may help to contact a reputable credit repair company.

    Image above: David Castillo Dominici/ FreeDigitalPhotos.net

    MyCRA Credit Rating Repairs is proud to be a partner for Privacy Awareness Week 2012.

  • MyCRA Partners Privacy Awareness Week 2012

    MyCRA Credit Rating Repairs is proud to be a Privacy Awareness Week (PAW) Partner for 2012, which runs 29 April to 5 May. The team at MyCRA hope we can help educate more people on Privacy Issues this week and in doing so reduce the number of identity theft cases in Australia. Privacy of your personal information is crucial to prevent identity theft and subsequent credit fraud. This week, through information provided by the Office of the Australian Information Commissioner (OAIC) and also through our own information, we want to help clarify how Privacy (or lack of it) can affect your credit file and promote safety of your valuable personal information.

    This post features a newsletter titled “Privacy It’s All About You” provided by the OAIC which will clarify the origins of PAW and the importance of Privacy in your business, your life and for maintaining your good credit history. Please find full newsletter below:

    Privacy: it’s all about you

    Privacy Awareness Week (29 April – 5 May) is an annual event during which the Asia Pacific Privacy Authorities join forces to remind everyone to take steps to protect their own privacy and safeguard personal information about others that they might hold.

    “Privacy is recognised in many countries, including Australia, as a human right,” says Privacy Commissioner Timothy Pilgrim. “Serious consequences can arise when someone’s privacy is breached and we all have responsibilities to look after the personal information we handle.”

    Organisations and government agencies covered by the Privacy Act must meet responsibilities when collecting, using and disclosing personal information. This includes giving sufficient notice about why personal information is being collected and how it will be used and disclosed.

    Businesses covered by the Privacy Act are subject to ten National Privacy Principles or NPPs while most Australian, ACT and Norfolk Island government agencies must comply with eleven Information Privacy Principles or IPPs.

    Quick privacy tips for business and government agencies:

    • Don’t collect personal information that is unnecessary for your business
    • If you do need to collect people’s personal information, tell them why you are doing this, what the information will be used for and how long it will be kept
    • Make it clear who will have access to that personal information, including any third parties
    • Take steps to destroy or de-identify personal information that is no longer required, subject to other record keeping requirements.

    What about you?

    When it comes to protecting your own information, Mr Pilgrim is urging all Australians to be increasingly more vigilant about protecting their information.

    “You really need to pay attention to what information you are sharing and how it may be used, particularly online and when using smartphones, where personal information is routinely collected and stored by any number of entities.”

    Mr Pilgrim says people tend not to think about what information they are giving away or what will happen to it, especially as they make quick transactions online.

    Know what’s going on

    When your online search history is aggregated with other information you may have shared online, a detailed picture emerges that could compromise your privacy.

    Most search engines today track and store details about your browsing habits to help guide you to the information you are seeking. But Mr Pilgrim says that many of us remain unaware of how this happens or where our information may end up.

    “Find out how your information is being used by checking the privacy policy of the search engines you use.  If you want more control, look for options that allow you to prevent aggregation and keep information you post across various accounts separate.”

    Different search engines operate in different ways.  So if you are unhappy with the way your information is being used by one provider, consider using another.

    “I’d encourage people to always use the provider that offers them most control about how their personal information is used,” Mr Pilgrim added.

    Similar issues apply to apps: when you download them, you usually agree to your personal information being collected in some way.

    “Next time you decide to download an app, take a moment to look at the terms and conditions that set out what you are signing up for, what type of information the app developer is collecting and how it will be used.”

    While these kinds of details can be buried in the fine print, Mr Pilgrim says it’s worth making the effort to know and understand what you are agreeing to so your information is not used in unexpected ways.

    “Just as in the real world, if you want to safeguard your privacy, you need to pay attention to what information you are handing over and ask companies what they are doing with it.”

    Find out more at www.privacyawarenessweek.org/oaic

    Stay tuned for more information on Privacy, your personal information and your credit file.

    If you think you may be a victim of identity theft, firstly contact Police who will assist you.

    If identity theft has affected your credit file (credit fraud) and you need help with removing negative listings such as defaults and clearouts which should not be there, it might be helpful to contact a credit rating repairer to go through your options for credit rating repair.

    Graham Doessel, Founder and CEO of My CRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    Image: suphakit73 / FreeDigitalPhotos.net

  • Telstra’s at it again. And this time it may affect YOU.

