The Optus data breach could go down as the biggest in Australia’s history — and thanks to our laws, there’s little recourse for anyone affected.
Yesterday, the telecommunications company acknowledged it was investigating a cyberattack that allowed intruders to access former and current users’ details.
“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” Optus CEO Kelly Bayer Rosmarin said in a statement.
The company told Crikey that it went public and alerted authorities within 24 hours of “establishing that that customer’s information had been compromised”.
The Australian reported that 7 million customers had their name, date of birth, phone number and email address stolen. For 2.8 million of them, this also included postal addresses and passport and driver’s licence numbers.
This is an enormous number of people who’ve had important and — crucially — very difficult to change details exposed. If those affected were their own Australian state, they’d be the second in population behind New South Wales. Previous large hacks at Canva and Ubiquiti (which both affected tens of millions of people) were for global companies, whereas Optus is an Australian company with predominantly Australian customers.
The motivations of the hackers aren’t known yet. The intruders are from overseas (not from China, Nine reports), but it’s not known yet whether they are part of a criminal or a state-based group. None of the details obtained have turned up on the internet — yet. Home Affairs and Cybersecurity Minister Clare O’Neil has acknowledged the hacking. Her opposition minister James Paterson said he’s seeking an intelligence briefing on the attack.
So, what does this mean for Australians who’ve had their details exposed? Millions of people now have identifying information that could be publicly released at any point in the future. This information could be used for identity fraud, scams or to facilitate other harm (for example, using someone’s details to try to access their email or phone).
Optus has advised customers to have “heightened awareness” across their accounts and to refer to information provided by the Office of the Australian Information Commissioner (OAIC) and Moneysmart. Essentially, it’s on each of the 7 million individuals affected to protect themselves against the harm that may come from Optus’ management of their sensitive data. Good luck and may the odds be ever in your favour!
Kate Bower, consumer data advocate at consumer advocate group CHOICE, said that this response shows the limits of individualised response.
“There’s no monetary remedies or redress for those affected in these breaches. That’s becoming more of a problem as more of our information is out there with hundreds of companies,” she told Crikey.
Bower highlighted the need for a statutory tort for serious invasion of privacy (which would allow people to pursue legal recourse). As it stands, Australia has no tort of invasion of privacy. Going back a decade, the Australian Law Reform Commission was asked to design one by then attorney-general Mark Dreyfus. The commission’s report was ignored by the subsequent Coalition government when delivered in 2014. Groups such as the OAIC and Law Council of Australia have argued in their submissions to the ongoing review of the Privacy Act that a tort is sorely needed.
Bower also suggested introducing stronger penalties for breaches to incentivise companies to do more to protect Australians’ information while also providing more resources to the OAIC to help companies before it happens.
“Ultimately, it will happen. We need to be able to protect people as much as possible,” she said.
I know from experience that in many companies their IT infrastructure is not up to scratch mostly because there’s ALOT of IT people who simply don’t understand how many of the technologies they work with, actually work. Misconfiguration and outdated software is in abundance. Or DIY databases from “hobbyists” which often have become a critical point in the chain of infrastructure. Its incredible that there are still no regulated thresholds for meeting certain standards (including large fines for not complying – so large that a company will want to invest in proper systems and skills) with regards to data protection – at least for those corporations that store alot of sensitive data. Aswell as compensatory recourse when it goes wrong.
Every single time it’s a ‘oops my bad, sorry, but you’re on your own’ – they may lose a couple of customers but the damage keeps being done to the customer.
Actually, there are many smart people working in the field of IT security. (Disclaimer: I am not and have never been one of them.) One of their biggest problems is that security is in almost direct opposition to convenience, and the Security people are not the ones who win those arguments.
This breach has been announced as “hackers broke through a firewall”, which is one of the usual excuses. Taking a wild guess, the more accurate reason is likely to turn out to be one of:
(a) our Marketing people went out and bought some flashy application without consulting IT and the vendors insisted that it needed to bypass the firewall and directly access the internet if it was going to make the pretty graphs it was purchased for; or
(b) somebody senior decided that accessing the internal network using their iPad (the one that has to be replaced periodically because they keep leaving them in Ubers) on the plane was too hard, what with that “2-finger authenticity stuff” so exceptions naturally had to be made; or
(c) “Oh, you want my username and password? Sorry. It’s the accent – it took me a moment to figure out what you were asking. Okay, but it’s tricky – the ‘O’ is a zero.”; or
(d) “I know I said the same thing last year and the year before, but you can’t have a new firewall even if ours is no longer supported. We’ve spent all the money on the consultants updating our old website.”
There is only so much the IT Security people can do and the majority of staff in most organisations appear to be on the side of the “hackers”.
100%. Agree.
Usability is inversely proportional to security (generally).
After all, the easiest to access systems have no authentication at all!
So yes, the security folks always get overruled because the users/customers/minister dont like it being ‘too hard to use’.
And most organisations are swimming in ‘technical debt’ with systems that are years or even decades (Im not joking) out of date and literally cannot be properly secured. But the budget is spent on new stuff cos fixing the old ain’t popular.
How about board level accountability with criminal sanctions for cyber-security negligence? That would focus the executive decision makers minds a bit…….
I mostly agree with that. I think board level is a bit too high and too abstract – I’d go with C-suite, with the CEO by default unless the company has a dedicated CIO/CTO role to take the blame. I’d agree with board-level in cases where the CIO can show that he asked for relevant funding, the CEO supported it and the board turned them down.
