Optus data breach, the Government takes issue with Optus and a class action is being mooted

September 26, 2022

Optus’s woes continue. This time the Minister for Home Affairs has taken issue with Optus over its cyber security and its response to the data breach, in a none too subtle answer to a Dorothy Dixer in the House of Representatives today. It is hardly surprising. Optus has handled a particularly difficult situation particularly badly. For an organisation of its size, and with no doubt an understanding of what happens in other parts of the world, its response to the data breach has been ponderous, vague, defensive, apparently aggressive when dealing with frustrated consumers, and lacking in transparency. If there was a data breach response plan, it was thrown out the window late last week and replaced with not much at all.

The Hansard of Ms O’Neil’s answer provides:

Mrs PHILLIPS (Gilmore) (14:12): My question is to the Minister for Home Affairs and for Cyber Security. What action is the Australian government taking as a result of the Optus data breach?

Ms O’NEIL (Hotham—Minister for Home Affairs and Minister for Cyber Security) (14:12): I thank the member for Gilmore for this very important question. On Wednesday 21 September the Australian government was advised by Optus of a significant cybersecurity breach. Optus have advised that this breach has revealed some personal data of 9.8 million Australians. Of those, 2.8 million Australians have had significant amounts of their personal data taken. Responsibility for this security breach rests with Optus, and I note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country. Very substantial support has been provided by the Australian government, and I credit the work of the Australian Signals Directorate, the Australian Cyber Security Centre and the Australian Federal Police in that support.

For the Australian government more broadly, our focus now is on doing whatever we can to help protect Australians who are affected by this breach. This is a very large, multi-agency effort which has seen many hundreds of public servants work through recent public holidays, through the night and straight through the weekend, and the Albanese government thanks them for their efforts. The Australian government, the ACCC and APRA are engaging with the banking sector to see what additional steps can be taken to protect customers. This is complex. It’s legally and technically complex, but we are working on a solution. We will also be providing additional protections on government platforms such as myGov.

We expect Optus to continue to do everything that they can to support their customers and former customers. One way that they can do this is by providing free credit-monitoring to impacted customers. It will help protect those customers against identity theft, and I call on Optus to make that commitment today. Put yourselves in the shoes of the customer—you might be one of the member for Gilmore’s constituents living in Bateman’s Bay or Nowra, you might be a pensioner whose information has been stolen. This is a time of intense anxiety, and I say to Optus: you can do something about this problem today, and we ask you to do that.

A very substantial reform task is going to emerge from a breach of this scale and size, and there are a number of policy issues that I think that the public will soon become quite aware of. One significant question is whether the cybersecurity requirements that we place on large telecommunications providers in this country are fit for purpose. I also note that in other jurisdictions a data breach of this size would result in fines amounting to hundreds of millions of dollars. I really hope that this reform task is something that we can work on collaboratively across the parliament. I will speak in coming days about how we will work through those issues in conjunction with other members of parliament.

The Guardian, in Optus faces potential class action and pledges free credit monitoring to data-breach customers, has reported on Minister O’Neil’s scolding and on the class actions being considered. And there is an op-ed in The Australian, Optus customers are right to be ropeable, which is all about taking Optus to pieces for allowing the data breach to happen.

The Guardian article provides:

Home affairs minister Clare O’Neil says company to blame and flags new laws with large fines for such breaches

Optus has agreed to provide free credit monitoring to the millions of customers caught up in its massive data breach, as the home affairs minister flags changes to law to potentially fine companies millions for similar breaches.

The company on Monday said it had informed all customers via email or SMS if they had had their passport or driver’s licence numbers compromised in the breach last week.

The breach affected 9.8 million customers, of whom 2.8 million lost “significant amounts of data”, the home affairs minister, Clare O’Neil, told parliament on Monday.

The law firm Slater and Gordon has announced it is investigating launching a possible class action against Optus on behalf of customers. The firm’s class actions senior associate, Ben Zocco, said the breach was “potentially the most serious privacy breach in Australian history”.

The company announced on Monday afternoon that a 12-month subscription to Equifax Protect credit monitoring would be offered to all affected customers, and customers could expect to receive an email about how to start the service in the coming days.

Such services keep track of changes to a person’s credit history and watch for any suspicious activity.

O’Neil told parliament “the breach is of a nature that we should not expect to see in a large telecommunications provider in this country” and that she had asked the chief executive of Optus for credit monitoring services to be provided for affected customers.

O’Neil said the breach raised substantial policy issues, and flagged the potential for new laws with large fines for such breaches.

“One significant question is whether the cybersecurity requirements we place on large telecommunications providers in this country are fit for purpose. I also note that in other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars,” she said.

The minister did not refer to the incident as a cyber-attack. Reports on how the personal information was accessed have thrown into question the company’s claim that it was as a result of a “sophisticated attack”.

A user going by the name “optusdata” has posted on a data-leak site claiming they had obtained the data, and had offered to sell it back to Optus for $1m in cryptocurrency in the next week. The user posted a sample of the data, including 100 records. Multiple reports have suggested that these records are legitimate Optus user data.

The cybersecurity journalist Jeremy Kirk reported that the user claimed they obtained the data not through a sophisticated attack on the company’s systems but through an application programming interface (API) connecting Optus’s customer database.

An API is used to allow systems to transfer data. When left open on the internet without requiring authorisation, it is not difficult for people to gain access to the data.

When contacted by Guardian Australia on the data leak forum, the user claimed this was how they found and extracted the data from Optus. The API is now offline.

The Australian Federal Police announced on Monday officers were working with overseas law enforcement to identify who was behind the attack.

“Criminals, who use pseudonyms and anonymising technology, can’t see us but I can tell you that we can see them,” assistant commissioner Justine Gough said.

“It is an offence to sell or buy stolen identification credentials, with penalties of up to 10 years’ imprisonment.”

Samantha Floreani, program lead at Digital Rights Watch, said having an API online without proper authentication checks for those who access it would be akin to Optus publishing the data.

“This breach is a clear example of the dangers of collecting and storing large amounts of personal information and shows why we need reform to the Privacy Act as well as a strong, well-resourced regulator to enforce it, including access to harsher penalties when companies get it wrong.”

Optus’s head of corporate affairs, Sally Oelerich, would not confirm the reports when asked on 2GB radio on Monday.

“Obviously that’s on the internet. But no one’s picked up the phone and called us, so to speak,” she said. “I cannot actually validate whether that’s even legitimate. And part of that is, again, it’s under investigation.”

The data-leak forum user told Guardian Australia on Monday they had not yet had contact with Optus. They claimed they were not interested in the attention the breach had brought, and “just want money, like everyone”.

A long-awaited review of Australia’s privacy law was also expected to be finalised before the end of this year. The attorney general, Mark Dreyfus, said his department was working through “the many submissions and feedback” to produce a final report that will be made public once the government had considered it.

Optus’s chief information security officer left the company in August after four years in the role, ITNews reported. In a LinkedIn post, Dr Siva Sivasubramanian said it was “sad and shocking” what happened to Optus, and “my heart bleeds for them”.

“I have offered my services and support to the current cyber management team in this hour of crisis.”

Optus has been approached for comment.

The Australian article provides:

Data breaches can happen to anyone. But the nation’s second largest telco has let down its 10 million customers multiple times – firstly by allowing their data to be taken, but secondly – and perhaps more egregiously – taking days to let those customers know, and going first to the media.

Last week’s massive data breach, first reported by The Australian, is already looming as a future history lesson in cyber security.

One of Optus’ first mistakes was to have that amount of sensitive data of millions of customers all in one place.

The troves of data were reportedly not taken in a cyber attack per se, but by an open API endpoint.

This is the cyber equivalent of leaving the front door open, then being shocked that someone would come in and try to take everything.

The hacker, known online as ‘Optusdata’, is now attempting to extort Optus for $US1m in cryptocurrency.

The pain associated with that mistake, while significant, could have been somewhat eased had the company been quick to contact its 10 million or so affected customers. It didn’t, instead going through the media.

Chief executive Kelly Bayer Rosmarin performed strongly in front of reporters at a press conference on Friday, diligently and honestly answering as many questions as she could.

But the people with the most pressing questions are not journalists, they’re Optus customers.

There is a palpable anger now and frustration among customers, many of whom say they are still yet to receive any notification that their personal information was caught up in the breach.

Millions across the country now face an anxious wait to see what comes next.

Our new shiny digital era has brought with it a lot of promise.

But central to that notion is trust – that the companies to which we hand over all our private and sensitive data will treat it with respect.

Obviously no user is ever truly fully safe online, and no company is not at risk from a data breach or cyber attack.

Common sense can go a long way when it comes to how we interact online.

But Optus customers in this case are not at fault, and could not have foreseen such a shocking outcome.

There are different ways to handle an incident when you are a victim, and Optus has been too slow in trying to make things right.

The telco now faces a mounting class action lawsuit, and millions of angry customers, many of whom are likely already lining up at a Telstra or TPG store to change provider.

The government will now likely change the law to force a company like Optus to be faster in contacting affected customers in future.

Local Optus executives will this week face an angry Singtel board, who are visiting from their head office in Singapore, but that’s cold comfort for the 10 million current and former customers who through no fault of their own have had some of their most sensitive data stolen.
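Both quoted articles turn on the same technical point: an API that hands back customer records without requiring the caller to prove who they are is, as Digital Rights Watch put it, much the same as publishing the data. The following is an added example, not code from Optus, the Guardian, The Australian or this post, that models a record-lookup endpoint two ways: the exposed pattern, where any caller who can reach the endpoint and supply an integer id gets the record back, and a hardened version that requires a session token, checks it in constant time, only ever returns the caller's own record, and logs every refusal so that a burst of denied requests is visible to monitoring. The customer records, field names, ids and the session store are all constructed for illustration.

```python
# Added example (not Optus's or any article's code): a record-lookup endpoint
# modelled two ways. Data, ids and the session store are constructed here.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample records; the field names are assumptions for illustration.
CUSTOMERS = {
    1001: {"name": "Customer A", "licence_no": "LIC-0001"},
    1002: {"name": "Customer B", "licence_no": "LIC-0002"},
}

Response = Tuple[int, Optional[dict]]  # (HTTP-style status, body)


def lookup_open(record_id: int) -> Response:
    """Exposed pattern: the endpoint trusts whoever reaches it.

    Any caller who can supply an integer id gets that record back. There is
    no identity and no check that the record belongs to the caller, which is
    the 'publishing the data' failure the articles describe.
    """
    rec = CUSTOMERS.get(record_id)
    return (200, rec) if rec else (404, None)


# Hardened pattern. Sessions are stored as SHA-256 digests of the bearer
# token, so a leaked store does not yield usable tokens, and compared in
# constant time. Denied requests are recorded so that a run of 401/404s
# from one source shows up in monitoring.
_SESSIONS: dict = {}   # token digest -> customer id (constructed store)
DENIED_LOG: list = []  # (reason, record_id) for each refused request


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_session(customer_id: int) -> str:
    """Mint a random bearer token for an already-authenticated customer."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[_digest(token)] = customer_id
    return token


def _authenticate(token: Optional[str]) -> Optional[int]:
    """Map a presented token to a customer id, or None if it is not valid."""
    if not token:
        return None
    presented = _digest(token)
    for stored, customer_id in _SESSIONS.items():
        if hmac.compare_digest(stored, presented):
            return customer_id
    return None


def lookup_hardened(token: Optional[str], record_id: int) -> Response:
    """Require a valid session and only ever return the caller's own record."""
    caller = _authenticate(token)
    if caller is None:
        DENIED_LOG.append(("unauthenticated", record_id))
        return (401, None)
    if caller != record_id:
        # Return 404 rather than 403 so the response does not confirm that
        # other customers' ids exist.
        DENIED_LOG.append(("not_owner", record_id))
        return (404, None)
    rec = CUSTOMERS.get(record_id)
    return (200, rec) if rec else (404, None)


if __name__ == "__main__":
    print(lookup_open(1001))             # record returned to anyone
    token = issue_session(1001)
    print(lookup_hardened(None, 1001))   # (401, None)
    print(lookup_hardened(token, 1001))  # caller's own record
    print(lookup_hardened(token, 1002))  # (404, None)
    print(DENIED_LOG)
```

The two lookups take the same record id; the only difference is that the hardened one binds the request to an authenticated identity and refuses to serve anyone else's record. In a real service the session check would sit in middleware in front of every endpoint, and the denied-request log would feed an alert on volume per source, which is the signal that catches bulk enumeration early.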
