by robertwt7 1371 days ago
> Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers. Payment detail and account passwords have not been compromised.

Geez, ID document numbers are such a big thing. Now hackers can basically call most institutions and impersonate victims. This is quite huge.

3 comments

It shows why we need to rapidly embrace the idea that knowledge of an ID document number and its associated personal details is insufficient proof of identity.
This brings up a very important question - how does one verify one's identity with a business? Esp. online, without having to meet in person at some sort of branch/store?
Some kind of identity provider, like https://www.mygovid.gov.au/ or https://www.digitalid.com/personal

Yes it’s pushing the problem somewhere else, but at least I’m not giving copies of my ID to every little shit of a business.

Why the hell were they storing it? Just delete it after marking the account as verified.
Even if it needs to be verified afterwards, the numbers could be bcrypted with high enough iteration count to make them impossible to brute force but easy to verify every few years if necessary... Say 10 sec per ID?
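
The store-a-slow-hash idea from the comment above, as an added example that is not part of the thread: the record keeps a salted verifier instead of the ID number, and a later re-check re-derives it from the number the customer presents. Assumptions: PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, all function names and the sample ID are constructed, and the cost calculation uses the comment's 10 seconds per check against an assumed 8-digit numeric ID format.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 (stdlib) stands in for the bcrypt named in the thread.
PROD_ITERATIONS = 5_000_000  # constructed value; tune until one check costs what you accept


def normalise(id_number: str) -> bytes:
    """Canonical form so 'ab 123-456' and 'AB123456' verify identically."""
    return "".join(ch for ch in id_number if ch.isalnum()).upper().encode()


def enroll(id_number: str, iterations: int = PROD_ITERATIONS) -> dict:
    """Return the record to store in place of the ID number itself."""
    salt = os.urandom(16)  # per-record salt: one guess cannot be tested against every row
    digest = hashlib.pbkdf2_hmac("sha256", normalise(id_number), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(record: dict, presented: str) -> bool:
    """Re-derive from the presented number and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalise(presented),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def exhaustive_search_days(keyspace: int, seconds_per_guess: float, workers: int = 1) -> float:
    """Worst-case days to try every candidate number against ONE stored record."""
    return keyspace * seconds_per_guess / workers / 86_400


if __name__ == "__main__":
    rec = enroll("AB 123-456", iterations=1_000)  # constructed sample ID, low cost for the demo
    print(verify(rec, "ab123456"), verify(rec, "AB123457"))
    # Assumed format: 8 numeric digits, so only 10**8 candidates per record.
    print(round(exhaustive_search_days(10**8, 10)), "days on one worker")
    print(round(exhaustive_search_days(10**8, 10, workers=1_000), 1), "days on 1000 workers")
```

Because the ID keyspace is small, the protection comes entirely from the per-guess cost multiplied by the number of candidates, so the work factor should be sized against the actual ID format rather than chosen in isolation.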
Yup. It's massive.