Negligence could be proven by an email chain showing the Security staff making a recommendation which is either turned down or ignored (since the most obvious means of avoiding blame is just to answer the email with an unrecorded, verbal, “No”.
Billing and cost recovery systems are working just fine, thank you for your concern – nothing of any consequence or customer importance to be seen here. All our fine OPTUS folk on company accounts they do not have to pay for are not affected.
Nervous about this personally, but I suppose something like this was inevitable. If not Optus, then one of the myriad other places that may or may not have sensitive data.
My main question for Optus in particular is why they’d keep sensitive information like that on file. Collect if needed, then discard the moment it’s used for verification!
I suspect that the government requires Optus keep the information because terrrrrrr.
I dumped Optus about 18 months ago because of their pathetic service (I’d been with them for 20 years beforehand. I thought I was safe from this attack but this article states that FORMER customers are vulnerable. The question to be asked is why have they information on FORMER customers and does the government force them to keep this information?
Customer records need to be retained for various statutory periods.
https://www.google.com/url?sa=t&source=web&rct=j&url=https://treasury.gov.au/sites/default/files/2022-03/c2022-250645-cdr_design_paper_tele.pdf&ved=2ahUKEwjywbXEh6r6AhUSumMGHaqJCm4QFnoECBUQAQ&usg=AOvVaw3jXsIhvohpCyrTXlfiTwMt
Interestingly, the paper is more concerned with the rules for sharing consumer data rather than protecting it. Hence it has a discussion about requiring carriers to retain the data of closed accounts ‘for at least 2years’.
They need to turn that around. If there is good reason to retain the data (?) then they need to decide how long and then require that it be deleted beyond that point.
Sensitive consumer information shouldn’t be left hanging around and vulnerable on Optus servers on the off chance it might be commercially useful to them in the future.
It can be required for commercial reasons as well such as matters before the Telco Ombudsman etc (can well and truly post-date customers leaving) and data is required for lawsuits, police investigations etc etc. It’s complicated unfortunately.
Typically old data remains on primary Tier 1 storage for (whatever) period and is then archived to lower Tier storage (read cheaper) thereafter before eventually being purged.
I can’t see why the ombudsman would need details like licence or passport numbers and the police could access those details via government agencies if they needed them.
I also wonder, if the data of closed accounts is archived, does it really need to be available online? For that matter, why does the carrier need to have current customers’ drivers licence or passport numbers accessible on line? It sounds like it is about what is easy and convenient for them and really irresponsible.
Nothing to do with the Ombudsman. The ID records would be required to prove compliance with Government ID laws. The Ombudsman isn’t the only game in town you realize? Multiple regulations are involved.
I doubt the data concerned was online in itself. Websites usually link to an internal database via various web and other authentication amd application servers. The Website is just the external access point they probably used to access Optus internal systems is all.
Not enough information available as yet.
My guess is laziness, or more specifically that the processes are about collection rather than retention. Since collection and use of the data would be critical to the business processes, the processes to collect it would be well established, but once they’re collected you’d need further processes for clean-up and those sorts of things aren’t business critical unless forced by regulation. It’s only potential reputational damage that might motivate them to put in place sensible data deletion mechanisms.
If nothing else, hopefully other large businesses across Australia are seeing what Optus is going through and making internal inquries to what their risk is.
Isn’t it reassuring that, even if OPTUS can’t care for its own back office, inquisitive, helpful world citizens have anonymously come forward to show them how easy it is to find the wood among the trees.
Much of the info they collected is not required to ask/retain by loaw.
Identification details are required for all Telco services and the rest is just Billing info.
https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/data-retention-obligations
Yep. I just got contacted as a “former customer” but I haven’t been an Optus customer in the 2017-present date range they are saying were affected, so something fishy is going on.
The CEO and Executive Management bonuses will skyrocket this year. Corporate Australia rewards blunders all the time – Qantas approaching Ryan Air status and Joyce and the Executive Management team have been handsomely rewarded, not to mention the 2 billion dollars from Australian taxpayers as well. I was an IT Manager in large corporates for 20 years and my number 1 KPI was ZERO security breaches. There is technology available to achieve this, plus you need to run IT with an Iron Fist. My favourite saying when people complained was that we aren’t running a milk bar, we are running a business that turns over hundreds of millions of dollars, is available 24 x 7 for internal and external customers and there is no way that is being jeopardised. Any yes, I always met my KPI’s so it can be done. Just got to know how to do it. And if there are 3rd parties managing this, what are the SLA’s and penalties….if any.
Apparently optus have begun contacting customers to let them know whether they are affected by the breach and others are having to contact optus to find out.
This raises the question, if you are a former customer, how do you find out?
That is my situation. Obviously I dont have an optus email that they can contact me on. I can’t access their app because I am no longer a customer. Phoning them doesn’t work because I can’t get as far as talking to a human being without an account number.
It is an outrageous situation that a company I no longer have a contract with, holds my information and, it is even more outrageous that I can’t even find out if the idiots have let criminals access it.
Try calling them or using chat on their website? I’m potentially in the same boat as you BTW.
I was an Optus customer some years ago but left them over a security breach on my account which allowed a criminal to change details of my account and then use it to order goods. Staff at Optus were particularly unhelpful and unconcerned over the issue. This company has form.