More than 200,000 attempts to use stolen identity credentials legitimately were blocked by the federal government’s anti-fraud register in just seven months — a 66 per cent increase since April.
The Credential Protection Register was created following the Optus data breach in October 2022 to prevent compromised passports, Medicare cards and driver’s licence data from being verified through the government’s Document Verification Service (DVS).
Initially established by the Department of Home Affairs to block the use of credentials stolen from more than 2.1 million Optus customers while new identity documents were issued, it is now overseen by the Attorney-General’s Department.
In the first 18 months of operation, the register blocked 300,000 attempts to use stolen identity documents. Since then, the register has blocked at least another 200,000, Attorney-General Mark Dreyfus said on Friday.
Mr Dreyfus said the register was helping to disrupts “black market sales of stolen personal documents and illegal activities that rely on those stolen credentials including scams, money laundering and fraud”.
He noted that while it prevents identity theft, the credentials on the register can still be used for their primary purpose.
“For example, if an Australian passport is stolen in a data breach and is put on the register, it can still be used by the legitimate owner for overseas travel but cannot be used by criminals to open bank accounts or conduct other fraudulent activities,” Mr Dreyfus said.
The government provided $3.3 million in the Mid-Year Economic and Fiscal Outlook to enhance the register as part of a $145.5 million digital identity funding package, which will also be used to expand the Australian Government Digital ID System (AGDIS).
In the May Budget, the Attorney-Gneral’s Department received another $11 million as part of an additional $288.1 million for the AGDIS.
The funding will enable the development of a mobile app and website service that allows people to add their credentials to the register for monitoring and control if their documents have been compromised.
When finalised, the service will notify users in real time if attempts are made to use their identity fraudulently. Users will then have the option to control whether the credential can be used for verification through the DVS.
At the moment, the Australian Passport Office and Services Australia are in charge of assessing on a case-by-case basis whether credentials need to be added to the register after being informed by companies that they have been impacted by a data breach.
Do you know more? Contact James Riley via Email.