    Your credit file could be affected by errors in the telecommunications industry…here is a media release we sent out last month about a significant data breach which occurred with Telstra’s customer files. We are eager to see what the Privacy Commissioner’s findings will be on this incident.

    Media Release

    12 December 2011

    A massive data breach of Telstra’s customer database has potentially put around 800,000 of its customers at grave risk of having their passwords stolen and their personal information pilfered by identity thieves.

    The data breach, which occurred last Friday, saw detailed personal information which was supposed to be available to Telstra customer service agents only, exposed and openly accessible on the internet.

    The Sydney Morning Herald reported on Friday a user of the Whirlpool forum stumbled upon the “Telstra bundles request search” page after doing a Google search for a Telstra customer support phone number they were told to contact.[i]

    SMH reported the information of any Telstra customer was searchable even by last name, bringing up the customer’s account number, what broadband plan they were on, what other Telstra services they were signed up to and notes associated with the customers’ accounts including in many cases their usernames and passwords.

    There were also other details about technician visits, SMS messages sent to private mobile numbers and credit check details.

    Telstra has reportedly reset approximately 60,000 customer passwords as a precaution.[ii]

    Telstra bundle customer, Graham Doessel is one of those potentially at risk.

    He also happens to be the CEO of a company dealing in credit repair for people who have been unlawfully blacklisted from borrowing facilities. He says as much as 50% of his clientele who present with credit file errors and inconsistencies are Telco customers, and many of those are Telstra customers.

    “This data breach is a crucial example of how errors occur so easily in the Telco industry. Unfortunately they have the potential to severely damage someone’s financial future.”

    “Every day we deal with customers who can’t get a home loan, because their credit rating is damaged by improper execution of policies and procedures in the Telco industry,” Mr Doessel, of MyCRA Credit Repairs says.

    Mr Doessel is concerned he is amongst those Telstra customers whose personally identifiable information may have been viewed, and copied for purposes of fraud during the time the information was readily available on the internet.

    “The issue is about both our possible stolen passwords, and our possible stolen personal details – a huge commodity for fraudsters. What’s to say fraudsters haven’t jumped on the internet while this information has been available and copied it?”

    “Personal details are the building blocks for constructing a fake identity. Once someone has fake ID documents, they can take out significant amounts of credit in the victim’s name. Often people don’t find out about it straight away and that can result in defaults from creditors and massive long term credit issues,” he says.

    Mr Doessel recommends anyone who feels they may be at risk from this data breach take a few precautionary steps to ensure their credit file is protected:

    1. Change passwords. Even if Telstra hasn’t advised you otherwise, go in and change your password. If you have that same password for unrelated accounts, change that as well.

    2. Contact creditors and advise them you may be at risk of identity theft. This will allow them to ‘flag’ your accounts and halt any suspicious activity.

    3. Check your credit file. Obtain a free copy of your credit file and check there is nothing suspicious already present on your credit file.

    4. Alert credit reporting agencies. They can put an alert on your credit file which informs you of any changes to contact details, or suspicious credit enquiries you may not have initiated.

    The Privacy Commissioner, Timothy Pilgrim made a statement yesterday:

    “I have opened a formal investigation into the Telstra data breach. At a briefing today Telstra has assured our office that the immediate problem has been rectified and that personal data is no longer accessible.

    I have asked that Telstra also provide me with a detailed written report on the incident, including how it occurred, what information, if any, was compromised and what steps they have taken to prevent a reoccurrence. I will consider all the information provided by Telstra and hope to be in a position to issue an investigation report in late January 2012,” Mr Pilgrim says.

    It is uncertain exactly what, or how much, the Privacy Commissioner could determine Telstra would be liable for.

    A recent decision handed down by the Privacy Commissioner only last week, saw one individual complainant awarded $7500 in compensation after a Leagues Club was found to have breached their privacy.[iii]

    This is not the first time a major data breach has occurred with Telstra. In October 2010, a mailing error saw around 60,000 letters containing personal customer information sent to other customers.

    The Privacy Commissioner found the privacy of Telstra customers was only breached in 2010 due to human error, and did not occur due to any systemic failure of Telstra’s processes or procedures, therefore they were not required to pay damages in this instance.[iv]

    /ENDS.

    Please contact:

    Lisa Brewster – Media Relations media@mycra.com.au

    Graham Doessel – Director info@mycra.com.au

    http://www.mycra.com.au/ 246 Stafford Road, STAFFORD QLD. Ph: 07 3124 7133 www.fixmybadcredit.com.au

    MyCRA Credit Repairs is Australia’s leader in credit rating repairs. We permanently remove defaults from credit files.


