Post optus data breach discovery of the problems with privacy…which has been known about for decades
September 29, 2022
Writing about privacy and the deficiencies in the law is to feel like Cassandra, the Trojan priestess of Greek mythology who was given the gift of prophecy but was cursed by the god Apollo so that her true prophecies would never be believed.
With the Optus data breach, people have suddenly discovered the problems I have been writing about for years, as if it were a new discovery. That is typified by an ABC article, What does the Optus data breach reveal about corporate governance problems around cyber security?, the Australian Financial Review's Customer data should not be a corporate asset: Dreyfus, and another ABC article, Too much data collection means we’re more at risk of having personal details stolen, expert says. All interesting, but hardly anything new.
The What does the Optus data breach reveal article provides:
The Optus data breach has left the personal information of millions of customers exposed – and new information is still coming to light about exactly what information is out there.
Not to mention, who will use it and for what purposes.
Optus CEO Kelly Bayer Rosmarin issued a heartfelt apology – but she also said the company is not “the villain” and urged customers to be on high alert.
So, Optus isn’t to blame?
As Optus customers vigilantly avoid clicking links and figure out whether they need to replace their drivers licences, the data breach also revealed corporate governance issues around cyber security.
“Responsibility for the security breach rests with Optus, and I want to note that the breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” Home Affairs Minister Clare O’Neil told question time on Monday.
But Optus isn’t the only company that should be on notice.
“The truth is that what has occurred over the last week has been a wakeup call for corporate Australia,” Deputy Prime Minister Richard Marles said on Tuesday.
“Cyber security is right there in the top echelon of issues which face corporate Australia … and we need to be doing everything we can to make sure that protection is in place.”
How underprepared are Australian companies?
There have been warning signs that company boards are not well equipped to deal with the risks that come with constantly evolving technology and cyber security risks.
In May, the Australian Securities & Investments Commission successfully prosecuted a company for a data breach as a result of failure to manage its cybersecurity risks – it was the first time this happened in Australia.
“Boards need to realise that the new digital landscape is something they have to be prepared for,” CEO of the Governance Institute of Australia Megan Motto told The Drum.
Megan Motto agrees that the Optus data breach is a massive wakeup call for Australian companies big and small and it “should strike fear in the hearts of all directors and senior managers.”
“They need to have digital literacy in the same way that the Enron scandal forced company directors to wake up to financial literacy.”
The Governance Institute of Australia recently released the results of a survey that showed an overwhelming majority of respondents believe a company board should be involved in technology and cyber issues — 94 per cent.
However a third of respondents believed their organisation’s board lacked the ability to deal competently with these issues — 34 per cent.
Almost half of respondents believed their organisation’s management and protection of data was average — 41 per cent — or poor — five per cent.
“We expect [the Optus data breach] will galvanise organisations that are dragging the chain on this very serious – and real – risk,” Ms Motto said.
The Governance Institute of Australia is not the only one pointing the finger at Australian companies.
From the University of New South Wales, an analysis of the cyber security skills of ASX 100 company directors found that less than one per cent have cyber experience, and only 16 per cent have technology experience.
An alarming 80 per cent of boards have neither cyber nor technology backgrounds.
“Company directors need to assess cyber security just as they would any risk, making competent decisions to understand the nature of the risk and how their level of (under) investment in cyber security controls will impact customers and stakeholders,” said Nigel Phair, Director (Enterprise) for the UNSW Institute for Cyber.
Why data security needs to be a priority
In 2021, the Department of Home Affairs released a discussion paper that highlighted weaknesses in Australian cyber security regulations and incentives.
A submission by a major Australian telco, Telstra, outlined a couple of key factors preventing companies from adopting cyber security best practice:
“A confirmation bias (it won’t happen to me) leading to apathy in seeking to understand and mitigate the risk of an attack, or … not knowing where to start.”
“Many organisations are emerging from more than two crisis years,” Ms Motto said.
“But the pandemic accelerated the use of technology, and in many respects increased the risk of data and privacy breaches.”
“Issues such as data governance need to be brought back into the spotlight as a matter of urgency.”
Also, data security is expensive, and boards need to see the value in investing in cyber security.
“With the Optus case, we have highly sensitive data and affecting a third of Australians,” Ms Motto told The Drum.
“We have a reputational risk involved and a big financial risk involved – it should be seen through that lens.”
The Australian Financial Review article provides:
Companies will be discouraged from keeping customers’ personal data under a federal overhaul of privacy laws in response to the Optus data breach.
Attorney-General Mark Dreyfus confirmed that stiffer penalties for companies that fail to properly store data will also be on the agenda, saying personal information needed to be treated as a liability.
“For too long we have had companies solely looking at data as an asset they can use commercially,” he said.
“We need to have them appreciate very, very firmly that Australians’ personal information belongs to Australians, it’s not to be misused, it absolutely has to be protected and if the Privacy Act is not getting us those outcomes then we need to look at reforms to the Privacy Act.”
Mr Dreyfus would not be drawn on the size of potential fines that could be levied against companies. European regulators can fine businesses €10 million ($14.9 million) or 4 per cent of their global turnover, whichever is bigger.
“It needs to be something that concentrates the mind of the board members of big companies so that they can see that if there is a data breach it shouldn’t be just treated as a cost of doing business but that there is a very serious penalty there, enough to be a deterrent, enough to be an incentive for companies to behave with the caution that we expect of them,” he said.
A cyberattacker has obtained the personal information of 9.8 million Optus customers including names, addresses, email addresses, Medicare numbers, driver’s licence numbers and passport numbers, in what has been billed as the nation’s biggest data breach.
The Albanese government has reacted furiously to the breach and is demanding Optus foot the bill for replacement passports. The telco has already agreed to reimburse people for new licences.
While the government has an inquiry into the Privacy Act under way, Mr Dreyfus hopes to fast track some changes, so they are in place by the end of the year.
As well as tougher penalties, Mr Dreyfus will look at whether companies should be permitted to keep data long-term and laws that encourage them to dispose of data safely.
“If a company says we need to see your driver’s licence or we need to see your passport number that is for the purpose of establishing that you are who you say you are, but that should be the end, one might think, of the company keeping all that data,” he said.
“They don’t seem to me to have a valid reason for saying we need to keep that for the next decade. Obviously, the more data that’s kept the bigger the problem there is about keeping it safe, the bigger the problem there is about the potential damage that’s going to be done by a huge hack that’s occurred here.”
Mr Dreyfus said he would spend the next four weeks before parliament resumes examining whether it was possible to get stronger privacy protections in place before the end of the year.
More on the Optus breach
- Optus fraud risk lower than thought: ACT The risk of identity theft from the Optus data breach may be much lower than feared because the cyberattacker only gained partial driver’s licence records in most cases, the ACT government says.
- Nearly 37,000 Medicare details compromised in Optus hack Optus has finally confirmed the Medicare numbers were stolen in a massive data breach, days after it emerged these details may have been leaked.
- Banks, Treasury team up to protect Optus customers The government is set to approve the use of a little-known independent agency to transfer sensitive data between Optus and banks to protect customers from hacking.
- We need answers from Optus, but all are vulnerable to cyberattacks Amid the finger pointing, there should be no real shock about the massive data breach at Australia’s second-largest telco.
- Optus hack ‘could happen to anyone’ ex-Telstra boss warns David Thodey says every company will be hacked sooner or later and urged boards to be “vigilant” about online security.
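The "verify, then discard" principle in Mr Dreyfus's remarks above (use the driver's licence or passport number to establish identity, then stop holding it) is straightforward to implement, and it is the same point Professor Rao makes later about collecting data there is no need to keep. The following is an added example, not code from the original post or any of the quoted articles: a small Python identity-verification store that uses a document number only to perform the check, persists the outcome plus an HMAC-keyed reference (so the same document being reused across sign-ups can still be recognised), and purges even that reference once a retention period lapses. The class and function names, the pepper value, the document-shape rules standing in for a real verification service, and the sample customer and timestamp are all constructed for the illustration.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed example key; a real deployment would hold this in a secrets
# manager or HSM, never in source. Without a key, a leaked table of plain
# hashes of short numeric identifiers could be brute-forced trivially.
PEPPER = b"example-only-pepper-not-for-production"

# Constructed shape rules standing in for a real document-verification service.
_SHAPES = {
    "passport": re.compile(r"[A-Z]{1,2}[0-9]{7}"),
    "drivers_licence": re.compile(r"[0-9]{6,10}"),
}


@dataclass
class VerificationRecord:
    customer_id: str
    doc_type: str
    verified: bool
    doc_ref: str            # keyed hash of the document number, never the number
    verified_at: datetime


def check_document(doc_type: str, doc_number: str) -> bool:
    """Stand-in for the external identity check: validates only the shape."""
    pattern = _SHAPES.get(doc_type)
    return bool(pattern and pattern.fullmatch(doc_number.strip().upper()))


def doc_reference(doc_type: str, doc_number: str) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised document number. It lets the
    business recognise the same document reused across sign-ups without
    retaining the number itself."""
    msg = f"{doc_type}:{doc_number.strip().upper()}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


class VerificationStore:
    """Persists verification outcomes, not identity documents."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self.records: Dict[str, VerificationRecord] = {}

    def verify_customer(self, customer_id: str, doc_type: str,
                        doc_number: str, now: datetime) -> bool:
        ok = check_document(doc_type, doc_number)
        ref = doc_reference(doc_type, doc_number) if ok else ""
        # Only the outcome and the keyed reference are written; the raw
        # doc_number goes out of scope when this method returns.
        self.records[customer_id] = VerificationRecord(
            customer_id, doc_type, ok, ref, now)
        return ok

    def seen_before(self, doc_type: str, doc_number: str) -> Optional[str]:
        """Duplicate-document check using the keyed reference only."""
        ref = doc_reference(doc_type, doc_number)
        for rec in self.records.values():
            if rec.doc_ref and rec.doc_ref == ref:
                return rec.customer_id
        return None

    def retention_sweep(self, now: datetime) -> int:
        """Drop the hashed references once the retention period has passed.
        The verified flag is all the business still needs afterwards."""
        purged = 0
        for rec in self.records.values():
            if rec.doc_ref and now - rec.verified_at > self.retention:
                rec.doc_ref = ""
                purged += 1
        return purged

    def holds_raw_value(self, doc_number: str) -> bool:
        """Audit helper: does the raw number appear anywhere in stored state?"""
        return doc_number.strip().upper() in repr(self.records)


def demo() -> dict:
    """Walk through a sign-up, a duplicate attempt, a bad document and a sweep."""
    store = VerificationStore(retention=timedelta(days=90))
    t0 = datetime(2022, 9, 22, tzinfo=timezone.utc)   # constructed timestamp
    passport = "PA1234567"                            # constructed sample number
    results = {}
    results["verified"] = store.verify_customer("cust-1", "passport", passport, t0)
    results["raw_stored"] = store.holds_raw_value(passport)
    results["duplicate_of"] = store.seen_before("passport", " pa1234567 ")
    results["bad_shape"] = store.verify_customer("cust-2", "passport", "1234", t0)
    results["purged"] = store.retention_sweep(t0 + timedelta(days=91))
    results["duplicate_after_sweep"] = store.seen_before("passport", passport)
    results["still_verified"] = store.records["cust-1"].verified
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the duplicate check survives the verification step without the number: an HMAC with a server-side key gives the business the "have we seen this document before" signal, while a leak of the table on its own reveals neither the numbers nor anything that can be reversed by enumerating the small space of licence numbers. The sweep then removes even that reference, leaving only the fact that the customer was verified and when.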
The ABC article Too much data collection provides:
We’re more at risk than ever of having our personal data stolen, with so many businesses collecting and storing unnecessary amounts of personal information on their customers, a security expert has warned.
Professor Asha Rao, Associate Dean of Mathematical Sciences at RMIT University, says Australia needs new laws to prohibit companies from engaging in unnecessary data harvesting.
She says we also need “severe penalties” for companies that fail to protect customer data, similar to penalties for violations of money laundering and counter-terrorism financing laws.
Her comments come in the wake of the huge breach of customer data from the telecommunications giant Optus.
Prime Minister Anthony Albanese has also flagged an intention for a legislative crackdown.
Data-harvesting needs to stop
Professor Rao teaches the maths behind cryptography, which is the core of cybersecurity.
Her students have gone on to work for Australia’s biggest banks, major accounting firms, and Coles and Woolworths, among other businesses.
Professor Rao told the ABC this week that, because of the ubiquity of the internet, we were living in the most “dangerous” time in history for peoples’ personal data.
She said the demand from businesses for customers to hand over increasingly detailed personal information, for no apparent reason, had to stop.
“It’s absolutely dreadful,” she said.
“It’s what we call data retention, and function creep. They are collecting data that they have absolutely no need to collect.”
The Optus data breach included customer names, dates of birth, email addresses, postal addresses, phone numbers, Medicare card numbers, passport numbers, and drivers licence numbers.
The data was typical of the kind of information some companies demand from customers to prove their identity when signing contracts.
Professor Rao said too many companies were collecting and keeping far too much unnecessary information on their customers, and many failed to understand how important it was to protect the data.
“We need to have severe penalties for data breaches involving personal information,” she said.
“They need to bring in new laws, and [to] give all the [regulatory] agencies some teeth.
“It’s the most dangerous time for humans’ personal data, and it’s getting worse, because everything is online,” she said.
In a recent paper, Professor Rao and her colleagues Tracy Tam and Joanne Hall found small businesses were also facing more problems, because they were increasingly becoming attractive targets for cyber-criminals but lacked the means to combat it.
“Our research found that small businesses tend to operate differently from large corporations due to their size,” their paper said.
“One phenomenon is the tendency to mix personal and business use in devices.
“The rising use of cloud services by small business also raises questions around liability and the control and visibility a small business actually has over its IT security,” it said.
Cyber threat a growing problem
Australian authorities have been aware of the problem of cyber security for a long time.
Between July 1, 2019, and June 30, 2020, the Australian Cyber Security Centre (ACSC) says it responded to 2,266 cyber security incidents at a rate of almost six per day.
According to a study commissioned by Microsoft in 2018, cyber incidents targeting small, medium and large businesses were already potentially costing Australia’s economy up to $29 billion a year.
Australia’s Cyber Security Strategy 2020 also warned that Australians were being targeted online by a range of different groups.
“The barrier for entry into cyber criminal activity is very low,” it said.
“Underground online marketplaces offer cyber crime-as-a-service or access to high-end hacking tools that were once only available to nation states.
“Malicious actors with minimal technical expertise can purchase illicit tools and services to generate alternative income streams, launder the proceeds of traditional crimes or intrude into networks on behalf of more sophisticated adversaries.”
In a public submission to the strategy in 2019, Sapien Cyber warned that the consequences of attacks in Australia were “increasing in severity” as information systems become more central to business and society.
Prime minister flags intention to change law
On Wednesday, Prime Minister Anthony Albanese told parliament that Australian laws needed an overhaul.
“When customers hand over their data to companies in Australia, they expect that it will be kept safe and this kind of data breach should be an absolute wake-up call to corporate Australia,” he said, regarding the Optus data breach.
“Clearly, we need better national laws, after a decade of inaction, to manage the immense amount of data collected by companies about Australians, and clear consequences for when [companies] do not manage it well.
“We are committed to protecting Australians’ personal information and to strengthen privacy laws through the privacy act review.”