Optus data breach: politics starts intruding as scalp-hunting season opens, to the detriment of fixing the problem.
September 27, 2022
At the end of this debacle it is likely that there will be changes of personnel at Optus, and not just the Chief Executive feeling some pressure to find greener pastures. The head of IT, the in-house media unit, the privacy officer, the head of the in-house legal team and probably anyone who had any role in installing and operating cyber security should all be put under some scrutiny. All of them would have had some role in preventing the data breach and then remediating the damage. The latter has just been dreadful. But calling for the head of the Chief Executive at the moment is counterproductive and is a reversion to form in this field: short-term hits that distract from the boring hard graft of fixing the problem. It takes months, and sometimes longer, to resolve the problem in its technical, reputational and legal dimensions. And it takes lots and lots of money. Losing a chief executive, or any other high-level manager for that matter, gives politicians something to crow about, gives some customers some satisfaction and gives the media plenty of ink to spill. But it is most likely counterproductive for the company and for the victims of the hack.
Both the Government and the Opposition have increasingly wielded the knife in the public discourse. The Opposition Cyber Security Spokesman has been frenetically releasing posts attacking the Government's response and telling it to make cyber security a priority. The data breach is primarily Optus's problem to fix. Clearly Government resources are being put to use in fixing that problem; however, it is bad policy for the government to step into Optus's shoes, or even to have that option. From the Age's article "Optus boss digs in over cyberattack as government fury grows" it is clear that responding to the data breach is not confined to the lost personal information. The Government has moved from being a party that can assist to a more adversarial role, at least as far as the management of Optus is concerned.
The article provides:
The Albanese government has escalated its attacks on Optus over the company’s massive data breach, demanding to know why customers were not informed their Medicare numbers may have been accessed as part of the cyberattack that hit almost 10 million accounts.
The confrontation between the government and the telco followed an incident in which someone claiming to be the hacker released unverified details of 10,000 customers online but then withdrew demands that Optus pay $1.55 million to prevent the release of more customer data.
The purported hacker claimed they were attracting too much attention and had deleted the data as authorities including the Federal Bureau of Investigation (FBI) in the United States joined the Australian Federal Police's probe into the hack's origins.
“Deepest apology to Optus for this,” the anonymous poster said in a claim that prompted Optus to confirm it had not paid a ransom.
Pressure is growing on Optus boss Kelly Bayer Rosmarin, with opposition cybersecurity spokesman James Paterson calling on her to resign if the company’s defence of its security practices turns out to be misleading.
"The federal government and Optus must publicly clarify the facts about this hack, because if the Optus CEO has misled the public about the sophistication of the attack, or the encryption of the data or its protection, as the Minister has implied in her comments, then Ms Bayer Rosmarin's position is clearly untenable," Paterson said.
Bayer Rosmarin vowed to stay on in her job despite the attack, insisting the company was not a “villain” and rejecting the government’s accusations the company left itself open to a “quite basic” hack.
Clare O’Neil, the minister responsible for cybersecurity, doubled down on her criticisms of Optus, saying she was very concerned about reports that Medicare numbers were included in the hack.
“Medicare numbers were never advised to form part of compromised information from the breach,” O’Neil said in a statement. She said Optus should tell consumers exactly what personal information had been stolen from their accounts as a priority.
Optus customers were informed following the attack that ID document numbers had been compromised but driver’s licences and passports were given as examples, not Medicare.
Bayer Rosmarin said there was “misinformation” about her company’s cybersecurity but did not deny that personal customer information was accessed through an application program interface — a common way for computers to exchange information.
“Our data was encrypted and we have multiple layers of protection,” Bayer Rosmarin said on Tuesday morning. “So it’s not the case of having some completely exposed API sitting out there.”
The hacker claiming to be behind the Optus data breach has apologised for threatening to leak the information of 10,000 customers.
O’Neil said on Monday night that Optus had “effectively left the window open for data of this nature to be stolen”, flagging bigger fines for data breaches, tougher laws on telecommunications companies and reforms to consumer information rules.
James Paterson, the opposition spokesman for cybersecurity, said he agreed with O’Neil that it was not a sophisticated cyberattack. Responding to enquiries from Paterson, Foreign Minister Penny Wong told the Senate the government would consider whether to waive fees for new passport applications for Optus customers affected by the hack.
Attorney-General Mark Dreyfus revealed the FBI, America’s principal law enforcement agency, was assisting the AFP in Operation Hurricane, its investigation into who was behind the attack.
Bayer Rosmarin argued Optus should not be seen as the wrongdoer and was doing everything it could to help customers. “We are not the villains,” she said. But she pushed back against the introduction of major new fines for companies that allow data to be breached while also saying Optus would take “full responsibility” if investigations found it had made an error.
“I’m not sure what penalties benefit anybody,” Bayer Rosmarin said.
Asked whether she would take responsibility for the hack occurring on her watch and resign, Bayer Rosmarin said: “All we’re focussed on is protecting our customers. So, someone has to be accountable for doing that and that’s exactly what I’m focussed on.”
Optus' customers have been left fuming by the company's response, with many complaining of contradictory information from the company and difficulties replacing driver's licences.
In a post overnight by someone claiming to be the hacker behind the breach, the extortionist warned that 10,000 more records would be released each day over four days unless Optus paid a $1.55 million cryptocurrency ransom. That demand does not rank among the largest threatened by cyber criminals but is not among the lowest either.
On Tuesday morning, the purported hacker abruptly reversed course, saying: “Too many eyes. We will not sale [sic] data to anyone. We can’t even if we want to: personally deleted data from drive (only copy).”
An Optus spokesman said “we didn’t pay” after speculation the company may have transferred a ransom.
The veracity of the posts from the purported hacker has not been confirmed.
Optus has stressed that investigations are ongoing, as has the AFP, limiting what it can say. The recent hack has affected up to 9.8 million Australians, with 2.8 million having extensive data taken, including personal document identification numbers.