  • Privacy Commissioner casts final verdict on Sony data breach

    It seems that there will be no reprisal according to Australian law for the victims of the Sony PlayStation/Qriocity saga which left the personal information of approximately 77 million Sony customers worldwide exposed to hackers and threatened the victims with possible identity theft and credit file misuse.

    Australian Privacy Commissioner Timothy Pilgrim released his official report last Thursday on his investigation into Sony Australia’s possible breach of the Privacy Act.

    His investigation found that Sony did not breach Australia’s Privacy Act when it fell victim to a cyber-attack.

    The investigation looked at whether Sony complied with the National Privacy Principles in the Privacy Act. The Principles require organisations to take reasonable steps to protect personal information, and limit the circumstances in which organisations can use and disclose personal information.

    “I found no evidence that Sony intentionally disclosed any personal information to a third party.  Rather, its Network Platform was hacked into. I also found that Sony took reasonable steps to protect its customers’ personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place,” Mr Pilgrim said.

    Mr Pilgrim was concerned about the time that elapsed between Sony becoming aware of the incident and notifying its Australian customers and the OAIC. There was a gap of a week between the data breach and the notification. However, the Privacy Act does not contain a deadline for data breach notification – so this failure to notify does not classify as a breach of privacy.

    “I would have liked to have seen Sony act more swiftly to let its customers know about this incident. Immediate or early notification of a data breach can allow individuals to take steps to mitigate the risks that arise from their information being compromised,” Mr Pilgrim said.

    “However, I am pleased that in response to this incident, Sony has now implemented extra security measures to strengthen protections around the Network Platform.”

    During the investigation, the Privacy Commissioner examined information pertaining to relationships between the various Sony entities involved in this matter.

    “The international nature of these relationships raises challenges for regulators monitoring personal information flows in these kinds of situations where large global companies are collecting personal information while operating in a number of different jurisdictions.”

    In recognition of this, the Privacy Commissioner will provide a copy of his investigation report to privacy regulators in APEC member economies for their consideration.

    The Privacy Commissioner can only investigate what is within the bounds of Australia’s Privacy Act – and here we get to the real problem.

    Unfortunately our Privacy Laws don’t extend to mandatory data breach notification. So the Privacy Commissioner was unable to investigate what many agree was the real issue – why Sony took a week to notify its millions of customers that their personal information – including credit card details – had been compromised.

    The entire saga and this subsequent investigation have served to highlight a massive hole in Australia’s privacy laws, which leaves people open to this kind of breach of security with no retribution via our Government policy.

    As we advised at the time of the data breach, it is important for anyone who has had their personal details compromised in this way to be on the lookout for possible misuse of their credit file.

    Often people don’t know they have been victims of identity theft until they attempt to obtain credit and are refused, due to defaults on their credit report they are unaware of.

    It is recommended that everyone check their credit file for free every year from Australia’s credit reporting agencies. For people who have been the victim of a data breach and other people vulnerable to identity theft, it might pay to include a separate credit file monitoring service. For instance Veda Advantage will (for a fee) monitor people’s credit files and alert the credit file holder to any changes or entries on their credit file – including credit enquiries.

    If people need help with credit rating repair following identity theft, they can contact MyCRA Credit Repairs toll free within Australia on 1300 667 218.

    Image: Arvind Balaraman / FreeDigitalPhotos.net

     

     

  • Facebook users should be wary of new Timeline feature

    Security of people’s personal information on Facebook is again under the spotlight since the announcement of Facebook’s new ‘Timeline’ feature which tracks the digital history of its users, charting their online activity.

    And in a shock revelation today Australian technologist, Nik Cubrilovic has revealed this tracking actually continues even after the user has logged out. Cubrilovic says tests he has conducted show that:

    “when users log out of Facebook, rather than deleting its tracking cookies, the site merely modifies them, maintaining account information and other unique tokens that can be used to identify users,” his blog says.

    An article in The Australian last week titled Every click you make, Facebook tracker will be watching you featured Australian Privacy Commissioner Timothy Pilgrim. He issued a warning to consumers about the introduction of this new feature, and its privacy implications.

    “I would strongly encourage people using social networking sites to make sure they know what information may be made publicly available on that site and to think carefully about the information they are sharing and who might have access to it,” Mr Pilgrim said.

