Optus data breach, the remediation and no shortage of continuing recrimination

September 28, 2022 |

Data breaches in other jurisdictions rarely draw governments into both the circumstances of the breach and the steps taken to remedy it. Usually regulators are the limit of governmental involvement. There have been exceptions: the Cambridge Analytica scandal involving Facebook attracted widespread condemnation from political parties across multiple jurisdictions. But the Federal and now State Governments' involvement in the Optus data breach, both as critics and as active participants, is unusual, probably because it is such a massive breach and it involves a major telco. Whether this is good practice remains to be seen. The initial and ultimate responsibility for cyber security and for remedying a data breach lies with the organisation itself. The Federal Government's critical role is to ensure there is an appropriate level of regulation and a regulator which is willing and able to enforce the laws.

The Australian reports in Scramble to save millions of Optus customers that Australians are in the dark about the security of their personal information and that governments and banks are working to protect them. It reheats a story first run by the Guardian that Optus resisted legislative change to the privacy laws.

The article provides:

Nearly 10 million Australians remain in the dark over the security of their personal information as Optus, the banks and state and federal governments scramble to protect victims of the telco’s massive data breach from a wave of identity theft and online scams.

The Australian can reveal Optus resisted multiple federal government efforts to tighten cyber-security obligations for big companies before 9.8 million of its customers’ details were stolen last week, complaining new data laws would impose unnecessary costs on its operations.

As an individual claiming to be the Optus hacker apologised and declared the stolen information had been deleted, the federal government was preparing to launch a major review of the nation’s cybersecurity legislation.

The NSW, Queensland and Victoria governments offered low- or no-cost licence replacement for those affected by the Optus cyber attack, to prevent their identities being stolen.

Foreign Minister Penny Wong said the government would consider waiving fees for those who wanted to replace their passports because of the Optus hack.

Banks will also receive details of customers whose information has been compromised in coming days under federal government measures to prevent their accounts being hijacked.

Attorney-General Mark Dreyfus revealed on Tuesday that the US Federal Bureau of Investigation was among the international agencies helping Australian authorities to investigate the massive data breach.

The purported hacker claimed he or she had abandoned a $US1m ransom demand, saying there were “too many eyes” examining the theft. “We will not sale [sic] data to anyone. We cant (sic) if we even want to: personally deleted data from drive (only copy),” the alleged hacker said on online discussion forum BreachForums.

The hacker claimed to have released the data of 10,000 Optus customers, but then said they had deleted the data. Cybersecurity experts expressed scepticism over the claimed backdown, with one suggesting that the telco’s parent company Singtel had quietly paid the ransom demand without telling its Australian subsidiary. Optus denied the claim.

Other cyber experts said the hacker could have already sold the data or be sitting on it to sell later.

The development came amid growing pressure on Optus, with sources saying the number of the telco’s customers with extensive records stolen was more than the 2.8 million it originally disclosed.

Law-enforcement sources said they were continuing to investigate the data theft.

Mr Dreyfus suggested negligence by the telco, declaring Australians’ data should never have been exposed in such a way. “We know that millions of Australians have been impacted by the Optus data breach, and it is a data breach which should never have happened,” he told parliament.

He said the government was alarmed to discover that Optus customers’ Medicare details had also been exposed in the breach, which the telco failed to disclose.

Mr Dreyfus said the Australian Federal Police was devoting “huge effort” to investigating the breach with the support of other agencies and the FBI. His comments followed those of Home Affairs Minister Clare O’Neil on the ABC’s 7.30, declaring the breach was not a sophisticated cyberattack.

“We should not have a telecommunications provider in this country which has effectively left the window open for data of this nature to be stolen,” Ms O’Neil said.

Optus chief executive Kelly Bayer Rosmarin defended the company’s actions, saying: “We are not the villains. It’s clearly not as simple as has been written in the press, but what I can say is our customer data is encrypted and there are multiple levels of security.”

The NSW government has issued instructions for customers to apply for a replacement driver’s licence, with Customer Service Minister Victor Dominello saying Optus will notify customers in coming days if their licence number was stolen in the hack.

To apply, residents with a digital driver’s licence should head to the Service NSW app to be immediately issued an interim card number, which can be used instead of a plastic licence card.

Transport and Roads Queensland will replace licences free of charge to its residents impacted by the hack.

Victorians affected will be eligible for a new driver’s licence, with Optus expected to reimburse the cost.

In evidence to the parliamentary joint committee on intelligence and security last year, Optus pushed back against proposed laws to strengthen protection of critical infrastructure, saying they would add to “high commercial stresses on the communications industry”.

The telco said the security objectives of the proposed legislation “should be balanced against the financial and administrative burden on the regulated entities which own and operate critical infrastructure”.

In its response to the 2020 Cyber Security Strategy review, the telco also resisted legislated penalties for cyber failures.

Former committee chairman James Paterson said Optus was “one of the loudest stakeholders complaining about the regulatory burden” of critical infrastructure changes last year that placed additional responsibilities on telcos to protect their networks.

“The committee and the government rightly ignored their pleading for special treatment and ensured they were subject to robust cyber security obligations,” Senator Paterson said.

Senator Paterson’s successor as chairman, Labor’s Peter Khalil, said the Coalition had “failed to turn on any cyber-security obligations for the telecommunication sector”. He said Labor switched on the cyber-security obligations under telecommunications laws in July “because we saw this massive gap”. He said the Albanese government would undertake an immediate review of cybersecurity laws.

The Australian Strategic Policy Institute’s Fergus Hanson said the likely perpetrator of the data breach appeared to be a “rank amateur” who “freaked out” after realising they were over their head. CyberCX chief strategy officer Alastair MacGibbon, a former Australian Cyber Security Centre head, said Ms O’Neil was “100 per cent correct” when she said the breach was unsophisticated.

Meanwhile, the criticism of Optus’ failure to advise that Medicare numbers were amongst the stolen data continues, with Medicare data in Optus breach ‘very concerning’: Butler, which provides:

Health Minister Mark Butler said the federal government has largely been kept in the dark by Optus about the nature of the information in its major data breach.

“We only found out yesterday, as I’m advised, that included within the data that has been lost is Medicare details,” he told ABC Radio National.

“We were not notified that among passport details, drivers’ licence details and others that Medicare details had also been the subject of this breach.

“We’re very concerned about the loss of this data and working very hard to deal with the consequences of that, but particularly concerned that we were not notified earlier and consumers were not notified earlier about the breach of Medicare data.”

Mr Butler said the government didn’t know just how many people had had their Medicare details leaked, but they were looking at reparations.

“We’re looking at (getting people new Medicare numbers). We’ll have more to say about that as soon as we can, but we’re looking at that very closely,” he said.

“Right now, all the resources of government are going to protecting consumers in the face of this extraordinary breach of their personal data.”

Facing calls from state and territory governments to remove the 6.5 per cent cap on annual hospital funding increases, Mr Butler said he did not believe the motion was necessary.

“I’m not convinced, on the advice I have, that the 6.5pc cap is going to breach this year.

“There are substantial constraints on hospital activity right now mainly due to the workforce, but the advice I have is that we’re not going to breach the 6.5pc cap.

“We’ve made sure that hospitals are in a good position over the course of the rest of the year to deal with the increase in Covid activity… and we’re committed to making sure that we share responsibility for the additional health care costs that this pandemic is imposing.”

And, inevitably, there is a 22-minute podcast produced by the Guardian.
