Close to 10 million people, or around 40% of the Australian population, had their personal data exposed in last week’s security breach at the country’s second-ranked telco Optus. Yet, the company has sent only one email to customers.
The email includes a fulsome apology from Optus chief executive Kelly Bayer Rosmarin, some warnings about where to look for suspicious activity, and a suggestion that if people were worried and needed any more information, they could go to the Optus website for more.
Unsurprisingly, many Australians have been in the dark on what to do next and how to respond to Australia’s most significant cyber security breach ever.
It wasn’t immediately clear if the email was for the 10 million people whose information was potentially compromised, the three million whose data was accessed, or the much smaller number of 10,000 whose data was dumped on the dark web.
There has been no definitive advice on precisely what people should do. Should they, for example, get new passports and drivers’ license numbers?
Experts in the media suggested people should contact their bank, yet when my partner — who received the Optus email — did so, the bank kept her on the line and listening to music for an hour or so. Then, they told her there was nothing more she could do. But don’t worry, they added, we are being vigilant.
Woefully unprepared
The fallout from the Optus data breach may take months, even years, to play out.
Perhaps the only clear takeaways at this point are that SingTel’s wholly owned Australian subsidiary was woefully unprepared for the attack and that — beyond brand damage and the potential rolling of executive heads — the penalties in place for its negligence are inadequate. The current maximum penalty Optus could face is a paltry AUD2.1 million.
The Australian Government, meanwhile, has assumed the lead in the response.
Prime Minister Anthony Albanese is insisting that Optus pay the costs for people who replace passports and drivers’ licenses. A discussion has begun on increasing the penalties in the future.
Arms of Government, such as the Australian Federal Police and the defense department’s Australian Signals Directorate, have been much more proactive than Optus. At the same time, IDCARE, a Government-funded not-for-profit, has fielded 42,000 ‘engagements’ since the incident. Unsurprisingly, two law firms are signing up people for potential class actions against Optus.
Even in the week since the event, there has been an upswing in online criminal activity, suggesting that many of the 10,000 records for sale on the dark web have been purchased and that the information is being used. There are reports of fake tax returns being lodged with the Australian Taxation Office, the goal being bogus refunds and access to pension accounts.
It has also emerged that of the 10 million people who had their data exposed, as many as 4 million are not even current Optus customers. The company has been hanging on to their data even though these people changed providers long ago. Optus says it needs to keep this data for regulatory compliance, but some say this is a grey area and that the company should delete this information as soon as customers leave.
Some who have had their data exposed are not even Optus customers but are customers of brands such as Amaysim, Dodo, Circles Life, iiNet, Virgin Mobile, and Gomo, who use infrastructure provided by Optus.
“Kid in a garage”
The whole fiasco has exposed several contradictions at the heart of modern cybersecurity. For example, customers in Australia need to provide several documents to verify their identities under the ‘100 points’ test required by Know Your Customer rules. Now, the same information that was supposed to protect them is being used against them.
The Australian Government has invested significantly in its cybersecurity capabilities for national security and defense reasons, and the last federal budget includes an AUD9 billion cybersecurity budget.
These efforts are focused on the nation’s defense assets. Yet, such is the nature of the defense industry supply chain that the data of some of the private companies which are suppliers to significant defense projects could potentially have been exposed in the Optus breach.
All this is a reminder that despite how sophisticated we might think our security posture is, the reality is that it's probably lagging way behind and is full of holes that are only exposed in the event of an attack.
The lead the Government has taken over the Optus affair has possibly been its most encouraging aspect, but what is needed is an overarching national approach covering both the public and private sectors. If one person is unsafe, the view should be that the entire nation is too.
The Government says it plans to fast-track changes that would ramp up penalties on corporates, and while this is welcome, it is overdue and too late to punish Optus in any fair proportion.
As Australian Information and Privacy Commissioner Angelene Falk said: “The regulatory framework needs to shift the dial to place more responsibility on organizations who are the custodians of Australians’ data, to prevent and remediate harm to individuals caused through the handling of their personal information.”
The other silver lining could be that, if Finance Minister Stephen Jones was correct, the attack was not perpetrated by sophisticated “bad actors” in the service of a foreign power but by a “kid in a garage” who knew how to use an API.
After all, the hacker asked for a ransom of only AUD1 million in a cryptocurrency called Monero, which seems a cheap price for all the trouble the hack caused.
Lachlan Colquhoun is the Australia and New Zealand correspondent for CDOTrends and the NextGenConnectivity editor. He remains fascinated with how businesses reinvent themselves through digital technology to solve existing issues and change their entire business models. You can reach him at [email protected].
Image credit: iStockphoto/Deagreez