    With the new information that has come to light today, it would seem even more important for Facebook users to exercise caution around this new system.

    The discovery is featured in The Sydney Morning Herald’s story Facebook tracks you even after logging out. The article quotes David Vaile, executive director of UNSW’s Cyberspace Law and Policy Centre. He says Facebook’s changes were a ”breathtaking and audacious grab for whole life data”. In an email interview he accused the social networking site of attempting to ”normalise gross and unsafe overexposure”.

    ”While initially opt-in, the default then seems to be expose everything, and Facebook have form in the past for lowering protection after people get used to a certain level of initial protection – bait and switch,” he said.

    Cubrilovic says he has been sitting on this information for over a year, despite notifying Facebook of his discovery at the time. He says the recent introduction and media coverage of the Timeline feature has prompted him to reveal his findings.

    Although there has been no ‘official’ response to media to date in response to the issue, a couple of engineers who work for Facebook have denied allegations they track cookies.

    “I am a Facebook engineer that works on these systems and I wanted to say that the logged out cookies are used for safety and protection including: identifying spammers and phishers, detecting when somebody unauthorized is trying to access your account, helping you get back into your account if you get hacked, disabling registration for under-age users who try to re-register with a different birthdate, powering account security features such as 2nd factor login approvals and notification, and identifying shared computers to discourage the use of “keep me logged in.”

    Also please know that also when you’re logged in (or out) we don’t use our cookies to track you on social plugins to target ads or sell your information to third parties. I’ve heard from so many that what we do is to share or sell your data, and that is just not true. We use your logged in cookies to personalize (show you what your friends liked), to help maintain and improve what we do, or for safety and protection,” the engineer writes to Emil Protalinski for ZD Net.

    Identity theft can be devastating for the victim, and many times they face an uphill battle with their credit rating following it. If the crime is sophisticated – the virtual stealing of someone’s good name can go undetected for a significant time. Often it is not until the victim applies for credit somewhere and is refused that they realise their personal information has been stolen and identity fraud has been committed against them. People may have credit applications as a minimum and possibly defaults, mortgages and mobile phones attributed to them incorrectly.

    Once any account remains unpaid past 60 days, the debt may be listed by the creditor as a default on a person’s credit file. Under current Australian legislation, defaults remain listed on the victim’s credit file for a 5 year period.

    What is not widely known is how difficult recovery from identity theft can be. Unfortunately there is no guarantee defaults can be removed from a person’s credit file. The onus is on the identity theft victim to prove to creditors they didn’t initiate the debts in order to succeed with the credit repair. But for the victim who is virtually robbed of their financial freedom, it is a point worth fighting for.

    Signs which may alert people to possible identity theft:

    – Money missing from bank account/s
    – Suspicious entries on credit card statements or bank statements.
    – Statements for strange accounts.
    – Missing mail such as bank statements or Centrelink statements.
    – Credit refused somewhere.
    – Mail about new credit applications.

    For more information on identity theft, or for help with credit repair following identity theft, visit the MyCRA Credit Repairs website.

    Image: jscreationzs/ FreeDigitalPhotos.net

     

  • Australian PlayStation users given free identity theft protection for a year

    Finally Sony has recognised the possible threat that was made to the personal information of its 1.5 million Australian PlayStation users. After one of the world’s biggest data breaches occurred on the PlayStation Network in April, Sony has come to the party with an offer of free identity protection for the year.

    The Sydney Morning Herald reports about this in its story ‘Sony offers free ID theft protection to Aussies.’

    The package includes “CyberAgent Internet Surveillance”, whereby CS Identity’s technology scours the internet for unauthorised use of your identity. The firm conducts 24/7 monitoring of criminal web pages, chat rooms, bulletin boards and file sharing sites to identify trading or selling of customers’ personal information.

    Identity restoration is also included, which involves the firm helping customers restore their identity after becoming the victim of identity theft.
    The data stolen during the breach includes names, gender, addresses, email addresses, birthdays and login passwords for Sony’s PlayStation Network and its Qriocity music streaming service.

    All up 1,560,791 Australian accounts were affected – 280,000 of which had credit card details. This is a fraction of the 77 million total accounts exposed worldwide.

    Security experts have warned that even without credit card details, hackers could use the other stolen details to construct highly targeted and believable attacks designed to steal more personal information and/or infect computers.

