[yieldcrv]

> Information which may have been exposed includes customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers

Okay so this was half the country.

I cant honestly understand how anyone thinks KYC laws make sense if anyone can make a bank account as anyone else, and it all looks like legitimate money or the human is getting framed while the criminal just rotates IDs.

[sofixa]

You can't make an account with the number or a scan of an ID document (at least here in the EU, but i doubt it'd be much different down under). The real thing is required, or in the case of neobanks, multiple photos at specific angles + selfie from their app.

[tonteldoos]

All it takes to register a new number here, are your details including name, DoB, physical address (all the complete ones leaked), the type of ID used (passport, drivers license) and the number on that ID. You can do it in about 5 minutes online, and the number is then active (but not before).

Not even a copy of the document is required, and it doesn't have to be sighted by anyone. From memory, you don't even have to supply the expiry date on the document (and driver's license numbers remain static).

One of the first things I see happening, is criminals using this to obtain burner numbers not traceable to them.

[yieldcrv]

all it takes is a single institution that subverts that.

regarding angles and selfies, most of those just require you to go through the motions not for it to be accurate or withstand [human] scrutiny.

[lysp]

> driver's licence or passport numbers

They are required to verify that information.

They shouldn't have been storing that though.

Should only have existed for the period of the verification request on signup - a single form post.