THE HON MARK DREYFUS KC MP
MEMBER FOR ISAACS
ABC MELBOURNE MORNINGS
TUESDAY, 15 AUGUST 2023
SUBJECTS: Identity Theft; Voice to Parliament.
VIRGINIA TRIOLI: We've been covering this story for, well, more than a week now and it's a story that's galvanised attention right across this station and really across the city. The story of John and Julie, who were victims of identity theft, who had almost $400,000 drained from many different accounts, who had tried over days to alert their banks to what was going on, who had tried over days just to even get in contact with many of their banks and just getting through the front door via the phone has proved to be incredibly difficult. Just to remind you of that conversation, and of the issues that we've been spooling through ever since about Australia being blessed with a number of agencies that are charged with the task of dealing with this, but the opacity around which agencies are genuinely responsible. The Attorney-General is about to join you in just a moment, but to remind you in our conversation we originally asked John and Julie what their experiences have been like dealing with the banks.
JOHN: Totally frustrating in the sense that you would ring their only number and you'd be waiting there for a quite a lengthy time. The record is with the ANZ, three hours and 22 minutes. And it's not only that, then they would toss between Fraud Division and Scams.
TRIOLI: Now, this is where we became surprised. We didn't know there was such a distinction between fraud and scams. I can't even tell you what the division is and therefore the agencies that step in and have responsibility for it. Mark Dreyfus is the Attorney-General and the Federal Member for Isaacs and I'm delighted to say that he's with you in the studio this morning. Attorney-General really great to have your company.
ATTORNEY-GENERAL MARK DREYFUS: Thank you. Very good to be with you, Virginia.
TRIOLI: So, we've contacted Victoria Police, the Australian Cyber Security Center, the ACCC and the AFP and we haven't really been given a clear answer on who oversees online identity theft if it doesn't relate to a scam. So, we'll define scam in just a moment and the key distinction there. But can you tell us who has responsibility there when it comes to your identity being stolen and as a result of that your telephone number being ported away from you? Someone getting hold of your phone account and therefore getting access to your accounts?
ATTORNEY-GENERAL: There's a shared responsibility, Virginia. And that's of course, one of the reasons why, as a Federal Government, we've got right onto this since coming to government. There's a need for coordination. I've got a number of Cabinet colleagues - my colleague Katy Gallagher, the Minister for Finance, my colleague Stephen Jones, the Assistant Treasurer, and my colleague Clare O'Neil, the Minister for Cyber Security, and me as Attorney-General. All of us have responsibilities and there are a number of agencies. Now I don't mean to make that sound complicated but there is a need for coordination. So sometimes it's going to be the Victoria Police that's got direct responsibility. Sometimes it's going to be the Australian Federal Police. The Office of the Information Commissioner and the Privacy Commissioner, she has responsibilities, which are important ones to make sure that finance companies, banks, any other organisation that collects personal data, doesn't store it for longer than they need to, and doesn't collect more information. So that's a coordination task. And we have been very, very busy since the election in grappling with this,
TRIOLI: You say grappling with this, that makes it sound like, and I've got to say, John and Julie's experience makes it sound like, you've not yet wrestled this to ground. That you have these agencies but no one is really clear who steps up first, and immediately, in a situation like John and Julie's?
ATTORNEY-GENERAL: I think we're getting better at it.
TRIOLI: Not in this case.
ATTORNEY-GENERAL: John and Julie's experience was a shocking one. I've heard some of what you've been saying, and I heard a little bit of that interview that you just played with John and Julie. All Australians, I think, have become aware of this because of really significant breaches, cyber breaches that have occurred, Optus, Medibank, Latitude that have occurred in the last 12 months. The Australian Federal Police have told me that something like half of all Australians have had a potential compromise of their personal data, just in the last year, because of those three huge breaches. So, as a result, we've got now, the Australian Federal Police has organised a Joint Policing Cybercrime Coordination Centre that's going to be working with other police forces and industry. The Australian Federal Police and the Australian Signals Directorate have got an offensive operation now underway that is targeting and disrupting cyber-criminal activity throughout the world. We've got, courtesy of the excellent work that my colleague Stephen Jones has done from the first of July, we've got a National Anti-Scam Centre that's set up and in June we launched the National Strategy for Identity Resilience. And perhaps, most significantly, but this hasn't happened yet, and it won't happen until next year when we legislate, we are setting up an expanded digital ID system, which the private sector are welcoming, which will make it easier for Australians to identify themselves. It will be a national system. It will mean that companies won't have to ask for so much personal information and won't have to store so much personal information. We think that it will make us all safer.
TRIOLI: That sounds like a very good idea. just dealing with the situation that we're confronted by right now. And John and Julie's situation, given your understanding of the shared responsibility of these agencies, if this was happening right now to John and Julie what's the first thing they do? Which is the first agency they call where they're going to get the fastest response, given that, it's clear that we wait on the line now for hours and hours to get hold of our banks?
