Optus data breach: Optus dragged into covering more costs as the breach becomes a mini political battleground

October 2, 2022

Optus is very slowly applying the basic principles of a data breach response plan, but so grudgingly and reluctantly that the benefits of having a plan are lost. It refused to provide any help initially to those affected, merely suggesting they get assistance from services it helpfully listed in its original letter. That never works. So it engaged Equifax to help “most affected customers.” Still miserly. It wasn’t candid about what personal information was compromised. It failed to say that some Medicare numbers were part of the hacker’s haul. That brought on a savage response from the Home Affairs Minister.

With Operation Guardian, the taskforce investigation by the Australian Federal Police to find the hacker, the focus has shifted ever so slightly away from the incredibly poor response to the data breach. On 30 September Optus, the Australian Federal Police and other agencies and organisations issued a joint media release about the Optus data breach which states:

The AFP and state and territory police have set up Operation Guardian to supercharge the protection of more than 10,000 customers whose identification credentials have been unlawfully released online under the Optus data breach.

Customers affected by the breach will receive multi-jurisdictional and multi-layered protection from identity crime and financial fraud. The 10,000 individuals, who potentially had 100 points of identification released online, will be prioritised.

Under the AFP-led partnership between law enforcement, the private sector and industry to combat the growing threat of cybercrime, Operation Guardian will focus on key measures to help shield affected customers, including:

    • Identifying the 10,000 individuals across Australia now at risk of identity fraud and alerting industry to enable further protection for those members of the public
    • Monitoring online forums, the internet and the dark web for other criminals trying to exploit the personal information released online
    • Engaging with the financial service industry to detect criminal activity associated with the data breach
    • Analysing trends from ReportCyber to determine whether there are links between individuals who have been exploited
    • Identifying and disrupting cyber criminals.

Operation Guardian will use collective legislative powers, experience, investigative and intelligence capabilities of all Australian policing jurisdictions.

If you believe you are a victim of Cybercrime, please report it to ReportCyber at cyber.gov.au

That does not mean the bad stories do not keep piling up, with the Guardian’s The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle, WAtoday’s ‘Drawbridge needs to come down’: Government says Optus still hasn’t provided critical information and the Australian Financial Review’s forthright Optus not co-operating on breached data: Labor.

The media are now reporting on the Optus breach in terms of how the Government and its ministers are performing. For example, Peter Hartcher in Optus hack shows Albo-dextrous PM can make the right calls has undertaken a largely positive analysis of the governmental response. And fair enough. While ministers like Mark Dreyfus have made it clear that Optus must fix the problem, the Government, and State Governments, are getting drawn further and further into the story. That initially related to changing passports, Medicare cards and other government related services, but they are now being drawn into issues of compliance and regulation. Given the size of Optus in the national market that is tempting, but it is also dangerous in terms of acting both as a government and as a quasi regulator.

And there is the continuing analysis of Optus’ strategy, which remains a mystery to someone who has reviewed a lot of data breaches here and overseas, with Govt criticism of the telco not just ‘Canberra parlour games’. As analysis goes it is not too bad. The points about being as candid as possible and co-operative are absolutely correct. With data breaches the loss of personal information is bad enough and costly in terms of remediation. The reputational damage can be far worse and harm the bottom line far more than the immediate outlays. It provides:

Despite reputation and political management increasingly being seen as first-order corporate risks, the Optus fiasco demonstrates both why it’s critical, and how it can go very wrong.

When these events occur, corporate leaders often default to a legally conservative strategy aimed at ensuring whatever is said or done doesn’t make a future civil penalty or class action worse, but they ignore the fact that the reputational damage occurring in the short term often matters more.

Of course, legal risk can be costly, but in the Optus saga, the maximum civil penalty the Privacy Commissioner can pursue is a woefully inadequate $2.1m. The unacceptability of this has been recognised by successive federal governments, with a commitment made in 2019 to increase it and draft legislation released last year. A successful class action will undoubtedly cost more in legal fees than any civil penalty, let alone the final compensation awarded to customers. Weigh that against the cost of poorly managing the perception of critical stakeholders such as customers, regulators and politicians. That cost will be known only once it’s clear how many customers have jumped ship, political inquiries have been launched and new laws passed. The full effects could take years to flow through as customers stuck in contracts wait for them to expire.

Some customers will be people who, regardless of how Optus responded, would have gone to a competitor because of the breach. Then there will be many others leaving because they haven’t been convinced the organisation is on top of the issue. In the meantime, corporate and government clients will likely mark Optus down in future tenders, lacking confidence that commercially sensitive information is secure.

The revenue loss could be hundreds of millions, if not billions.

None of this should come as a surprise. Major cyber incidents are the first, second and third risks in the corporate crisis management plan – particularly for telcos and banks that hold such significant quantities of personal information. All of these plans should include detailed strategies for communicating with customers, politicians and regulators.

For a company like Optus to not be adequately prepared for this in the digital age is akin to a modern cruise liner not having a way of dealing with icebergs. Which begs the question of how the relationship with the government, the one stakeholder that can both assist Optus recover the data and inflict the greatest amount of regulatory pain on it, has so rapidly and publicly deteriorated.

Crisis management for major cyber incidents relies on government assistance. The cyber-spooks at the Australian Signals Directorate can do things in response that private companies can’t, both legally and technically. Governments and corporates should usually be on the same side in the event of a major hacking event by foreign actors.

Despite this, on Monday night the Minister for Cyber Security, Clare O’Neil, indicated she thought Optus’s characterisation of the incident as a sophisticated hack was misleading corporate spin, at best. She also told Optus to start clearly communicating with its customers and the next day slammed them again after apparently learning Medicare identifiers were also part of the breach.

In defence, Optus CEO Kelly Bayer-Rosmarin said: “Our briefing of the minister came after she gave that interview”. Bizarrely, this suggests the minister co-ordinating the government response wasn’t fully briefed by the company until after her media appearance, five days from when the incident was announced. If that’s the case, Optus executives have failed in their basic duty to keep a critical stakeholder informed and onside. Even if so, the minister would still have received almost constant briefings from ASD and other national security officials. She probably knows things about the attack that Optus doesn’t.

This public criticism by the minister is not just Canberra parlour games. It has real consequences. It indicates, fairly or not, that those devoting resources to help Optus out of this mess don’t have confidence in the way the company is managing it. If that’s the case, why should customers who aren’t privy to briefings from the Optus CEO and national security agencies believe the company? And what are the broader implications of one of the largest critical infrastructure providers in Australia apparently losing the trust of the government?

Alternatively, it could just be convenient politics to throw Optus under the bus and reverse over it. It’s certainly reflective of public opinion. Unfortunately for Optus, the true reason doesn’t matter. The impact on public confidence in it is just as damaging.
