OPINION: Some 55 years ago Blues legend Muddy Waters got together with Howlin' Wolf and Bo Diddley and recorded what was marketed as Super Blues for Chess Records. It became one of the classic blues records of all time, and also one of the best produced.

The resultant record included the Muddy Waters classic tune You Can’t Lose What You Ain’t Got, a soulful tune about a former love now long gone.

The song came to mind over recent weeks as the Optus cyber attack unfolded in Australia.

It’s been called a complex cyber attack, but it appears it wasn’t so complex. According to reports the attack vector was an API (application programming interface) which was connected to one of the Australian telecommunications company’s core databases.

An API is just a channel between computer systems that lets one computer share data with another. If you think of an API as the loading dock underneath an office building where trucks drop off and pick up parcels, in this case someone had left the door at the dock unlocked after the parcels had been dropped off.

And behind that door was data. A shedload of personal customer data including a lot of source documents.

Some 10 million customers in total, given Optus is Australia’s second-largest telco. So that’s about 45% of the Australian population.

Photo: Kevin Stent/Stuff. If a customer's personal data is deleted it can't be hacked, says Mike O'Donnell.

To get an idea of how big a deal this is let’s imagine the godzone equivalent.

Imagine if Vodafone (our second-biggest telco) was hacked, and it lost data for 2.3 million Kiwis (45% of the population) and that included the passport details for 100,000 of our whanau and medical insurance information for another 17,000 of them.

So it’s a lot more than just names and email addresses. Meanwhile, the scale is astounding.

The Optus data breach saw a huge range of information points that the company had used to validate the identity of their customers. This included banking data, passports, Medicare information, birthdates and home addresses.

In simple terms it's the largest successful breach of personal data in Australian history. It's bad enough that Optus is giving current and former affected customers free credit monitoring and identity protection services for a year.

That may sound good, but the damage will last much longer than a year. Some details lost can never be changed, so they will be permanently floating around the currents of the dark web. Details like names and birthdates can't be updated the way a credit card or a passport can.

Speaking of which, the Australian federal government wants Optus to pay for new passports of the data breach victims. A fair ask I reckon given it costs over A$308 (NZ$341) to get a passport and a lot of faffing around. In total, I understand over 100,000 live passports are affected – so that’s a cool A$30m it could cost Optus.

But to be clear, the breach will cost them a lot more than that. A couple of big questions come out of it.

Firstly, how could a technology specialist be hacked so easily? I mean we’re not talking about a bunch of digital hillbillies here. We’re talking about a A$10 billion Aussie technology company owned by a A$50b Singaporean technology company.

Secondly, why on Earth was it hanging onto so much information and for so long? The fact that a bad actor can steal your passport details by hacking your mobile phone provider seems weird, not to mention rather chilling.

It all comes down to retention. Why did Optus retain authentication documentation beyond the point it needed it to validate the customer's identity? From what I understand Optus is referencing the Telecommunications Consumer Protection Code as the reason. However, the code only refers to retaining customers' billing information for six years, not the source documents used to confirm their identity in the first place.

Hopefully right now directors and chief executives in Aotearoa are asking the same question of themselves in respect of their organisations. What is their retention policy and is it fit for purpose?

New Zealand's Privacy Act doesn't specify a minimum or maximum time that a company should keep clients' personal information. Instead, Privacy Principle nine states that you should not keep that information for longer than is required for the purpose for which it may lawfully be used.

For normal customer service contexts that means it's fine to ask for a driving licence or a utility bill or similar to verify the identity of the person you are servicing, but once that is done there’s no need to hang onto that information.

The key thing for directors and chief executives to consider right now is, do their organisations have a crisp metric for deciding when the retention of those source documents is still needed? And as soon as that need expires, do they securely delete it?

Because that’s the gold standard for protecting consumer data. Deleting it so it can’t be hacked. As Muddy Waters noted some 60 years ago, you can’t lose what you ain’t got.
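To make the retention point concrete, here is an added example (not Optus code and not from this column) of the pattern the previous paragraphs describe: an identity document is used for one purpose, the outcome of the check is kept as a minimal record, and the source document itself is scrubbed as soon as that purpose is fulfilled, while billing records run on their own six-year clock. The purpose table, the check_document() stand-in and the sample records are all assumptions constructed for the demonstration.

```python
"""Purpose-bound retention: keep the verification outcome, drop the source document.

Added example; not Optus code and not from the column. The retention table,
the check_document() stand-in and the sample records are all constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention limit in days per purpose. None means "delete as soon as the
# purpose is fulfilled", which is the column's rule for identity documents.
# The six-year billing figure is the column's reading of the Australian code.
RETENTION_DAYS: dict[str, Optional[int]] = {
    "billing": 6 * 365,
    "identity_verification": None,
}


@dataclass
class Record:
    customer_id: str
    purpose: str
    kind: str                            # e.g. "passport_scan", "invoice"
    payload: bytearray                   # the sensitive content itself
    created: datetime
    fulfilled: Optional[datetime] = None  # when the purpose was completed


@dataclass
class VerificationOutcome:
    """The minimal fact worth keeping: that a check happened and what it found."""
    customer_id: str
    document_kind: str
    verified: bool
    checked_at: datetime


def check_document(payload: bytearray) -> bool:
    # Hypothetical stand-in for a real document check; accepts any non-empty scan.
    return len(payload) > 0


def retention_expired(rec: Record, now: datetime) -> bool:
    limit = RETENTION_DAYS[rec.purpose]
    if limit is None:
        return rec.fulfilled is not None       # purpose done, no basis to keep it
    return now - rec.created >= timedelta(days=limit)


def scrub(rec: Record) -> None:
    """Overwrite the in-memory payload before dropping the reference."""
    for i in range(len(rec.payload)):
        rec.payload[i] = 0
    rec.payload = bytearray()


class DataStore:
    def __init__(self) -> None:
        self.records: list[Record] = []
        self.outcomes: list[VerificationOutcome] = []

    def verify_identity(self, customer_id: str, kind: str, payload: bytearray,
                        now: datetime) -> VerificationOutcome:
        rec = Record(customer_id, "identity_verification", kind, payload, now)
        self.records.append(rec)
        outcome = VerificationOutcome(customer_id, kind, check_document(rec.payload), now)
        self.outcomes.append(outcome)
        rec.fulfilled = now                    # purpose satisfied; the scan is now surplus
        return outcome

    def add_billing(self, customer_id: str, payload: bytearray, now: datetime) -> None:
        self.records.append(Record(customer_id, "billing", "invoice", payload, now))

    def purge(self, now: datetime) -> list[Record]:
        """Delete every record whose purpose has expired; return what was removed."""
        expired = [r for r in self.records if retention_expired(r, now)]
        self.records = [r for r in self.records if not retention_expired(r, now)]
        for r in expired:
            scrub(r)
        return expired

    def kinds_held(self) -> list[str]:
        return sorted(r.kind for r in self.records)


def run_demo(now: Optional[datetime] = None) -> dict:
    """Constructed scenario: one customer verified today, one invoice seven years old."""
    now = now or datetime(2022, 10, 1, tzinfo=timezone.utc)
    store = DataStore()
    store.verify_identity("cust-1", "passport_scan", bytearray(b"PA1234567<<"), now)
    store.add_billing("cust-1", bytearray(b"invoice 2022-09"), now)
    store.add_billing("cust-2", bytearray(b"invoice 2015-06"), now - timedelta(days=7 * 365))
    removed = store.purge(now)
    return {
        "removed_kinds": sorted(r.kind for r in removed),
        "removed_payload_bytes": sum(len(r.payload) for r in removed),
        "held_kinds": store.kinds_held(),
        "outcomes": [(o.customer_id, o.verified) for o in store.outcomes],
    }


if __name__ == "__main__":
    print(run_demo())
```

The design choice is that the purge runs on purpose, not on age alone: the passport scan is gone the moment the check completes, while the invoice survives until its six-year basis lapses. What remains for the verified customer is a VerificationOutcome, which is enough to prove the check was done and carries nothing an attacker could reuse.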

If Optus had deleted the personal information after it had used it, it couldn't have been stolen, and it wouldn't be facing the world of pain it is right now.