ATTORNEY-GENERAL: And that's not good enough. The very first thing to do is to report the fraud.
TRIOLI: To the bank?
ATTORNEY-GENERAL: To the bank.
TRIOLI: But if you're waiting on the line for three hours what the hell do you about it?
ATTORNEY-GENERAL: I couldn't agree more with you.
TRIOLI: Well, go on, but then I want to put to you something that Anna Bligh said to us yesterday, and you see if it's acceptable, but finish what you're saying.
ATTORNEY-GENERAL: Well, I'd refer all of your listeners to the Office of the Australian Information Commissioner's website. She's got a very useful page there that talks about the steps that you should go through under the heading "OAIC Identity Fraud". But the first thing to do is report the fraud and you should be able to get through to your bank, you should be able to get through to the finance company, you should be able to get through to your phone provider if you have been defrauded, and it should be quick.
TRIOLI: And if you can't, do we deduce from that, from banks that, for example, the Commonwealth Bank, which last week recorded a profit of $10.16 billion but doesn't have enough staff staffing its phones so that if I'm calling through to the line that's called the fraud line I'm waiting there for more than three hours. Are they spending enough money on hiring enough people to serve those phones?
ATTORNEY-GENERAL: Clearly not. We need to have much more responsive action from the banks, from finance companies, from telecommunications providers, because they have the primary control of the data, they have the primary control of the systems and they need to be able to respond. Government will come along later. The Government's got a coordination role. Government can regulate, government can provide resources and training and assist private corporations but it's the private corporations that have got the primary responsibility.
TRIOLI: There is a government role, and I want to come back to that in just a moment, but this is what Anna Bligh, the head of the Banking Association said to us on this program yesterday, between our four major banks and the three regional banks, they invest more in financial fraud than the entire budget for the AFP, which by my reading for the year 23/24 just slightly tips over $2 billion. So, they're saying $2 billion. You're saying that's not enough if it takes three hours for us to get through on the phone?
ATTORNEY-GENERAL: Clearly not. And I'd say it's a false comparison. We've got here new digital technology which has enabled the banks to shut down branches, to have a much smaller workforce than they once had. Huge financial advantage has come to corporations because of new digital technology and rather than simply saying we're going to make ever increasing profits, and accepting what Anna Bligh says that the profits end up with shareholders, they've got to be doing more. They've got to recognise that we're in a changed, technologically changed, digital landscape that requires different behaviour from before and part of that behaviour is making sure that the actual customers can get help straight away.
TRIOLI: Are the banks being greedy? Are the banks being irresponsible?
ATTORNEY-GENERAL: I'm not going to go to greedy or irresponsible, I'm saying they need to do more and I think that Anna Bligh pretty much accepted that from you, yesterday, Virginia, when you asked her these questions.
TRIOLI: Except when it came to the staffing issue, except when it came to spending some of that money to employ more people, so there's enough people to pick up the damn phone.
ATTORNEY-GENERAL: Well, either to pick up the phone or respond online, if that's the way you're choosing to complain.
TRIOLI: But let's get back to the federal responsibility because Julie and John were told to file a report with ReportCyber. Now that's the country's cybercrime reporting service and they were told this would go to the relevant state authorities, Victoria Police, that there's a coordination as you're suggesting, they link in there. But when they had to get proof of a police report to get a new license number because that was taken from them, Victoria Police told Julie and John they had to file a separate report with them. Now, even when our reporter Maddie Chwasta contacted Victoria Police and cited Julie and John's cyber report number - you're given a number when you go to report cyber - she was told it wasn't recognised by Victoria Police. So, if Victoria Police doesn't recognise a cyber report number your system of coordination isn't working.
ATTORNEY-GENERAL: I agree. And I've said earlier that in March, the Australian Federal Police launched this joint policing Cybercrime Coordination Centre.
TRIOLI: It ain't coordinating.
ATTORNEY-GENERAL: Well, it's only been launched in March and I'm going to take this back and I'll be talking to the Commissioner about John and Julie's case, making sure that if we say we've got a Joint Policing Cybercrime Coordination Centre, it is coordinating. that it is working, that anything that's reported to it, anything that the Australian Federal Police get, works as a notification to the relevant state police force, because there are shared responsibilities here.
TRIOLI: Mark Dreyfus is with you. Attorney-General and Federal Member for Isaacs at eight minutes to nine. Attorney-General the Federal Government was rightly very angry about the data breaches that you cited just before that involved Medibank, Latitude, Optus and others. And you were furious to see that that such companies had, or were holding, information for that long and also hadn't bolted the back door properly. Given that's the case, what if anything has happened since then by the Federal Government, by your agencies, to try and ensure that whatever data was taken is not being used in what everyone assumes has been this circumstance where someone's been involved in Latitude, in the data breach by Latitude, Julie and John, and they've gone on to steal their identity. What have you done since to actually block off what might be done with that data?
