Optus says it needed to keep identity data for six years. But did it really?

30 Sep 2022

Dr Brendan Walker-Munro writes for The Conversation

Among the many questions raised by the Optus data leak – cybersecurity experts are confident it wasn’t a hack, but that may have to be decided by a court – is why the company was storing so much personal information for so long.

Optus had a legitimate need to collect that data – to verify customers were real people and potentially to recover any debts later. This is known as a “know your customer” (or “KYC”) requirement.

But the reason about 4 million former customers, along with 5.8 million current customers, are now worrying about their driver’s licences, passport numbers and Medicare numbers ending up in the hands of criminals is that Optus hung on to that data for six years.

Optus has said it is legally required to do so.