    The SMH says the Australian Privacy Commissioner, Timothy Pilgrim, has been investigating the breach, and they say it is still ongoing. In May we blogged about Australia’s Privacy Laws, as they relate to data breaches.

    The Government is set to introduce tougher Privacy Laws following this data breach. One of these will be mandatory notification laws, helping to protect Australians from identity theft following any future data breaches, and another will allow victims of identity theft following a data breach to obtain some kind of compensation for any loss they may suffer.

    The Sydney Morning Herald recently reported one in 10 Australians who use the internet have lost money to online identity fraud over the past year, according to VeriSign Authentication Services. We recently blogged that these fraud figures have doubled since 2007. The cost of this is estimated to be $1.286 billion during the past year.

    But the real cost of identity theft comes when a person’s credit file is impaired. When identity theft affects people’s credit files there is no reimbursement for losing the money they could borrow. But victims often lose their dream home, can’t borrow for their business and can’t get the new car they wanted.

    Often victims don’t know about the fraud until they apply for credit and are refused because they have a bad credit rating.

    Image: Arvin Balaraman / FreeDigitalPhotos.net

  • Privacy Commissioner releases findings on Telstra mailout error

    Whenever the public are in danger of having their credit file tarnished due to data breaches which can result in identity theft, it is important to warn them.

    Recent news has come from the OAIC (Office of the Australian Information Commissioner) on a botched Telstra mailout.

    The OAIC today released the findings of its investigation into the Telstra mailing error which resulted in around 60,000 Telstra customers’ personal information being sent to other customers.

    Australian Privacy Commissioner, Timothy Pilgrim opened an investigation after Telstra notified him of the incident in October 2010.

    Mr Pilgrim found that while Telstra did breach the Privacy Act in terms of disclosing personal information of its customers to a third party, it was not due to any failings of the security of its system, but simple human error.

    The investigation revealed that Telstra had a range of security measures in place to protect customer personal information involved in mail campaigns. These measures include privacy obligations in agreements with mailing houses, privacy impact assessments at the outset of mail out initiatives, and procedures to ensure staff handle personal information appropriately during mail campaigns.

    “In this instance, taking into account the range of measures Telstra has in place for mail campaigns, I consider that the one-off human error that occurred does not mean that Telstra failed to comply with its obligation to take reasonable steps to protect the personal information of its customers. Therefore, I consider that Telstra has not breached this particular aspect of the Privacy Act,” the Privacy Commissioner said.

    The Commissioner also noted Telstra’s fast notification of the data breach.

    Mr Pilgrim did say, however, that if an individual complaint came to them following this matter, the complaint would be considered on its own merits.

    “Incidents such as this one highlight how important it is for all organisations to take steps to protect their customers’ privacy. If such an incident does occur, it is best practice to notify the OAIC as soon as possible and take action immediately to prevent further breaches,” he said.

    This incident brings to light a section of Australian privacy law that needs to improve. Luckily, in this incident, Telstra did the right thing and notified its customers and the Privacy Commissioner of the data breach immediately.

    But when the Sony PlayStation data breach occurred in May, Sony did not notify its customers of the data breach immediately; it took about a week. In that time its customers were vulnerable to identity theft, and there was nothing our Government could do as recourse. Our data breach notification laws currently do not require companies to notify their customers immediately following a data breach.

    The Australian Law Reform Commission has made a recommendation for amendments of this law to occur, and the Government is currently considering it.

    The dangers of data breaches

    If the wrong person gets hold of someone’s personal details, they can potentially build a profile of identity documentation that can give them the opportunity to commit fraud.

    Fraudsters who have access to small pieces of specific information on someone can then build on that profile, eventually requesting ‘replacement’ copies of drivers licences and can then access bank accounts, get credit cards, apply for loans, phone accounts, and in some cases, buy property in someone else’s name. There are some identity theft cases where fraudsters have even mortgaged or sold the family home of their identity theft victims.

    Once someone’s identity has been stolen, their credit file is generally tarnished. This credit file blemish will unfortunately haunt the victim for 5 years while the listing/s remain on their credit file. Credit file blemishes generally deny someone access to most credit for the term of the default.

    It is important for everyone to know they can order a free copy of their credit file report every year from one or more of the credit reporting agencies in Australia, Veda Advantage, Dun and Bradstreet and Tasmanian Collection Services.

    Contact MyCRA Credit Repairs for help with repairing credit files following identity theft.

    Image: Luigi Diamanti/ FreeDigitalPhotos.net