ATTORNEY-GENERAL: The first thing we've done is to, and this was the first legislative action which I took in November last year, was to massively increase the penalties for misuse of personal information, for failing to take care of personal information. These are penalties under the Privacy Act. I said last year, and I'm going to keep saying it, companies need to stop thinking of Australians' personal data as an asset and start thinking about it as a liability for which misuse causes tremendous personal pain and cost to Australians. So, we need a change in attitude. One way of doing that is to massively increase the penalties, which we've done. I know that the Information Commissioner, Angelene Falk, is still looking into each of those massive breaches. There may yet be penalties imposed arising from those massive breaches. But they are very, very big breaches, that's taking some time to complete the investigations.
TRIOLI: If you can explain to us in a way that that will be meaningful for our listeners, what is the material difference between a scam and a fraud? Why does it matter in terms of, you know, where you go quickly when you realise you've been victim of either one?
ATTORNEY-GENERAL: A scam is a fraud, Virginia, and the distinction I'd be making is between identity theft and scam. Scam is where someone is tricking you, by pretending to be something that they're not, by pretending to make an offer which is not, in fact, a real offer, by tricking you into making a payment which you shouldn't be making. Identity theft is what's been occurring as a result of these data breaches where your personal information is grabbed and it's used to clean out your bank accounts or set up a false account or in some way enter your life, but with identity theft. But they're both fraud.
TRIOLI: They are indeed both fraud but in the case of the first one, the scam, are the banks then, in your view, on solid ground when they say, and some of them do, 'well, that one's your fault, because you clicked on the link'?
ATTORNEY-GENERAL: No, I think that the banks have to take more responsibility. Clearly, there's some going to be always some grey areas here but the banks have got, within their power, to take more care to prevent scams occurring in the first place.
TRIOLI: What do you want to see them do as a result of conversations like this? So, I've got listeners who have called for, you know, a button on your app, where you can push, for example, to say just freeze everything, halt everything, I've got, you know, concerning activity happening here. They're spit balling ideas but are there ideas that you've got that you think the banks should introduce quickly?
ATTORNEY-GENERAL: I think that there are things that the banks can do very quickly. I think for a start they should be putting more resources into this. For a second thing, they should be putting out more to their customers to try and improve the digital hygiene of their own customers. They should be encouraging people to change their passwords frequently. They should be encouraging people to use more complex passwords. And most importantly, they should be looking, themselves, to collect as much information as possible so that they can block and take the digital precautions that are available to these big companies.
TRIOLI: A couple of minutes left before I let you go. I just wanted to ask you a few questions about the Voice campaign. The Australian Jewish Association head David Adler, who's a key figure in the No campaign, in one of the organisations campaigning for a No vote, it's called Advance. He's made comments that he's been caught out about, about Stan Grant and about independent senator Lidia Thorpe, about the colour of their skin and questioning their Aboriginality. He's responded saying that he wasn't trying to insult them but these comments, and I won't quote them, are pretty disgusting. Your thoughts on this as, also, as a prominent figure in the Jewish community yourself?
ATTORNEY-GENERAL: Well, it's disgraceful. And I make the point to your listeners that Mr Adler doesn't represent anybody. He's entirely self-appointed. The No campaign needs to dissociate itself from the kind of hateful, and I have to say to anti-Semitic material that Mr Adler has used. We're seeing increasingly hysterical misinformation from the No campaign. Mr Dutton needs to start dissociating himself from this kind of material. I heard my Parliamentary colleague, the former Liberal frontbencher Julian Leeser, saying just this morning that the No campaign wants to talk about everything but the actual proposal. The Yes campaign is talking about what the proposal actually is, which is a simple and significant change to our Constitution which is about recognition and listening. So, let's try and get this whole campaign back on something like an even keel. The No campaign needs to stop using disinformation and dissociate itself from the kind of hateful, revolting material that we've seen from people like Mr David Adler.
TRIOLI: We've only got a few seconds left but just quickly, do you think the polls reflect true voter sentiment right now? Do you think the vote is heading for a defeat?
ATTORNEY-GENERAL: I don't. I have confidence that Australians will see that this will make us a better country. And when we come to the referendum in a couple of months’ time, I'm not worried about the polls now, I am confident that Australians will vote for a better future for all of us.
TRIOLI: Can you set the date?
ATTORNEY-GENERAL: I'm not going to. That's a matter for the Prime Minister, Virginia.
TRIOLI: Mark Dreyfus, good to talk to you this morning. Thanks for joining us.
ATTORNEY-GENERAL: Thank you very much.